Edit tour

Windows Analysis Report
setup.exe

Overview

General Information

Sample name:	setup.exe
Analysis ID:	1553146
MD5:	1274cbcd6329098f79a3be6d76ab8b97
SHA1:	53c870d62dcd6154052445dc03888cdc6cffd370
SHA256:	bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278
Tags:	exetronbruteforce-onlineuser-aachum
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Stop multiple services

System process connects to network (likely due to code injection or exploit)

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Stops critical windows services

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Uncommon Svchost Parent Process

Suricata IDS alerts with low severity for network traffic

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

setup.exe (PID: 4924 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: 1274CBCD6329098F79A3BE6D76AB8B97)

dialer.exe (PID: 1172 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

winlogon.exe (PID: 560 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

lsass.exe (PID: 652 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 928 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 996 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

svchost.exe (PID: 436 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 376 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 60 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 980 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1064 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1140 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1192 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1248 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1328 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1344 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1356 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1448 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1496 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1516 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1560 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1640 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1648 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1784 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1872 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1900 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1980 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1988 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2000 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

powershell.exe (PID: 2432 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2216 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 2404 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 3476 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 800 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 2024 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 592 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 4328 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

updater.exe (PID: 5484 cmdline: "C:\Program Files\Google\Chrome\updater.exe" MD5: 1274CBCD6329098F79A3BE6D76AB8B97)

cleanup

Sigma Signatures

Operating System Destruction

Sigma detected: Stop multiple services

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, ProcessId: 2404, ProcessName: cmd.exe

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, ProcessId: 2432, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 1172, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 928, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, ProcessId: 2432, ProcessName: powershell.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-10T12:38:17.092545+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.6	49751	TCP
2024-11-10T12:38:52.557754+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.6	60889	TCP
2024-11-10T12:38:53.820122+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.6	60896	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp

Avira: detection malicious, Label: RKIT/Agent.dvyic

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Google\Chrome\updater.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	ReversingLabs: Detection: 87%

Multi AV Scanner detection for submitted file

Source: setup.exe

ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files\Google\Chrome\updater.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: setup.exe

Joe Sandbox ML: detected

Source: setup.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000001D.00000000.2178288513.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382734593.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001D.00000000.2178248889.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382137488.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: d.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001D.00000000.2178288513.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382734593.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001D.00000000.2178288513.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382734593.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001D.00000000.2178288513.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382734593.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001D.00000002.3383305724.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2178341597.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001D.00000000.2178248889.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382137488.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001D.00000000.2178248889.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382137488.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001D.00000000.2178248889.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382137488.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001D.00000002.3383305724.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2178341597.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000001D.00000000.2178288513.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382734593.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000001D.00000000.2178288513.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382734593.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001D.00000002.3383305724.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2178341597.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbcache source: svchost.exe, 0000001D.00000002.3383305724.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2178341597.000002259585D000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001B1C6ACDCE0 FindFirstFileExW,	4_2_000001B1C6ACDCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 17_2_000002D0165EDCE0 FindFirstFileExW,	17_2_000002D0165EDCE0
Source: C:\Windows\System32\lsass.exe	Code function: 21_2_000002D6F151DCE0 FindFirstFileExW,	21_2_000002D6F151DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_0000014E41FDDCE0 FindFirstFileExW,	22_2_0000014E41FDDCE0
Source: C:\Windows\System32\dwm.exe	Code function: 23_2_000001D15B04DCE0 FindFirstFileExW,	23_2_000001D15B04DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_0000023AF32EDCE0 FindFirstFileExW,	24_2_0000023AF32EDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000023C9FD9DCE0 FindFirstFileExW,	25_2_0000023C9FD9DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000001A1CA71DCE0 FindFirstFileExW,	26_2_000001A1CA71DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_00000246EDE6DCE0 FindFirstFileExW,	27_2_00000246EDE6DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_00000200A19BDCE0 FindFirstFileExW,	28_2_00000200A19BDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002259668DCE0 FindFirstFileExW,	29_2_000002259668DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000022E670FDCE0 FindFirstFileExW,	30_2_0000022E670FDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000001FE4A4EDCE0 FindFirstFileExW,	31_2_000001FE4A4EDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_0000024C19A7DCE0 FindFirstFileExW,	32_2_0000024C19A7DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_00000275D266DCE0 FindFirstFileExW,	33_2_00000275D266DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_0000023BBDCCDCE0 FindFirstFileExW,	34_2_0000023BBDCCDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_00000227D954DCE0 FindFirstFileExW,	35_2_00000227D954DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002DED2CADCE0 FindFirstFileExW,	36_2_000002DED2CADCE0
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000014ACE6EDCE0 FindFirstFileExW,	37_2_0000014ACE6EDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000220AF66DCE0 FindFirstFileExW,	38_2_00000220AF66DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_00000241B697DCE0 FindFirstFileExW,	39_2_00000241B697DCE0

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\svchost.exe

Domain query: 241.42.69.40.in-addr.arpa

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.6:49751
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:60889
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:60896

Source: unknown

DNS traffic detected: query: 241.42.69.40.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa

Source: Microsoft-Windows-LiveId%4Operational.evtx.30.dr	String found in binary or memory: http://Passport.NET/tb
Source: lsass.exe, 00000015.00000002.3399487185.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146802943.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3402475967.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146987040.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2387433085.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 00000015.00000002.3400721788.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146907635.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3389734995.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146426037.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 00000015.00000002.3399487185.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146568788.000002D6F0C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3393594679.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2387433085.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146802943.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3398167999.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146757082.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3402475967.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2397368366.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146987040.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 00000015.00000002.3399487185.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3389734995.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2387433085.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: lsass.exe, 00000015.00000002.3399487185.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146802943.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3398167999.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146757082.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3402475967.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2397368366.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146987040.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2387433085.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146802943.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: lsass.exe, 00000015.00000002.3400721788.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146907635.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3389734995.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146426037.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: lsass.exe, 00000015.00000002.3399487185.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146802943.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3402475967.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146987040.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2387433085.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 00000015.00000002.3400721788.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146907635.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3389734995.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146426037.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3398167999.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146757082.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3402475967.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2397368366.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146987040.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000015.00000002.3399487185.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146568788.000002D6F0C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3393594679.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2387433085.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146802943.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000015.00000002.3399487185.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3389734995.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2387433085.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: lsass.exe, 00000015.00000002.3400721788.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146907635.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3389734995.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146426037.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000015.00000002.3399487185.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146802943.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3398167999.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146757082.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3402475967.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2397368366.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146987040.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2387433085.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146802943.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 00000015.00000000.2146757082.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000015.00000002.3399487185.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146802943.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3402475967.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146987040.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2387433085.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 00000015.00000002.3399487185.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146568788.000002D6F0C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3393594679.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2387433085.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146802943.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000015.00000002.3400721788.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146907635.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3389734995.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146426037.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000015.00000002.3399487185.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146802943.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3398167999.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146757082.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3402475967.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2397368366.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146987040.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2387433085.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146802943.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: lsass.exe, 00000015.00000002.3389734995.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146426037.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000015.00000000.2146568788.000002D6F0C00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3393594679.000002D6F0C00000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000015.00000000.2146371271.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3388396962.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: lsass.exe, 00000015.00000002.3400721788.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3399487185.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146802943.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3398167999.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146757082.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146568788.000002D6F0C46000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146907635.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3389734995.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146426037.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3402475967.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2397368366.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146987040.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3393594679.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2387433085.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146802943.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000015.00000000.2146757082.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000015.00000002.3399487185.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146802943.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3398167999.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146757082.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3402475967.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2397368366.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146987040.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2387433085.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146802943.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 00000015.00000002.3400721788.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146907635.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3389734995.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146426037.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: lsass.exe, 00000015.00000000.2146757082.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146426037.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: lsass.exe, 00000015.00000000.2146371271.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3388396962.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
Source: lsass.exe, 00000015.00000002.3400721788.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3399487185.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146802943.000002D6F0DA5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3398167999.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146757082.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146907635.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3389734995.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146426037.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3402475967.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2397368366.000002D6F0CEB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146987040.000002D6F0E00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000003.2387433085.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146802943.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: svchost.exe, 00000029.00000000.2208243745.0000014D25483000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.3421210700.0000014D25483000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.msftconnecttest.com/

Source: C:\Windows\System32\dialer.exe	Code function: 12_2_00007FF6AFBE10C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,	12_2_00007FF6AFBE10C0
Source: C:\Windows\System32\winlogon.exe	Code function: 17_2_000002D0165E28C8 NtEnumerateValueKey,NtEnumerateValueKey,	17_2_000002D0165E28C8
Source: C:\Windows\System32\lsass.exe	Code function: 21_2_000002D6F151253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,	21_2_000002D6F151253C
Source: C:\Windows\System32\lsass.exe	Code function: 21_2_000002D6F151202C NtQuerySystemInformation,StrCmpNIW,	21_2_000002D6F151202C
Source: C:\Windows\System32\dwm.exe	Code function: 23_2_000001D15B0428C8 NtEnumerateValueKey,NtEnumerateValueKey,	23_2_000001D15B0428C8

Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001B1C6A91F2C	4_2_000001B1C6A91F2C
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001B1C6AA38A8	4_2_000001B1C6AA38A8
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001B1C6A9D0E0	4_2_000001B1C6A9D0E0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001B1C6AC2B2C	4_2_000001B1C6AC2B2C
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001B1C6AD44A8	4_2_000001B1C6AD44A8
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001B1C6ACDCE0	4_2_000001B1C6ACDCE0
Source: C:\Windows\System32\dialer.exe	Code function: 12_2_00007FF6AFBE14D8	12_2_00007FF6AFBE14D8
Source: C:\Windows\System32\dialer.exe	Code function: 12_2_00007FF6AFBE226C	12_2_00007FF6AFBE226C
Source: C:\Windows\System32\dialer.exe	Code function: 12_2_00007FF6AFBE2560	12_2_00007FF6AFBE2560
Source: C:\Windows\System32\winlogon.exe	Code function: 17_2_000002D016581F2C	17_2_000002D016581F2C
Source: C:\Windows\System32\winlogon.exe	Code function: 17_2_000002D0165938A8	17_2_000002D0165938A8
Source: C:\Windows\System32\winlogon.exe	Code function: 17_2_000002D01658D0E0	17_2_000002D01658D0E0
Source: C:\Windows\System32\winlogon.exe	Code function: 17_2_000002D0165E2B2C	17_2_000002D0165E2B2C
Source: C:\Windows\System32\winlogon.exe	Code function: 17_2_000002D0165F44A8	17_2_000002D0165F44A8
Source: C:\Windows\System32\winlogon.exe	Code function: 17_2_000002D0165EDCE0	17_2_000002D0165EDCE0
Source: C:\Windows\System32\lsass.exe	Code function: 21_2_000002D6F14ED0E0	21_2_000002D6F14ED0E0
Source: C:\Windows\System32\lsass.exe	Code function: 21_2_000002D6F14F38A8	21_2_000002D6F14F38A8
Source: C:\Windows\System32\lsass.exe	Code function: 21_2_000002D6F14E1F2C	21_2_000002D6F14E1F2C
Source: C:\Windows\System32\lsass.exe	Code function: 21_2_000002D6F151DCE0	21_2_000002D6F151DCE0
Source: C:\Windows\System32\lsass.exe	Code function: 21_2_000002D6F15244A8	21_2_000002D6F15244A8
Source: C:\Windows\System32\lsass.exe	Code function: 21_2_000002D6F1512B2C	21_2_000002D6F1512B2C
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_0000014E41FAD0E0	22_2_0000014E41FAD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_0000014E41FB38A8	22_2_0000014E41FB38A8
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_0000014E41FA1F2C	22_2_0000014E41FA1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_0000014E41FDDCE0	22_2_0000014E41FDDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_0000014E41FE44A8	22_2_0000014E41FE44A8
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_0000014E41FD2B2C	22_2_0000014E41FD2B2C
Source: C:\Windows\System32\dwm.exe	Code function: 23_2_000001D15B011F2C	23_2_000001D15B011F2C
Source: C:\Windows\System32\dwm.exe	Code function: 23_2_000001D15B01D0E0	23_2_000001D15B01D0E0
Source: C:\Windows\System32\dwm.exe	Code function: 23_2_000001D15B0238A8	23_2_000001D15B0238A8
Source: C:\Windows\System32\dwm.exe	Code function: 23_2_000001D15B042B2C	23_2_000001D15B042B2C
Source: C:\Windows\System32\dwm.exe	Code function: 23_2_000001D15B04DCE0	23_2_000001D15B04DCE0
Source: C:\Windows\System32\dwm.exe	Code function: 23_2_000001D15B0544A8	23_2_000001D15B0544A8
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_0000023AF32C38A8	24_2_0000023AF32C38A8
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_0000023AF32BD0E0	24_2_0000023AF32BD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_0000023AF32B1F2C	24_2_0000023AF32B1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_0000023AF32F44A8	24_2_0000023AF32F44A8
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_0000023AF32EDCE0	24_2_0000023AF32EDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_0000023AF32E2B2C	24_2_0000023AF32E2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000023C9FD6D0E0	25_2_0000023C9FD6D0E0
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000023C9FD738A8	25_2_0000023C9FD738A8
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000023C9FD61F2C	25_2_0000023C9FD61F2C
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000023C9FD9DCE0	25_2_0000023C9FD9DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000023C9FDA44A8	25_2_0000023C9FDA44A8
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000023C9FD92B2C	25_2_0000023C9FD92B2C
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000001A1CA6ED0E0	26_2_000001A1CA6ED0E0
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000001A1CA6F38A8	26_2_000001A1CA6F38A8
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000001A1CA6E1F2C	26_2_000001A1CA6E1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000001A1CA71DCE0	26_2_000001A1CA71DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000001A1CA7244A8	26_2_000001A1CA7244A8
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000001A1CA712B2C	26_2_000001A1CA712B2C
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_00000246ED7B1F2C	27_2_00000246ED7B1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_00000246ED7BD0E0	27_2_00000246ED7BD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_00000246ED7C38A8	27_2_00000246ED7C38A8
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_00000246EDE62B2C	27_2_00000246EDE62B2C
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_00000246EDE6DCE0	27_2_00000246EDE6DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_00000246EDE744A8	27_2_00000246EDE744A8
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_00000200A19B2B2C	28_2_00000200A19B2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_00000200A19C44A8	28_2_00000200A19C44A8
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_00000200A19BDCE0	28_2_00000200A19BDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002259668DCE0	29_2_000002259668DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_00000225966944A8	29_2_00000225966944A8
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_0000022596682B2C	29_2_0000022596682B2C
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000022E670C1F2C	30_2_0000022E670C1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000022E670D38A8	30_2_0000022E670D38A8
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000022E670CD0E0	30_2_0000022E670CD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000022E670F2B2C	30_2_0000022E670F2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000022E671044A8	30_2_0000022E671044A8
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000022E670FDCE0	30_2_0000022E670FDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000001FE4A4C38A8	31_2_000001FE4A4C38A8
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000001FE4A4BD0E0	31_2_000001FE4A4BD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000001FE4A4B1F2C	31_2_000001FE4A4B1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000001FE4A4F44A8	31_2_000001FE4A4F44A8
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000001FE4A4EDCE0	31_2_000001FE4A4EDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000001FE4A4E2B2C	31_2_000001FE4A4E2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_0000024C19A4D0E0	32_2_0000024C19A4D0E0
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_0000024C19A538A8	32_2_0000024C19A538A8
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_0000024C19A41F2C	32_2_0000024C19A41F2C
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_0000024C19A7DCE0	32_2_0000024C19A7DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_0000024C19A844A8	32_2_0000024C19A844A8
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_0000024C19A72B2C	32_2_0000024C19A72B2C
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_00000275D1FCD0E0	33_2_00000275D1FCD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_00000275D1FD38A8	33_2_00000275D1FD38A8
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_00000275D1FC1F2C	33_2_00000275D1FC1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_00000275D2662B2C	33_2_00000275D2662B2C
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_00000275D26744A8	33_2_00000275D26744A8
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_00000275D266DCE0	33_2_00000275D266DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_0000023BBDCA38A8	34_2_0000023BBDCA38A8
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_0000023BBDC91F2C	34_2_0000023BBDC91F2C
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_0000023BBDC9D0E0	34_2_0000023BBDC9D0E0
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_0000023BBDCD44A8	34_2_0000023BBDCD44A8
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_0000023BBDCC2B2C	34_2_0000023BBDCC2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_0000023BBDCCDCE0	34_2_0000023BBDCCDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_00000227D9542B2C	35_2_00000227D9542B2C
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_00000227D95544A8	35_2_00000227D95544A8
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_00000227D954DCE0	35_2_00000227D954DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002DED2C71F2C	36_2_000002DED2C71F2C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002DED2C7D0E0	36_2_000002DED2C7D0E0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002DED2C838A8	36_2_000002DED2C838A8
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002DED2CA2B2C	36_2_000002DED2CA2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002DED2CADCE0	36_2_000002DED2CADCE0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002DED2CB44A8	36_2_000002DED2CB44A8
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000014ACE6B1F2C	37_2_0000014ACE6B1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000014ACE6BD0E0	37_2_0000014ACE6BD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000014ACE6C38A8	37_2_0000014ACE6C38A8
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000014ACE6E2B2C	37_2_0000014ACE6E2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000014ACE6EDCE0	37_2_0000014ACE6EDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000014ACE6F44A8	37_2_0000014ACE6F44A8
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000220AEFDD0E0	38_2_00000220AEFDD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000220AEFE38A8	38_2_00000220AEFE38A8
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000220AEFD1F2C	38_2_00000220AEFD1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000220AF66DCE0	38_2_00000220AF66DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000220AF6744A8	38_2_00000220AF6744A8
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000220AF662B2C	38_2_00000220AF662B2C
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_00000241B69538A8	39_2_00000241B69538A8
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_00000241B694D0E0	39_2_00000241B694D0E0
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_00000241B6941F2C	39_2_00000241B6941F2C
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_00000241B69844A8	39_2_00000241B69844A8
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_00000241B697DCE0	39_2_00000241B697DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_00000241B6972B2C	39_2_00000241B6972B2C

Source: Joe Sandbox View	Dropped File: C:\Program Files\Google\Chrome\updater.exe BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp F7E1E53A6FB24A2BD9206305C59448A8F99B6F5847A6ACB18EB0FD9F7383FFB4

Source: wxyubnjmnlae.tmp.0.dr

Static PE information: Resource name: DLL type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

Source: updater.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: setup.exe	Static PE information: Number of sections : 11 > 10

Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.30.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}(
Source: System.evtx.30.dr	Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exe`
Source: Microsoft-Windows-SMBServer%4Operational.evtx.30.dr	Binary string: \Device\NetbiosSmb
Source: System.evtx.30.dr	Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4lt
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.30.dr	Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: System.evtx.30.dr	Binary string: C:\Device\HarddiskVolume3`&
Source: System.evtx.30.dr	Binary string: C:\Device\HarddiskVolume3
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.30.dr	Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeP**
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.30.dr	Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Security.evtx.30.dr	Binary string: \Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.30.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
Source: Security.evtx.30.dr	Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sysnvi
Source: System.evtx.30.dr	Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.30.dr	Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.30.dr	Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.30.dr	Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: System.evtx.30.dr	Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4A
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.30.dr	Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.30.dr	Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.30.dr	Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}

Source: setup.exe, updater.exe.0.dr

Binary or memory string: .SlnIX

Source: classification engine

Classification label: mal100.evad.winEXE@24/65@1/0

Source: C:\Windows\System32\dialer.exe

Code function: 12_2_00007FF6AFBE226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,

12_2_00007FF6AFBE226C

Source: C:\Windows\System32\dialer.exe

Code function: 12_2_00007FF6AFBE19C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,

12_2_00007FF6AFBE19C4

Source: C:\Windows\System32\dialer.exe

12_2_00007FF6AFBE226C

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Program Files\Google\Chrome\updater.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3816:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1656:120:WilError_03

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp

Jump to behavior

Source: setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\setup.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: setup.exe

ReversingLabs: Detection: 76%

Source: setup.exe	String found in binary or memory: <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
Source: setup.exe	String found in binary or memory: <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
Source: setup.exe	String found in binary or memory: <StopOnIdleEnd>false</StopOnIdleEnd>
Source: setup.exe	String found in binary or memory: <StopOnIdleEnd>false</StopOnIdleEnd>

Source: C:\Users\user\Desktop\setup.exe

File read: C:\Users\user\Desktop\setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: unknown	Process created: C:\Program Files\Google\Chrome\updater.exe "C:\Program Files\Google\Chrome\updater.exe"
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: setup.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: setup.exe

Static file information: File size 5617152 > 1048576

Source: setup.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x550200

Source: setup.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000001D.00000000.2178288513.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382734593.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001D.00000000.2178248889.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382137488.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: d.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001D.00000000.2178288513.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382734593.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001D.00000000.2178288513.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382734593.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001D.00000000.2178288513.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382734593.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001D.00000002.3383305724.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2178341597.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001D.00000000.2178248889.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382137488.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001D.00000000.2178248889.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382137488.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001D.00000000.2178248889.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382137488.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001D.00000002.3383305724.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2178341597.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000001D.00000000.2178288513.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382734593.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000001D.00000000.2178288513.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3382734593.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001D.00000002.3383305724.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2178341597.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbcache source: svchost.exe, 0000001D.00000002.3383305724.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.2178341597.000002259585D000.00000004.00000001.00020000.00000000.sdmp

Source: wxyubnjmnlae.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x316d6
Source: updater.exe.0.dr	Static PE information: real checksum: 0x55ddc3 should be: 0x56311d
Source: setup.exe	Static PE information: real checksum: 0x55ddc3 should be: 0x56311d

Source: setup.exe	Static PE information: section name: .xdata
Source: updater.exe.0.dr	Static PE information: section name: .xdata

Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001B1C6AAACDD push rcx; retf 003Fh	4_2_000001B1C6AAACDE
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001B1C6ADC6DD push rcx; retf 003Fh	4_2_000001B1C6ADC6DE
Source: C:\Windows\System32\winlogon.exe	Code function: 17_2_000002D01659ACDD push rcx; retf 003Fh	17_2_000002D01659ACDE
Source: C:\Windows\System32\winlogon.exe	Code function: 17_2_000002D0165FC6DD push rcx; retf 003Fh	17_2_000002D0165FC6DE
Source: C:\Windows\System32\lsass.exe	Code function: 21_2_000002D6F14FACDD push rcx; retf 003Fh	21_2_000002D6F14FACDE
Source: C:\Windows\System32\lsass.exe	Code function: 21_2_000002D6F152C6DD push rcx; retf 003Fh	21_2_000002D6F152C6DE
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_0000014E41FBACDD push rcx; retf 003Fh	22_2_0000014E41FBACDE
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_0000014E41FEC6DD push rcx; retf 003Fh	22_2_0000014E41FEC6DE
Source: C:\Windows\System32\dwm.exe	Code function: 23_2_000001D15B02ACDD push rcx; retf 003Fh	23_2_000001D15B02ACDE
Source: C:\Windows\System32\dwm.exe	Code function: 23_2_000001D15B05C6DD push rcx; retf 003Fh	23_2_000001D15B05C6DE
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_0000023AF32CACDD push rcx; retf 003Fh	24_2_0000023AF32CACDE
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000023C9FD7ACDD push rcx; retf 003Fh	25_2_0000023C9FD7ACDE
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000023C9FDAC6DD push rcx; retf 003Fh	25_2_0000023C9FDAC6DE
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000001A1CA6FACDD push rcx; retf 003Fh	26_2_000001A1CA6FACDE
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000001A1CA72C6DD push rcx; retf 003Fh	26_2_000001A1CA72C6DE
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_00000246ED7CACDD push rcx; retf 003Fh	27_2_00000246ED7CACDE
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_00000246EDE7C6DD push rcx; retf 003Fh	27_2_00000246EDE7C6DE
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_00000200A19CC6DD push rcx; retf 003Fh	28_2_00000200A19CC6DE
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002259669C6DD push rcx; retf 003Fh	29_2_000002259669C6DE
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000022E670DACDD push rcx; retf 003Fh	30_2_0000022E670DACDE
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000022E6710C6DD push rcx; retf 003Fh	30_2_0000022E6710C6DE
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000001FE4A4CACDD push rcx; retf 003Fh	31_2_000001FE4A4CACDE
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000001FE4A4FC6DD push rcx; retf 003Fh	31_2_000001FE4A4FC6DE
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_0000024C19A5ACDD push rcx; retf 003Fh	32_2_0000024C19A5ACDE
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_0000024C19A8C6DD push rcx; retf 003Fh	32_2_0000024C19A8C6DE
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_00000275D1FDACDD push rcx; retf 003Fh	33_2_00000275D1FDACDE
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_00000275D267C6DD push rcx; retf 003Fh	33_2_00000275D267C6DE
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_0000023BBDCAACDD push rcx; retf 003Fh	34_2_0000023BBDCAACDE
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_0000023BBDCDC6DD push rcx; retf 003Fh	34_2_0000023BBDCDC6DE
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_00000227D955C6DD push rcx; retf 003Fh	35_2_00000227D955C6DE
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002DED2C8ACDD push rcx; retf 003Fh	36_2_000002DED2C8ACDE

Source: C:\Users\user\Desktop\setup.exe	File created: C:\Program Files\Google\Chrome\updater.exe			Jump to dropped file
Source: C:\Users\user\Desktop\setup.exe	File created: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp			Jump to dropped file

Source: C:\Windows\System32\svchost.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DnsPolicyConfig\DNS_RESILIENCY_fe3cr.delivery.mp.microsoft.com

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Users\user\Desktop\setup.exe

Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\WXYUBNJMNLAE.TMP

Hooks files or directories query functions (used to hide files and directories)

Source: winlogon.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: winlogon.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: winlogon.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Source: winlogon.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dialer.exe

Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,

12_2_00007FF6AFBE10C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5145	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4745	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Window / User API: threadDelayed 1711	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Window / User API: threadDelayed 657	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 6588	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 3412	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 8026	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 1903	Jump to behavior
Source: C:\Windows\System32\dwm.exe	Window / User API: threadDelayed 9864	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp

Jump to dropped file

Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_4-15085
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_22-15146

Source: C:\Windows\System32\dialer.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_12-431

Source: C:\Windows\System32\wbem\WmiPrvSE.exe	API coverage: 4.9 %
Source: C:\Windows\System32\lsass.exe	API coverage: 8.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.7 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.2 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.7 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.6 %
Source: C:\Windows\System32\svchost.exe	API coverage: 7.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.5 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.3 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.5 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2548	Thread sleep count: 5145 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5660	Thread sleep count: 4745 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5476	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 5660	Thread sleep count: 252 > 30	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 5660	Thread sleep time: -252000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dialer.exe TID: 3544	Thread sleep count: 1711 > 30	Jump to behavior
Source: C:\Windows\System32\dialer.exe TID: 3544	Thread sleep time: -171100s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dialer.exe TID: 1008	Thread sleep count: 657 > 30	Jump to behavior
Source: C:\Windows\System32\dialer.exe TID: 1008	Thread sleep time: -65700s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2820	Thread sleep count: 6588 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2820	Thread sleep time: -6588000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2820	Thread sleep count: 3412 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2820	Thread sleep time: -3412000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 3800	Thread sleep count: 8026 > 30	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 3800	Thread sleep time: -8026000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 3800	Thread sleep count: 1903 > 30	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 3800	Thread sleep time: -1903000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1584	Thread sleep count: 245 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1584	Thread sleep time: -245000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 1804	Thread sleep count: 9864 > 30	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 1804	Thread sleep time: -9864000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2268	Thread sleep count: 255 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2268	Thread sleep time: -255000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6108	Thread sleep count: 255 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6108	Thread sleep time: -255000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5476	Thread sleep count: 244 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5476	Thread sleep time: -244000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6336	Thread sleep count: 244 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6336	Thread sleep time: -244000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5960	Thread sleep count: 203 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5960	Thread sleep time: -203000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3472	Thread sleep count: 254 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3472	Thread sleep time: -254000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6512	Thread sleep count: 241 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6512	Thread sleep time: -241000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4208	Thread sleep count: 248 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4208	Thread sleep time: -248000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6540	Thread sleep count: 252 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6540	Thread sleep time: -252000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 404	Thread sleep count: 242 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 404	Thread sleep time: -242000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4044	Thread sleep count: 255 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4044	Thread sleep time: -255000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2896	Thread sleep count: 255 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2896	Thread sleep time: -255000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 592	Thread sleep count: 238 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 592	Thread sleep time: -238000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3700	Thread sleep count: 255 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3700	Thread sleep time: -255000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3816	Thread sleep count: 252 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3816	Thread sleep time: -252000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5696	Thread sleep count: 256 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5696	Thread sleep time: -256000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7008	Thread sleep count: 256 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7008	Thread sleep time: -256000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 340	Thread sleep count: 245 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 340	Thread sleep time: -245000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2620	Thread sleep count: 200 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2620	Thread sleep time: -200000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6136	Thread sleep count: 252 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6136	Thread sleep time: -252000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1052	Thread sleep count: 239 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1052	Thread sleep time: -239000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6876	Thread sleep count: 253 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6876	Thread sleep time: -253000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4864	Thread sleep count: 254 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4864	Thread sleep time: -254000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Last function: Thread delayed
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe	Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001B1C6ACDCE0 FindFirstFileExW,	4_2_000001B1C6ACDCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 17_2_000002D0165EDCE0 FindFirstFileExW,	17_2_000002D0165EDCE0
Source: C:\Windows\System32\lsass.exe	Code function: 21_2_000002D6F151DCE0 FindFirstFileExW,	21_2_000002D6F151DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_0000014E41FDDCE0 FindFirstFileExW,	22_2_0000014E41FDDCE0
Source: C:\Windows\System32\dwm.exe	Code function: 23_2_000001D15B04DCE0 FindFirstFileExW,	23_2_000001D15B04DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_0000023AF32EDCE0 FindFirstFileExW,	24_2_0000023AF32EDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000023C9FD9DCE0 FindFirstFileExW,	25_2_0000023C9FD9DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000001A1CA71DCE0 FindFirstFileExW,	26_2_000001A1CA71DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_00000246EDE6DCE0 FindFirstFileExW,	27_2_00000246EDE6DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_00000200A19BDCE0 FindFirstFileExW,	28_2_00000200A19BDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002259668DCE0 FindFirstFileExW,	29_2_000002259668DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000022E670FDCE0 FindFirstFileExW,	30_2_0000022E670FDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000001FE4A4EDCE0 FindFirstFileExW,	31_2_000001FE4A4EDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_0000024C19A7DCE0 FindFirstFileExW,	32_2_0000024C19A7DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_00000275D266DCE0 FindFirstFileExW,	33_2_00000275D266DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_0000023BBDCCDCE0 FindFirstFileExW,	34_2_0000023BBDCCDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_00000227D954DCE0 FindFirstFileExW,	35_2_00000227D954DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002DED2CADCE0 FindFirstFileExW,	36_2_000002DED2CADCE0
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000014ACE6EDCE0 FindFirstFileExW,	37_2_0000014ACE6EDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000220AF66DCE0 FindFirstFileExW,	38_2_00000220AF66DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_00000241B697DCE0 FindFirstFileExW,	39_2_00000241B697DCE0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: dwm.exe, 00000017.00000002.3428646036.000001D156AA0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000gB
Source: svchost.exe, 0000001E.00000002.3400792914.0000022E66A2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.2182071509.0000022E66A2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
Source: lsass.exe, 00000015.00000000.2146426037.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 0000001E.00000002.3401934481.0000022E66A43000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmci
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.30.dr	Binary or memory string: VMware SATA CD00
Source: svchost.exe, 0000001C.00000002.3387853671.00000200A122B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.30.dr	Binary or memory string: NECVMWarVMware SATA CD00
Source: svchost.exe, 0000001E.00000002.3407425356.0000022E67060000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: D8VMwareVirtual disk6000c29c2bea38880a8a16ee9f37bec9
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.30.dr	Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 0000001E.00000000.2183261964.0000022E67584000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: svchost.exe, 0000001E.00000003.2262517067.0000022E6759C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.30.dr	Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.30.dr	Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 0000001E.00000000.2183261964.0000022E67584000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: Microsoft-Windows-PowerShell%4Operational.evtx.30.dr	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: svchost.exe, 0000001E.00000000.2183261964.0000022E67584000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: D8VMwareVirtual disk6000c29c2bea38880a8a16ee9f37bec98
Source: lsass.exe, 00000015.00000002.3387178705.000002D6F0613000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146320539.000002D6F0613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2148868592.0000014E41C13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3382740118.0000014E41C13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.3385466857.0000023C9FE2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2168682482.0000023C9FE2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.3380926986.000001A1CA02A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.2169895372.000001A1CA034000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.3388754633.00000200A1241000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2174065757.00000200A1241000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.2182141150.0000022E66A43000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.30.dr	Binary or memory string: LSI_SASVMware Virtual disk 6000c29c2bea38880a8a16ee9f37bec9
Source: svchost.exe, 00000016.00000002.3382740118.0000014E41C13000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: System.evtx.30.dr	Binary or memory string: VMCI: Using capabilities (0x1c).
Source: lsass.exe, 00000015.00000000.2146426037.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: Microsoft-Windows-PowerShell%4Operational.evtx.30.dr	Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.30.dr	Binary or memory string: VMware Virtual disk 2.0 6000c29c2bea38880a8a16ee9f37bec9PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.30.dr	Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: svchost.exe, 0000001E.00000000.2183261964.0000022E67584000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: svchost.exe, 00000023.00000002.3380795225.00000227D882B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: Microsoft-Windows-PowerShell%4Operational.evtx.30.dr	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.30.dr	Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000028.00000000.2206212871.00000202A1C02000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 0000001E.00000002.3414254414.0000022E6747B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmciAP<
Source: lsass.exe, 00000015.00000000.2146426037.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: svchost.exe, 0000001E.00000000.2183094778.0000022E6749C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: dowvmci
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.30.dr	Binary or memory string: VMware
Source: svchost.exe, 0000001E.00000000.2182457632.0000022E67080000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
Source: Microsoft-Windows-PowerShell%4Operational.evtx.30.dr	Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.30.dr	Binary or memory string: nonicVMware Virtual disk 6000c29c2bea38880a8a16ee9f37bec9
Source: Microsoft-Windows-PowerShell%4Operational.evtx.30.dr	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: dwm.exe, 00000017.00000002.3428646036.000001D156B0A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 0000001E.00000002.3407425356.0000022E67060000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk2.06000c29c2bea38880a8a16ee9f37bec9PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: Microsoft-Windows-PowerShell%4Operational.evtx.30.dr	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))

Source: C:\Windows\System32\dialer.exe

API call chain: ExitProcess graph end node

graph_12-486

Source: C:\Users\user\Desktop\setup.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\wbem\WmiPrvSE.exe

Code function: 4_2_000001B1C6ACD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_000001B1C6ACD2A4

Source: C:\Windows\System32\wbem\WmiPrvSE.exe

Code function: 4_2_000001B1C6AC1628 GetProcessHeap,HeapAlloc,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegCloseKey,

4_2_000001B1C6AC1628

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001B1C6ACD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_000001B1C6ACD2A4
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001B1C6AC7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_000001B1C6AC7D90
Source: C:\Windows\System32\winlogon.exe	Code function: 17_2_000002D0165E7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_000002D0165E7D90
Source: C:\Windows\System32\winlogon.exe	Code function: 17_2_000002D0165F6218 SetUnhandledExceptionFilter,	17_2_000002D0165F6218
Source: C:\Windows\System32\winlogon.exe	Code function: 17_2_000002D0165ED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_000002D0165ED2A4
Source: C:\Windows\System32\lsass.exe	Code function: 21_2_000002D6F1517D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000002D6F1517D90
Source: C:\Windows\System32\lsass.exe	Code function: 21_2_000002D6F151D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000002D6F151D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_0000014E41FDD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_0000014E41FDD2A4
Source: C:\Windows\System32\svchost.exe	Code function: 22_2_0000014E41FD7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_0000014E41FD7D90
Source: C:\Windows\System32\dwm.exe	Code function: 23_2_000001D15B056218 SetUnhandledExceptionFilter,	23_2_000001D15B056218
Source: C:\Windows\System32\dwm.exe	Code function: 23_2_000001D15B04D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_000001D15B04D2A4
Source: C:\Windows\System32\dwm.exe	Code function: 23_2_000001D15B047D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_000001D15B047D90
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_0000023AF32ED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_0000023AF32ED2A4
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_0000023AF32E7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_0000023AF32E7D90
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000023C9FD9D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_0000023C9FD9D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000023C9FD97D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_0000023C9FD97D90
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000001A1CA717D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_000001A1CA717D90
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000001A1CA71D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_000001A1CA71D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_00000246EDE6D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_00000246EDE6D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_00000246EDE67D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_00000246EDE67D90
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_00000200A19BD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_00000200A19BD2A4
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_00000200A19C6218 SetUnhandledExceptionFilter,	28_2_00000200A19C6218
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_00000200A19B7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_00000200A19B7D90
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_0000022596687D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_0000022596687D90
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002259668D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_000002259668D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000022E670FD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_0000022E670FD2A4
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000022E670F7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_0000022E670F7D90
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000001FE4A4E7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_000001FE4A4E7D90
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000001FE4A4ED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_000001FE4A4ED2A4
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_0000024C19A7D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_0000024C19A7D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_0000024C19A77D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_0000024C19A77D90
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_00000275D266D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_00000275D266D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_00000275D2667D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_00000275D2667D90
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_0000023BBDCCD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	34_2_0000023BBDCCD2A4
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_0000023BBDCD6218 SetUnhandledExceptionFilter,	34_2_0000023BBDCD6218
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_0000023BBDCC7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	34_2_0000023BBDCC7D90
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_00000227D954D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	35_2_00000227D954D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_00000227D9547D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	35_2_00000227D9547D90
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002DED2CAD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_000002DED2CAD2A4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002DED2CA7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_000002DED2CA7D90
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000014ACE6ED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_0000014ACE6ED2A4
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000014ACE6E7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_0000014ACE6E7D90
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000220AF667D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00000220AF667D90
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000220AF66D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00000220AF66D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_00000241B6977D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000241B6977D90
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_00000241B697D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000241B697D2A4

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\svchost.exe

Domain query: 241.42.69.40.in-addr.arpa

Adds a directory exclusion to Windows Defender

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force			Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 2D016580000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 2D6F14E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 14E41FA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 1D15B010000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23AF32B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23C9FD60000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A1CA6E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 246ED7B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 200A1980000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22595FB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22E670C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1FE4A4B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 24C19A40000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 275D1FC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23BBDC90000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 227D8FC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2DED2C70000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 14ACE6B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 220AEFD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 241B6940000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 202A22A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 14D25AA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BD1A2F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21A63950000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1834ABA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2D8F03D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 18BAF3C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 256EBEB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2568E1B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 226A7DC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\spoolsv.exe base: 12A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E2C0F50000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2EE0D7C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22B68FC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 207EA5B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EBCE9B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 11CD6340000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1AFDEB70000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 207C0460000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 245A2150000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 24708EB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22F60740000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26E569B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2CA8FE60000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\sihost.exe base: 1D63DC20000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A799B20000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F6963C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26481BB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 166D2D90000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ctfmon.exe base: 128DE440000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2101D0E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\explorer.exe base: 86A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 192D1E50000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26DD2000000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 257155B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dasHost.exe base: 16443E50000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2C8A6FC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1E968280000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A9452E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 29227D20000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 283E5C00000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\smartscreen.exe base: 14BB07C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22C4F660000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBAE850000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 27B1B9F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27FF3CD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 281CF7C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 28843650000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2761C420000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1ED974C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 14FE9140000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1BB54D40000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22F380C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 234F31D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1B1C6A90000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1D4049E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1D404D90000 protect: page execute and read and write	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dialer.exe

Code function: 12_2_00007FF6AFBE1C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,

12_2_00007FF6AFBE1C88

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: 1658273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\lsass.exe EIP: F14E273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 41FA273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\dwm.exe EIP: 5B01273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: F32B273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 9FD6273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: CA6E273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: ED7B273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A198273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 95FB273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 670C273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4A4B273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 19A4273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: D1FC273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: BDC9273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: D8FC273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: D2C7273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: CE6B273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: AEFD273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: B694273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A22A273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 25AA273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 1A2F273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6395273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4ABA273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: F03D273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: AF3C273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EBEB273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8E1B273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A7DC273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 12A273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C0F5273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D7C273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 68FC273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EA5B273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CE9B273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D634273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DEB7273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C046273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A215273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8EB273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6074273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 569B273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8FE6273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3DC2273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 99B2273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 963C273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 81BB273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D2D9273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DE44273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1D0E273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 86A273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D1E5273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D200273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 155B273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 43E5273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A6FC273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6828273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 452E273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 27D2273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E5C0273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B07C273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4F66273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AE85273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1B9F273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F3CD273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CF7C273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4365273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1C42273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 974C273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E914273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 54D4273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 380C273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F31D273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C6A9273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 49E273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4D9273C	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\setup.exe	NtQuerySystemInformation: Direct from: 0x7FF6E94A42AE			Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	NtCreateMutant: Direct from: 0x7FF63DE742AE			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2D016580000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 14E41FA0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1D15B010000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23AF32B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23C9FD60000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A1CA6E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 246ED7B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 200A1980000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22595FB0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22E670C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FE4A4B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24C19A40000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 275D1FC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23BBDC90000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 227D8FC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2DED2C70000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 14ACE6B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 220AEFD0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241B6940000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 202A22A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D25AA0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BD1A2F0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A63950000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1834ABA0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D8F03D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 18BAF3C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 256EBEB0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2568E1B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 226A7DC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 12A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2C0F50000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2EE0D7C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22B68FC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA5B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EBCE9B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 11CD6340000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AFDEB70000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 207C0460000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 245A2150000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24708EB0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F60740000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26E569B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2CA8FE60000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1D63DC20000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A799B20000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F6963C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26481BB0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 166D2D90000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 128DE440000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2101D0E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 86A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 192D1E50000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26DD2000000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 257155B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 16443E50000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2C8A6FC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E968280000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A9452E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 29227D20000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 283E5C00000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 14BB07C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22C4F660000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBAE850000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 27B1B9F0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27FF3CD0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 281CF7C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28843650000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2761C420000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1ED974C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 14FE9140000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BB54D40000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F380C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 234F31D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1B1C6A90000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1D4049E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1D404D90000 value starts with: 4D5A	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dialer.exe

Memory written: PID: 4004 base: 86A0000 value: 4D

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\setup.exe

Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\setup.exe

Thread register set: target process: 1172

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\System32\dialer.exe base: A832518010	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2D016580000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 14E41FA0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1D15B010000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23AF32B0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23C9FD60000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A1CA6E0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 246ED7B0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 200A1980000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22595FB0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22E670C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FE4A4B0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24C19A40000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 275D1FC0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23BBDC90000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 227D8FC0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2DED2C70000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 14ACE6B0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 220AEFD0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241B6940000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 202A22A0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D25AA0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BD1A2F0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A63950000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1834ABA0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D8F03D0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 18BAF3C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 256EBEB0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2568E1B0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 226A7DC0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 12A0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2C0F50000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2EE0D7C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22B68FC0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA5B0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EBCE9B0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 11CD6340000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AFDEB70000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 207C0460000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 245A2150000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24708EB0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F60740000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26E569B0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2CA8FE60000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1D63DC20000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A799B20000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F6963C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26481BB0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 166D2D90000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 128DE440000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2101D0E0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 86A0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 192D1E50000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26DD2000000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 257155B0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 16443E50000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2C8A6FC0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E968280000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A9452E0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 29227D20000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 283E5C00000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 14BB07C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22C4F660000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBAE850000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 27B1B9F0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27FF3CD0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 281CF7C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28843650000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2761C420000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1ED974C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 14FE9140000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BB54D40000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F380C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 234F31D0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1B1C6A90000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1D4049E0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1D404D90000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1834B270000	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc	Jump to behavior

Source: C:\Windows\System32\dialer.exe

Code function: 12_2_00007FF6AFBE1B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

12_2_00007FF6AFBE1B54

Source: C:\Windows\System32\dialer.exe

Code function: 12_2_00007FF6AFBE1B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

12_2_00007FF6AFBE1B54

Source: winlogon.exe, 00000011.00000000.2142953238.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000011.00000002.3399964337.000002D016A61000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000017.00000002.3424272166.000001D154AB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: dwm.exe, 00000017.00000000.2159577755.000001D159439000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000017.00000002.3435659457.000001D159439000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: winlogon.exe, 00000011.00000000.2142953238.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000011.00000002.3399964337.000002D016A61000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000017.00000002.3424272166.000001D154AB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000011.00000000.2142953238.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000011.00000002.3399964337.000002D016A61000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000017.00000002.3424272166.000001D154AB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: winlogon.exe, 00000011.00000000.2142953238.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000011.00000002.3399964337.000002D016A61000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000017.00000002.3424272166.000001D154AB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\wbem\WmiPrvSE.exe

Code function: 4_2_000001B1C6AA36F0 cpuid

4_2_000001B1C6AA36F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\dialer.exe

Code function: 12_2_00007FF6AFBE1B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

12_2_00007FF6AFBE1B54

Source: C:\Windows\System32\wbem\WmiPrvSE.exe

Code function: 4_2_000001B1C6AC7960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_000001B1C6AC7960

Lowering of HIPS / PFW / Operating System Security Settings

Stops critical windows services

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc

Source: Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.30.dr

Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	2 Disable or Modify Tools	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Windows Service	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	1 Access Token Manipulation	1 Obfuscated Files or Information	Security Account Manager	22 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Windows Service	11 DLL Side-Loading	NTDS	231 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	913 Process Injection	4 Rootkit	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	913 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
setup.exe	76%	ReversingLabs	Win64.Trojan.SilentCryptoMiner
setup.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	100%	Avira	RKIT/Agent.dvyic
C:\Program Files\Google\Chrome\updater.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\updater.exe	76%	ReversingLabs	Win64.Trojan.SilentCryptoMiner
C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	88%	ReversingLabs	Win64.Trojan.SilentCryptoMiner

Name	IP	Active	Malicious	Antivirus Detection	Reputation
241.42.69.40.in-addr.arpa	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://schemas.xmlsoap.org/wsdl/soap12/P	lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 00000015.00000000.2146371271.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3388396962.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://Passport.NET/tb	Microsoft-Windows-LiveId%4Operational.evtx.30.dr	false	high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 00000015.00000000.2146371271.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3388396962.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/erties	lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	lsass.exe, 00000015.00000000.2146345009.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000015.00000002.3387852004.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1553146
Start date and time:	2024-11-10 12:37:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	27
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setup.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@24/65@1/0
EGA Information:	Successful, ratio: 91.7%
HCA Information:	Successful, ratio: 75% Number of executed functions: 60 Number of non-executed functions: 362
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 40.126.31.69, 20.190.159.2, 20.190.159.23, 20.190.159.0, 40.126.31.71, 40.126.31.67, 20.190.159.4, 20.190.159.64
Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target setup.exe, PID 4924 because it is empty
Execution Graph export aborted for target updater.exe, PID 5484 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: setup.exe

Simulations

Behavior and APIs

Time	Type	Description
06:37:57	API Interceptor	1x Sleep call for process: setup.exe modified
06:37:59	API Interceptor	15x Sleep call for process: powershell.exe modified
06:38:35	API Interceptor	299626x Sleep call for process: lsass.exe modified
06:38:35	API Interceptor	5380x Sleep call for process: svchost.exe modified
06:38:35	API Interceptor	383958x Sleep call for process: winlogon.exe modified
06:38:35	API Interceptor	1894x Sleep call for process: dialer.exe modified
06:38:37	API Interceptor	371943x Sleep call for process: dwm.exe modified
06:38:43	API Interceptor	225x Sleep call for process: WmiPrvSE.exe modified
12:38:02	Task Scheduler	Run new task: GoogleUpdateTaskMachineQC path: %ProgramFiles%\Google\Chrome\updater.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	iqA8j9yGcd.exe	Get hash	malicious	HackBrowser, DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRAT	Browse
	VaTlw2kNGc.exe	Get hash	malicious	Blank Grabber, DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	87Bym0x4Fy.exe	Get hash	malicious	Blank Grabber, DCRat, Discord Rat, PureLog Stealer, Xmrig, zgRAT	Browse
	8Ck8T5qRcC.exe	Get hash	malicious	Blank Grabber, DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	TS-240605-Millenium1.exe	Get hash	malicious	Blank Grabber, Discord Token Stealer, Millenuim RAT, Xmrig	Browse
	DevxExecutor.exe	Get hash	malicious	Python Stealer, Blank Grabber, CStealer, Discord Token Stealer, Millenuim RAT	Browse
	hacn.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT, Xmrig	Browse
	SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	RHADAMANTHYS, RedLine, Xmrig	Browse
	WinrarInstaller.exe	Get hash	malicious	Xmrig	Browse
C:\Program Files\Google\Chrome\updater.exe	iqA8j9yGcd.exe	Get hash	malicious	HackBrowser, DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRAT	Browse
	VaTlw2kNGc.exe	Get hash	malicious	Blank Grabber, DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	87Bym0x4Fy.exe	Get hash	malicious	Blank Grabber, DCRat, Discord Rat, PureLog Stealer, Xmrig, zgRAT	Browse
	8Ck8T5qRcC.exe	Get hash	malicious	Blank Grabber, DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	TS-240605-Millenium1.exe	Get hash	malicious	Blank Grabber, Discord Token Stealer, Millenuim RAT, Xmrig	Browse
	DevxExecutor.exe	Get hash	malicious	Python Stealer, Blank Grabber, CStealer, Discord Token Stealer, Millenuim RAT	Browse
	hacn.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT, Xmrig	Browse

Created / dropped Files

C:\Program Files\Google\Chrome\updater.exe

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5617152
Entropy (8bit):	7.71585644239634
Encrypted:	false
SSDEEP:	98304:Dei3W2HJn8hqIOLmRLRSo+QqvCRs19A3JIkLJQrAtjRQii7yXdmMpy2N:6Z2i4OcxQECE6ZIkLJIAt8y4
MD5:	1274CBCD6329098F79A3BE6D76AB8B97
SHA1:	53C870D62DCD6154052445DC03888CDC6CFFD370
SHA-256:	BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
SHA-512:	A0FEBBD4915791D3C32531FB3CF177EE288DD80CE1C8A1E71FA9AD59A4EBDDEEF69B6BE7F3D19E687B96DC59C8A8FA80AFFF8378A71431C3133F361B28E0D967
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Joe Sandbox View:	Filename: iqA8j9yGcd.exe, Detection: malicious, Browse Filename: VaTlw2kNGc.exe, Detection: malicious, Browse Filename: 87Bym0x4Fy.exe, Detection: malicious, Browse Filename: 8Ck8T5qRcC.exe, Detection: malicious, Browse Filename: TS-240605-Millenium1.exe, Detection: malicious, Browse Filename: DevxExecutor.exe, Detection: malicious, Browse Filename: hacn.exe, Detection: malicious, Browse
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.v....U................@.............................PV.......U...`... ...............................................V......0V.......U..............@V.x.............................U.(.....................V.X............................text....u.......v..................`..`.data...`.U.......U..z..............@....rdata..`.....U......\|U.............@..@.pdata........U.......U.............@..@.xdata........U.......U.............@..@.bss.... .....U..........................idata........V.......U.............@....CRT....`.....V.......U.............@....tls......... V.......U.............@....rsrc........0V.......U.............@....reloc..x....@V.......U.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllultnxj:NllU
MD5:	F93358E626551B46E6ED5A0A9D29BD51
SHA1:	9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
SHA-256:	0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
SHA-512:	D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eydvvihl.5mn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h51hc0b1.nqj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hfz2w2dg.myg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pxg3x2ib.s0n.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	161792
Entropy (8bit):	5.8318794599287465
Encrypted:	false
SSDEEP:	3072:lQbW78Kb89UMmY8MA1cRWr7BiKcOO1Sf7lHn4mr3yo4f8P2:lQK75bobwfBiKCYfhHLU5
MD5:	1667C96053EAA078109F8B0C9500FC9D
SHA1:	E0F567763BAAAA757F66F96951D9810F45F69F30
SHA-256:	F7E1E53A6FB24A2BD9206305C59448A8F99B6F5847A6ACB18EB0FD9F7383FFB4
SHA-512:	6285ADE5CB85B71814EDD57EDDC512A031596043B7FCE4FCC909A0B78ECFE161C062AD0637EC82CBDAA36675AD32FBD0C94DDD96BB575BE8B1FBB47DF706AAE1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Joe Sandbox View:	Filename: iqA8j9yGcd.exe, Detection: malicious, Browse Filename: VaTlw2kNGc.exe, Detection: malicious, Browse Filename: 87Bym0x4Fy.exe, Detection: malicious, Browse Filename: 8Ck8T5qRcC.exe, Detection: malicious, Browse Filename: TS-240605-Millenium1.exe, Detection: malicious, Browse Filename: DevxExecutor.exe, Detection: malicious, Browse Filename: hacn.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: WinrarInstaller.exe, Detection: malicious, Browse
Preview:	MZ......................@.......................................sr......!..L.!This program cannot be run in DOS mode....$.......K...............D.......D...........o...9A......9A9.....9A......Rich............PE..d....t.d.........."....%.....X......X".........@..........................................`..................................................8.......p..`>...`..8....................5..8............................................0...............................text............................... ..`.rdata.......0......."..............@..@.data........P......................@....pdata..8....`.......6..............@..@.rsrc...`>...p...@...8..............@..@........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yntnomxcupkb.xml

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1490
Entropy (8bit):	5.1015990235428035
Encrypted:	false
SSDEEP:	24:2dk4+SkIMFWYL60YeGlMhEMjn5pwjpILUYODOLqx49RJh7h8gJ15E15LNEB86tn:cC3IQDL60uydbQ9IIYODOLqOdq2sbEx
MD5:	546D67A48FF2BF7682CEA9FAC07B942E
SHA1:	A2CB3A9A97FD935B5E62D4C29B3E2C5AB7D5FC90
SHA-256:	EFF7EDC19E6C430AAECA7EA8A77251C74D1E9ABB79B183A9EE1F58C2934B4B6A
SHA-512:	10D90EDF31C0955BCEC52219D854952FD38768BD97E8E50D32A1237BCCAF1A5EB9F824DA0F81A7812E0CE62C0464168DD0201D1C0EB61B9FE253FE7C89DE05FE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <Triggers>.. <BootTrigger>.. . <Enabled>true</Enabled>.. </BootTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">... <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <Duration>PT10M</Duration>.. <WaitTimeout>PT1H</WaitTimeout>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabl

C:\Windows\System32\winevt\Logs\Application.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	2360
Entropy (8bit):	3.703112687382221
Encrypted:	false
SSDEEP:	48:MtCDUlZzrP++cSLdwSCtR65EfWHjjP4OFiL8anhyxDJAAy:mujJOLjjP4OkganaWAy
MD5:	99D3A843B04904597BD6DCC02360A584
SHA1:	BFD51927B3AC96EC83030AEECE6CC55FFDB81E4D
SHA-256:	1F3C08672B32DF1C611C556F013BD710F5B301CCC9491C61901F3673AE1284C9
SHA-512:	52C2402B60A222E00F15DF210D59D615DFDCF1787CF650B4AB69C1FEE5038732F8E4FA8941199D5498E3D440A0FE580F20206EB57C13126E29F66AF96B476C96
Malicious:	false
Preview:	ElfChnk.........................................8..........................................................................S.9.................m...........................=...................................................................................v...................................t...?...........................................F...................M...5...........................F...............................................&.......................................................................**..8............[.e3........}$..&.......}$...[\_+-...x(.}.......A..q...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..2............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.A.P.I.2.F........)...G.u.i.d.....&.{.5.b.b.c.a.4.a.8.-.b.2.0.9.-.4.8.d.c.-.a.8.c.7.-.b.2.3.d.3.e.5.2.1.6.f.b.}.

C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.844757629881363
Encrypted:	false
SSDEEP:	384:5he6UHi2uepX7xasnPC3FzFtpFDhFPFyF842xDmSyVflkWiVytr1jSmKbC93ZmLH:5VUHiapX7xadptrDT9W84R9RNdlJEt
MD5:	6DD9513F9459922C47E5DA7D177B65ED
SHA1:	22141C6315B5E37BF885AA1B2D611BB4A7B85186
SHA-256:	EEE9440984A354B116F442B7E64D4754847E667C0A90A6AD38DD990371A09086
SHA-512:	3D40609D277197F9249A917D3890960F419CB78B47A68CE5A74A902AC069DBAB781C33A104E21C8A12B5C484EACBB00783FE8F1AC48752C24709B833AAAE5F1C
Malicious:	false
Preview:	ElfChnk.........H...............H....................u3.......................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...............................................N...........&........r...................m..............qo...................>...;..................**..............4.9...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	DIY-Thermocam raw data (Lepton 3.x), scale 8448-1024, spot sensor temperature 0.000000, unit celsius, color scheme 1, show spot sensor, calibration: offset 0.000000, slope 13321401407157305344.000000
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.375898877258491
Encrypted:	false
SSDEEP:	384:GhzN7UN0HN9NINoNaNxNUN7N+N8NXNINCXNGNXNNaYNXa4NvNhnNFNENNhSNEcNV:GDttjfckEwpQTB1cuat3x9
MD5:	C9340739814935979F6E070F71B429C3
SHA1:	5D5883156D59CE1BFCCE51E8B05190DACBD63C4D
SHA-256:	C73213B06AE8111F7F5E76AA12A63FBD173A2BF1072D07B0D1BEE6C91C722160
SHA-512:	23A7490C2F62515367EB614618910117A79AC4A42A0C9815C8194D47F4D8A978DB5A0D1F503BC6B07A2433DB05EB8F7582289AEDF7062C3D1B735049825CF459
Malicious:	false
Preview:	ElfChnk.x...............x.............................r.....................................................................].B.................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F....................{..........................&.......................MX......]...................................................................**......x.......G.".U..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	77600
Entropy (8bit):	4.254900887881969
Encrypted:	false
SSDEEP:	384:eghxVpV/rV9VdVHVVpVkVXghxVpV/rV9VdVHVVpVkVPWWVnVyVqVmVXV5VX64VXO:egxWgxjIiXkrtrAjxq
MD5:	5A17B181AA89D574FA47B49FB774FD4C
SHA1:	EBEA40225DC23D0EA2CD3F832AA6EA8648BD66BF
SHA-256:	22D1A8A1465961F49521FBCC33B3217F085D761BF44190C851077F3B5FEFA73C
SHA-512:	4DE6ACDBA1B70A2FE6E8C7AB105E4ECFBEB0880A18FFAA051F108054EBE8E5BD5A79EC181E7BEBBDB3F9415DACE059F82CC02E041B815AD66E3208C0FC0C8833
Malicious:	false
Preview:	ElfChnk.I.......P.......I.......P....................2>.......................................................................=.................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...............................................&...................................................................................................**......I........J..W..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.213049085236613
Encrypted:	false
SSDEEP:	384:fh+m3shOg26Qm6mt3m+DmqkTmETiImombmtmgmRmvhmCmGImchm7mBmImwmtmHm2:fNCOg26Dk1TisCzjECrXqm
MD5:	C142C52B34FFDA11B1B98479A7FD083A
SHA1:	46E3403362EDEE1AA85FA9304DCCF2786938FBD6
SHA-256:	EE26845A028E718A3FCB180BB07B1B944DA0C876313A24EDA336A7BAF53D49C9
SHA-512:	1198A7AA1C55DD65542CBEA8A567A910645D6A167B02692C5C8E33F9AB40644BE233589181B7F67263324DEB1A661BE95E964607F1C680C7EFC8EDBED5E1E2C7
Malicious:	false
Preview:	ElfChnk..0.......0.......0.......0...................:8O....................................................................Z...................P.......................x...=...........................................................................................................................f...............?...........................m...................M...F...............................................&...............................)...................................................................**.......0......f6..W..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 5, DIRTY
Category:	dropped
Size (bytes):	71344
Entropy (8bit):	0.8840647255895877
Encrypted:	false
SSDEEP:	192:EUV7pp8nMLmvcp8nbp8nup8n6p8n0V7pp8nMLmvcp8nbp8nup8n6p8n:EUhpiMLmUibiui6i0hpiMLmUibiui6i
MD5:	61C96B59C970A72978EC94C20C97D5B5
SHA1:	22DD0147508820ED55636849F4455D79B5DE1E9E
SHA-256:	84F8031B86E32DF3235731CFDBB29A64FB1559AB94E0242A2F1FBA12DBDB8B71
SHA-512:	2B9F5366A84DA4A6B9AF3DCCAAD6CDFD2DC0F24451C972156E3D06B162C748070F63D01990B4C7B0E90E0DBA816C3581E48228B7E2D6DA3CFAF023DD02877388
Malicious:	false
Preview:	ElfFile......................................................................................................................RyNElfChnk.........................................0...X.?#......................................................................s8............................................=...........................................................................................................................f...............?...................................p...........M...F...................................................................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.6213104887740535
Encrypted:	false
SSDEEP:	768:0PB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9hFUKjSxw:wXY5nVYIyyqED5BVZUe7NrVnL3K9fYS
MD5:	94CE283335713D796E068233C0D27233
SHA1:	8B154CE1AEB28021DFE8B3FE78D322210537769A
SHA-256:	619E945769B0AFB1D3097B0FD8D85539C20F3024E47A98CAAB23DCA2F089EE2E
SHA-512:	5DAFBD530019133D08737F49D10DFF926CAD9D665588F800D18B6F3321FFB1EF7C7C2D61F0AD30C1084ECD2086D90E7099A7A9E0AADD3DC8AA047B51D75879B6
Malicious:	false
Preview:	ElfChnk.....................................x...X....#.N........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................y.......................**................9..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	100472
Entropy (8bit):	2.3234118864973796
Encrypted:	false
SSDEEP:	384:XoxK9o+hdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorrqorrcoiorloF:tDCoKDCot/2y3h89GpnVD6fO
MD5:	7D27AF07CDC3D079185E9E247AF3688B
SHA1:	2B9967895E36A39C3A138993AF60B40035D66D33
SHA-256:	0421D9092F2E7F7624B3C8920EEF5E8C032F6755B4FE5CADD7DDCFCBDF237ACD
SHA-512:	D5529DF0D6447605ECE37D6BC661530345AA849CD5D52342BC355E7B32F5A8420B3DF91955FAED367C5667C53B2E6A026B3ABCC9A0069CD9A3AA9960E34E3998
Malicious:	false
Preview:	ElfChnk.....................................0-..`/..=^h.......................................................................a.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&.....................................................................................................................................y..d3.........Z7;................................................................>.......V...X.!..e...............y..d3..g..TW.....TW.......\|........................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y..k.N.<.D..97d>7.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...!>........!>....[.U.....i...........\|...:....A..3...b...%....=.......F.i.l.e.N.a.m.e.L.e.n.g.t.h.......A..3...b...%....=.......F.i.l.e.N

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 8448-1024, spot sensor temperature 0.000000, unit celsius, color scheme 1, calibration: offset 0.000000, slope 206.521484
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8818863793721268
Encrypted:	false
SSDEEP:	384:PhAiPA5PNPxPEPHPhPEPmPSPRP3PoP5PUZPDPBPrPTP:P2N7
MD5:	ABC20FF1642044E1CCE03170FDE15383
SHA1:	8FA47598A436BFAC1C60AA663BBA85ED65684EB3
SHA-256:	335CB1E45B8A1EBDC3714F6744B8AA7332FD8A88C296A4FC03F300D1417CCE8D
SHA-512:	262570D8EAB15F9A890B7FFC26B6E6D6615B2659120D7595D2E14A2DB9394EF043B475F1B00239C9E59577821EEC69441C5964D8250CAA7C623FAF497735E839
Malicious:	false
Preview:	ElfChnk......................................&.. (...........................................................................c..................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................................'.......................**..x.............\|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8732041818438444
Encrypted:	false
SSDEEP:	384:ihZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+ly:iWXSYieD+tvgzmMvpgNNr/C
MD5:	B693B4CC631594D7178A17D644604830
SHA1:	010015CDCBAC9449FB75222B3ADAA84725A573E2
SHA-256:	2AB6A0ED88C441E535930D7653055EFB046C8E0D20409B95E70F6203B05B770E
SHA-512:	2625F3E08A6C17703CD43E2FE6FE6DC8B1096D4BCF3DE77DE75882E923AC278A0F24E21C43644A4909F21E2DF827CDF967C53ECA1D35D18BCAB453309C55546C
Malicious:	false
Preview:	ElfChnk......................................&...'..... .......................................................................................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................&...................................................................................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	67136
Entropy (8bit):	3.2465016830681974
Encrypted:	false
SSDEEP:	384:dhFhUhqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hR8:8bCyhLfI49L
MD5:	116C6A0855F9E1E0CC8F3AE433597F2A
SHA1:	1D2EF40CA92849FE9C2912EA6D711BCA738FBEF9
SHA-256:	62C20B72A460475A40568ED095A7585CAEFD532C3531B4595FB7254163AECD65
SHA-512:	532E972E249272DB9747A00298F4C065EEC19CF8FCB33F2B809D824789A2322BEEBBC430CAC70999F5C588D2DC93D6380C992812375963B878BAB76E2BDE6D91
Malicious:	false
Preview:	ElfChnk.........O...............O..................e.ym.....................................................................q..................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................n..........n.......................................................................................*......N...........d3.........Z7;.n..............................................................<.......T.....!.....................d3..g..TW......TW...........N....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.D.P.A.P.I.@.....NF.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.D.P.A.P.I./.O.p.e.r.a.t.i.o.n.a.l....0.............j.....m.[.H...w:..C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.M.i.c.r.o.s.o.f.t.\.P.r.o.t.e.c.t.\.S.-.1.-.5.-.1.8.\.U.s.e.r.\....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	66528
Entropy (8bit):	3.492784992459667
Encrypted:	false
SSDEEP:	768:dcMhFBuyKskZljdoKXjtT/r18rQXn8x3F4mLvgpaCm:uMhFBuV
MD5:	4387002E5A19880A9A57BDB0D73F86F4
SHA1:	AF1E1109777211BE0B4EC0637B1C5FCD0404E962
SHA-256:	34403FFBDD36A74C246485FC944ED50E4649AB23BF75A7875FF227E37D93C103
SHA-512:	A5403BA32B433F620A0C3597C5B80BE812897354DE4D662B9981852A25634B2D8D9A2DCD6CCC53E20381940C8BF5FBE7ECD4F47972BEEB468CBBB0E52B49E475
Malicious:	false
Preview:	ElfChnk.........S...............S...............p...u3.'....................................................................q..f................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A..........................................**......S.......v...d3.........Z7;................................................................>.......V...y.!.................v...d3..g..TW......TW...........S....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.N.C.r.y.p.t........E..3...pM.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.N.C.r.y.p.t./.O.p.e.r.a.t.i.o.n.a.l....M.........F...........M.i.c.r.o.s.o.f.t. .P.l.a.t.f.o.r.m. .C.r.y.p.t.o. .P.r.o.v.i.d.e.r...0...l.s.a.s.s...e.x.e................ElfChnk.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.792827407520075
Encrypted:	false
SSDEEP:	768:nVQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZaYBnUm3iKLnn4eDB7:0Ht3iKLn
MD5:	152A48624B4DFD0D038B4FA3623BA7E7
SHA1:	5678AC8B8E8F29A58EA8D43EF57FFF9A6FDAEC28
SHA-256:	C4F9B02538E32C9F8583CACBBFA7C43453C03CEFEE70EC5DEB0194E96197BF49
SHA-512:	CB23A12137680CFD7B86FE67A4551D33CC727AE1F1EB5EB981D0DB7DB77F2F9A034AE08BEF109FFF080DC98467674369E675B06D768983E4BB15C819F3D4FE8E
Malicious:	false
Preview:	ElfChnk.........r...............r............... ............................................................................(.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................................%0......**..@...........WW. ..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.8858919329531718
Encrypted:	false
SSDEEP:	384:Nh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDg:NMAP1Qa5AgfQQlke9a6
MD5:	B66301CC0555CC995B4374B6FF0F39E5
SHA1:	63D7895AAD4EA9BCDAF4D3BFB2911FBC3B316613
SHA-256:	C056C5B1E6C58773FC9A75C46E8CC74E855A1620D21D2FF3D0AA34CEA380165C
SHA-512:	5A40E2618146D20A0F89943A7155FF211302643CC0D70684CF86363E303D3887625366AF85D5B538C317E70DF3DE30193CE0CE5660FF52756CEF46AFFBBA11FB
Malicious:	false
Preview:	ElfChnk......................................]...`..........................................................................c..................b...........................=...........................................................................................................................f...............?...........................m...................M...F................................................U..........&........................................&..............;...............................*..x...........HD................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.428876543896683
Encrypted:	false
SSDEEP:	384:vKhrEbExnEO4+EUEtEjEXE7LpEn7AEmxEsE27jE/iCESWQHEPEX5EwE2Ex7zEuEq:SfZRLvz75hyME8
MD5:	3E00DDA6A4D097354A6D64995B6F5637
SHA1:	37446C0346A6195D226249D251E7C8B5D9BA8EE9
SHA-256:	47B00BC6744A8886BE9ADAFE8E7C95FF08511038E35F12C66B74643326A29582
SHA-512:	1F2E1ABB9AFB705BA7E3C37B8A3DDB3EC180F83F2DBBD82C0AFA95EB37633057D9C5F4F0F76610CAC954FEACB1B7D6223B689A27628B3C69E1223CA216FB4AEC
Malicious:	false
Preview:	ElfChnk.p...............p....................... .....U.....................................................................w.%e.......................................R...=...........................................................................................................................f...............?...........................m...................M...F...................................E....%......&............;...)...........-..e+.......'...1..................M...........m...........%>..M.......*......p.......Elr W..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.462764563871168
Encrypted:	false
SSDEEP:	384:5hYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3Klc:51T4hImaVqA
MD5:	90C7B97351EB8C1E5D63C95F98DA7DC2
SHA1:	BCA659CC6F082891275AC1DE0DBCF11874239D97
SHA-256:	6E033AC321438132DD42CEF1729149128602226619B68BACC8509AA2C3BF7959
SHA-512:	E73206F70E009C1446EA7BA550901B9AF4F43CE0EBDA17DE514E3F55A65264490A24034BCEA90F88C9B0FE6FCED2CF9E970C85E969DB39C9374CF0A2F5AF8F9A
Malicious:	false
Preview:	ElfChnk.........s...............s...............P...............................................................................................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F................................................\|..........&.............................................................../.......................**............... .$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.543522413880544
Encrypted:	false
SSDEEP:	384:AhFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDfk:AzSKEqsMuy6/ij
MD5:	A7C99371DDFC5A4213129E4CACAFCBC1
SHA1:	DD3ED05CE634AA129B7F1385424AFB489F50C66A
SHA-256:	ED6442E39002736D07EE523A96024EB370A0E69A127E042D0EEA7C98F466831C
SHA-512:	E6642A332446467BF9D5DF8FF402EDF4184CA26FC50D8D224FFBDF0504E8B0E750BCC6664E9AE3F84BBC1A9E8F945F3D77B8BAF8F3A2E4FD971FD6EEC6E1E4B2
Malicious:	false
Preview:	ElfChnk.........P...............P...............8...D......................................................................./..................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................`..................=...............................................................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Shimuser%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.24409357808026
Encrypted:	false
SSDEEP:	384:mhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zS:mmw9g3LYx
MD5:	3E92F94FE6AA3FDC475D1591EF7E2704
SHA1:	B078DB603A5949847827FFD1EA107D357C22D6F8
SHA-256:	FD11BA3444675A33C4263FEAFDC9DD37E8061968D02E9BB4800B7E22D123DEB9
SHA-512:	A5362EB798F2F827B99F074F72D5B1208BDC89A23F152C85C3C8F9200B217F9F3E415A42B59D00D0DA765992DB085A9E47F63AC273404C95C914351150A8A4E8
Malicious:	false
Preview:	ElfChnk.........9...............9............t...v...4........................................................................x................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E............X..........n.......#...............................................................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9546787598621266
Encrypted:	false
SSDEEP:	192:ssgV71IUKGGk4yb27x1IMb27kdI2dIeWIbTcc2eI5Tcc:8h1IUbGk4NIsIKINIDI
MD5:	BA45982149D644A9243DF5BA6EB08A81
SHA1:	6DD8A1A7503D8323B24669AE91EA9C1308E30B15
SHA-256:	29302E33B11EBCBC0560A52847583AE37F2A2A72976A23F4AD71393E4FEBDBD4
SHA-512:	E0F1B9B471A40FC848A124DD0261FBC66B82FF3D9CC0DD655C8A6E2D9FBEEF0B9E1070D424589D8C3A57E0976A62B00AFC5BDF8B716B9D05DA5BE97B7B698AB5
Malicious:	false
Preview:	ElfChnk.K.......P.......K.......P............S...j...N.(...................................................................../.........................................R...=...........................................................................................................................f...............?...........................m...................M...F...............................................&...................................................................................................*..x...K.......`~.%W..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 14 chunks (no. 13 in use), next record no. 378, DIRTY
Category:	dropped
Size (bytes):	100608
Entropy (8bit):	5.665078841554595
Encrypted:	false
SSDEEP:	384:3ahAa5DpzuzNz0zxzuewKWMKFNa5TUa5pa5Oa5HMa5W2KvzyzIz2a5jNa5Oa5OaN:K0QqW/ygJ91R0QqW/ygJ91r0Tw00
MD5:	D2A30E484797E93C2E71175878E91AFA
SHA1:	A3F47F9D4CF5F30E68447C204E1C7D2C6439B6DE
SHA-256:	40435CE391AFDEC59DB5241F45DA582FD7C6C4BE96CDF3CBC2F1B8E04473F155
SHA-512:	0E305177E67DF47982C2DF2410F61491A881DBB7624ED143F56435666866F45B3337F6E07EFD8A20DA08A8C00742EF102383C8AB274951C7318BEE7E2045317D
Malicious:	false
Preview:	ElfFile.................z...................................................................................................I,c5ElfChnk.q...............q...........................F..3....................................................................!.y................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F...............................................&.......................................................................................)...q.......**......q.......%x.OU..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0906234381604036
Encrypted:	false
SSDEEP:	384:1h1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMOrMM/uMZeiMa:1eJw
MD5:	C5FF06DD8BE524B616F8663522CECD8F
SHA1:	C4103F0987D75AFE225436B8039C57F7CE40BDBA
SHA-256:	BE9EA2824B5985A8CA71792C629FCBAD2FE3267613E560F55512E1439F8D89DC
SHA-512:	2839A4B7356AA30DEA18794D81C10A81D4CB79C76380681EEBA6427D843DED6BB0A0B37AAA4AAF7715DE4C31DA9D30DFC1CF70F662E83B29CE8DC24EF1522DB3
Malicious:	false
Preview:	ElfChnk.....................................X0...1...p{{....................................................................s.\.........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................6(..................................................................................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.3544648067172504
Encrypted:	false
SSDEEP:	384:chz1g1z1f1m51F1Z191f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS10r:c2jdjP0cs5uP/ub
MD5:	5E01D7C4731FBE5625EEC0680D1037F1
SHA1:	F5889D115B9E5869538E908EFFD8B28A0BB72462
SHA-256:	73D8518E4715F852C806A157EAD1506A36AABF4BDE478DCEFF96A84D81E27AE6
SHA-512:	1FC15D0D1B817E648209CC72E14EDBFCBC8CC827C70DAE75D8C8A5465927BDBD6142D73F203F3240D259F38A2451E555D763D07BA10F5CA47B200733AD37CC1C
Malicious:	false
Preview:	ElfChnk.....................................(.........O.......................................................................................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...............................................&...........................................I.......................................................**.................WW..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	82528
Entropy (8bit):	3.4362312687169356
Encrypted:	false
SSDEEP:	384:x4IA73IyI0hIIIlIbIWIKRGINZIoxII5IMII9I4IaIaIsIavVCI5IhIYzhDIEQAd:x+9XV6zZxGq00f9XV
MD5:	37A90AA3362520791E16B75BC7EE675B
SHA1:	DDA4CCE21C873AE963331E5B6E90EB521C1FEAF3
SHA-256:	65747D661CCF9720B568DC21A847940EA83F66E1576848DCB160764A084F278E
SHA-512:	70FA9BD9DA35F258B63096CFBB6871EA803651B4B5C86D508883E8BDD3EC7017FFDE8D891141F40EDFE48B59DB3A249C1BDD7CB85C604C201393A5092225C45F
Malicious:	false
Preview:	ElfChnk.T...............T...................h.......E........................................................................m.........................................>...=...........................................................................................................................f...............?...........................m...................M...F................................................(..........as..................1..................................................................**......z...........d3.........Z7;.(..............................................................,.......D.....!........... ....@....d3..g..TW......TW.......d...z....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s..z.?..nM.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s./.O.p.e.r.a.t.i.o.n.a.l.......as..&.......6p.\.#i....>..........2........A..=...>.../....=.......V.o.l.u.m.e.C.o.r.r.e.l.a.t.i.o.n.I.d.......A..7...>...)....=.......V.o.l.u.m.e.N.a.m.e.L.e.n.g.t.h....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8285527879711732
Encrypted:	false
SSDEEP:	384:G2h6iIvcImIvITIQIoIoI3IEIMIoIBIbIlMI2I5IEFIzI5I:G2oxOT
MD5:	B980C446A2A107517F87CF34ADC83DD9
SHA1:	ECCBF6BD7A62E3914DA365893A1AA6D8DDD920CD
SHA-256:	CB0BF585620C448F0695AC37A7FFF2A358AED302660B31901C2D060921721FFB
SHA-512:	B2732AFC5D98033D990944E61930C3EA57D2ACFEE4A802476721665D7711FA2E9FEDCD7647917FE95AE03CDDC5DD927FA55F08F35CDEFA62EDC7CFD3C7FB5A39
Malicious:	false
Preview:	ElfChnk......................................#...$...>......................................................................V.=.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................^...................................................................................................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.1037290630380294
Encrypted:	false
SSDEEP:	768:n4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH13K:d
MD5:	7C3D15939EC70328CB06DAA08EA22573
SHA1:	BDA43799C74C483842C457E23EAAD47A136C976C
SHA-256:	5CA7B9E56E9708ED4F32F7C0BF086BF107C4A8AE7DBCE974FEB8AF9501D23902
SHA-512:	7875BC899CCEC1F62AD34E73A9F61D588BD6A98C2F768FB01FF1865B272FD8337DC15E6B5B18DB9B11DF565C543E2F329A784F73C3CF333B0F526E9F47021A58
Malicious:	false
Preview:	ElfChnk.....................................@...P...J.{P......................................................................q.................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ......................................................................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	dBase III DBT, next free block index 1130785861, 1st item "**"
Category:	dropped
Size (bytes):	68624
Entropy (8bit):	3.799626971198427
Encrypted:	false
SSDEEP:	768:KUFutDBjV8kau7eUtHpoVWWFcRkpHrWbGyYKQc90X+07SZRcZv76NcRUjGHzLKv9:LutDBjV8kau7PtHpoVW
MD5:	42F7FC202DC75D6F3C56CE18F533583B
SHA1:	7570FFAABB5893444888C99379E1EB5FBD32F4C5
SHA-256:	D1F150CEC1124CD906D92D388DA317A6258679C857B4FD56C03D00DE76B8844E
SHA-512:	E45746174245A596C81BF24C5681FEA7A5D37C9DCAF8D93B78CEB1C82604830921299E8491C5027660DED27AC86E16F6A9EB7454B212F89A6835932820FFB42E
Malicious:	false
Preview:	ElfChnk.................Q.......S....................Y..........................................................................................6...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................&...................................................................................................**..`...Q........r..d3.........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	100496
Entropy (8bit):	5.027607808345225
Encrypted:	false
SSDEEP:	768:ke9rIQrdwfQKRLc/RmA3gn3h6/AmFC+DYLxVw:lrAc/4AwRMA4C+sLxVw
MD5:	05364B0B9337FF95808C430DC30AF570
SHA1:	6E3FD252254ED028FD7DEB9CCB914A9650533599
SHA-256:	7BD0E8AD4D119227B98B8E82F98FFEFB2F44F4FA588849CF016DC49DEA4B8EBC
SHA-512:	A758C1FA7391B692E3045224E5BBAD17437C3C9FBF7FF35D433B6299E37F90AFEDCD61E5C4DF594A4A206FBB37EAB85ACAC149D4D9446ED922EBF993E224C695
Malicious:	false
Preview:	ElfChnk.:.......=.......:.......=.....................A.......................................................................................d...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................&...................................................................=...............................**......:........o.e3.........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7906584955348045
Encrypted:	false
SSDEEP:	384:MhP8o8Z85848V8M8g8D8R8E8y8JB8M848r898:MN
MD5:	4581429C5AA67A59E35288D5B0B55942
SHA1:	F0B9983D5700F829CBB975F501FBA322F5522593
SHA-256:	DEDCEFB3F18D3B36D8D27631F4DF73637937BF907FB1EB891CCEA1C14C19F44D
SHA-512:	96E95B4DA3F900B38F6B53121AA9C142B85242F3C287233D93B191CE08C1E89280FAAA52A6EEFFE0E04ED282CD6374AF8286E2C905004C651AAC78FFEAEF7E19
Malicious:	false
Preview:	ElfChnk.....................................8!..."..V.1.....................................................................8..Z........................................V...=...........................................................................................................................f...............?...........................m...................M...F...............................................v...........&.......................................................................................**..(.............................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.766812344360369
Encrypted:	false
SSDEEP:	1536:fXhIUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:fXanS
MD5:	63C1ECFCCC5E415817C4D1B162A51207
SHA1:	579474A30B7B1A06982D96212C4D450F423FC181
SHA-256:	C077D19248E142503FB02D771A1187FFE24B7FFBBF53B9DD42FEE57C0308A622
SHA-512:	4932D83B7BF836906224D5F3572D239B4C38E021D2FC915FB6D53FCD4B9F281DA47B2C001FC7100A5A82E6F8589365D104CD30EA6C5F1EB2259AE665E2B000F4
Malicious:	false
Preview:	ElfChnk.........(...............(............J..xL..c4.#........................................................................................v...........................=...........................................................................................................................f...............?...........................m...................M...F................................................9..........&...............................................................O.......................**..............g5...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.551634567387031
Encrypted:	false
SSDEEP:	768:L0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O6aGyRvF5UN5325Oi5Z:RcEN
MD5:	9FE9303D437AE64AE7D6F84406623E46
SHA1:	A7CE105D08F7A28F815B5BF171B3EDEB56E5CFF5
SHA-256:	81E629C26EF40A78C5E60E749498BE53744A0D618273BE5AF3DA048009D7345C
SHA-512:	F08582C238A2B6E2257F16B30DB0D407980129438D57099E92CA9FDE99A55B84B814FBDEC73A164B4A5BB792906AE2C5C88E63FA71FBDA472276B3CAE68C4CC9
Malicious:	false
Preview:	ElfChnk.........C...............C...................<b......................................................................-..s................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F......................................&........b..................................................%_..........................]...................*.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1912
Entropy (8bit):	3.5999672418334248
Encrypted:	false
SSDEEP:	48:MSWR7CKOrCK3QKB69Dkn9OCKOrCK3QkkcqrFn1:m7CKOrCKg669Dkn9OCKOrCKgkkcGF1
MD5:	3A240DD15354C5DA8184823C36AED024
SHA1:	75C73AFFBE5C763C4F8CD809740DBCCDEDE98127
SHA-256:	3354EA45B1CBF14FD326983C62CC33F783A0B3D49369ACDAFECCAF7DB78AF6A7
SHA-512:	969D7AD359DABDF0E973755E2B3055AD660F1E8E2F499CCDA0A4D6286E2401FF285D177754C57A9A6B2022E90CCECD8869045D436CFE2010E1DBD725143391A1
Malicious:	false
Preview:	ElfChnk.'.......8.......'.......8...........pv..`y..8..........................................................................................\...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................5...&...................................................................................................**......7...........e3.........Z7;&...............................................................L.......b.....!.....................e3..g..TW...+.TW...d.......7....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.M.i.t.i.g.a.t.i.o.n.s........J...M..<.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.M.i.t.i.g.a.t.i.o.n.s./.K.e.r.n.e.l.M.o.d.e...!..^5...........h.......>...................................4.\.D.e.v.i.c.e.\.H.a.r.d.d.i.s.k.V.o.l.u.m.e.3.\.W.i

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.327219596727842
Encrypted:	false
SSDEEP:	384:Npa/hDGCyCkCzCRCFC0CPCqiCEBCzMCy2zCoFC9CKCPCryCaC6CyCU2sF2s2EY2L:Npa/dUwmgU
MD5:	39BDE2B4C029E5F2BC6FA244100ED55C
SHA1:	EE71625A1DDB5D57B606677AB384B794C2F76741
SHA-256:	DACAB8704BF60ED925B8F231A45A4F5A1CA9C87DED892940B518EACA1CDEE266
SHA-512:	909A4CE0385AD7D2936C2F73E69F20DFC438304778826AAAE9CEC176E1E10900557A6621608F7CA782CF5B098B98E195AAC432739F81112B12DEF9C0547BD50C
Malicious:	false
Preview:	ElfChnk.U...............U...........................y.6R....................................................................?...................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F............................H..................f,..........&................................................x..............is......................**..0...U.........Df..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.4645121501987095
Encrypted:	false
SSDEEP:	1536:PrGJSsWdeBDBvwdvx8j00lDL0MBqQtcgVSyCV78AhurLyt2Q4eW+WzpzXepPvMog:PrGJSsWdeBDBvwdvx8j00lDL0MBqQtcU
MD5:	AF6B3AF3FEB5952B5CFA4A79A418228D
SHA1:	56B7AED9FC54B88B43EDEBBF35599F58610D3488
SHA-256:	4C33B557190EB5E003E3537736BEC0EB3B39A6435797B3B2E0B0440F25283A3A
SHA-512:	52F7304D50D66DDCF4B936F1089E8A6A56E5BD67037F6991D70A3DF6161C23F7A9D9954648CD4688EAA96ED45D4310822CB3107389B89244E9BC45340A90C98A
Malicious:	false
Preview:	ElfChnk......................................d..hf..........................................................................H.".................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...............................................&...................................................................................................**................G.S..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	70808
Entropy (8bit):	4.452267081981958
Encrypted:	false
SSDEEP:	1536:I4qtXpOHrPBOYM9QuTOc99zPb+zEbINH90Z5kLnOE8EGmwAOXKbGKszQW3XnT04G:I4qtZOHrPBOYM9QuTOc99zPb+zEbINd1
MD5:	2F2A5A95B9E4B57A5004CFED29EB7768
SHA1:	4A7EE3BE743BF0C4E33A3FB677661116A5C50995
SHA-256:	1F79A5D536B269BE3DB897717A7495DF9C642B896ECB54ABAA19C21F3067995D
SHA-512:	9E134423705E8647D18D5AE0722133DD65693A22C00896988187822B88D372C1D32DAF991EA40856901E6DB5BFCE48F5C19ED9835B17BBE983C2CC55A17558A3
Malicious:	false
Preview:	ElfChnk.....................................X.......%q......................................................................JMi................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F........................................................................................................i..........A....g..1c...............k........x...........ov..d3.........Z7;&...............................................................8.......P.....!....nqm......... ov..d3..$.....E@.#<.....................................$.N......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.-.C.o.r.e..n30'.\|D..Q.R.a.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.-.C.o.r.e./.O.p.e.r.a.t.i.o.n.a.l......L1c.............x.....(...............d3.........Z7;&...............................................................8.......P.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.4123466903622734
Encrypted:	false
SSDEEP:	384:vhZ7o7c7r7t7Q7A767/7U7r7W7A777kJ7q747i7T7L7H7P7p7c7/7v7E7iw7p7O6:v
MD5:	788B6B13BF6B1506C42A647C90C608FB
SHA1:	83A1DF28AAA9431F8BA98910622AB433633D5269
SHA-256:	E544869EE0C5829D15D7BFAF95679A6FF09D069B2752870866479980D4DECE5B
SHA-512:	6EE60DEE5B9E36106D7A654D241BC8CE2C84FC5DC663C43E270207EB84E4A6419BE19E00CBC6B530A7760F297BC56466619F5F6D17D9D7B8578CA937D3AD044A
Malicious:	false
Preview:	ElfChnk.....................................Ps.. u...^......................................................................]bJ............................................=...........................................................................................................................f...............?...........................m...................M...F............................6...............1..k............................................................................4......................**..............\|.FzT..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.3479804318728847
Encrypted:	false
SSDEEP:	384:Ghc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauinw:G6Ovc0S5UyEeDgLcxq3gYi3
MD5:	20ABEDB128E5E464C3ADEDAFDD33AABD
SHA1:	008B5B5722E9F1C1FC3659745636DA9AC4BF3246
SHA-256:	E910DB6310307CE0E3D9AF315BB11B5118C3C82E2077D23CBB5204E604404D5F
SHA-512:	8710B94D7EA052FED9E34AAD859242ECAA44D2A21E7C4B8B3CE5BB0A38187D4F155981802A7EB34A931002BC9B841821EA4100F779EFAB52A9D95C69453352EC
Malicious:	false
Preview:	ElfChnk.........B...............B............v...x..........................................................................:m\.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................6^..................................................................w...............................**...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8478731703315486
Encrypted:	false
SSDEEP:	384:chGuZumutu4uEu5uOuDuyb2uPu1uxuMDpu++uwKuDou13u:cO
MD5:	59AB0335EB19F6DD54860AACB86FD9CB
SHA1:	3E8217D9EE7123F81F7C87F00C27CFD908350941
SHA-256:	98E01AC5F79731DBD6E6ED4F39DDFA1A61F4D84E06BCDE28EFEB53D2CA949BEB
SHA-512:	A1B8B98385ACE44DD5B0F9314B7B647609CE122081BD3B06FB66F0BDB0C0970BFA7D8FA87C73AB2586716AEEA2DF7D209D716A094217FF6F93F1DDFF89243AAE
Malicious:	false
Preview:	ElfChnk......................................$...&..6.5......................................................................./.................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...............................................>...........&.......................................................................................**..............Wy.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.2240351571410395
Encrypted:	false
SSDEEP:	384:5hHAxA+AAVA3A0Al9ABtuAbuAbhAbxAboAb5TAbZAbPAU2AWAEAbAJAOhbArnAVT:5uG1mDNqd1ZjCRpazcYu2t
MD5:	38BC36F8F4362404E333E07569271DD3
SHA1:	A10D1ED540B714D7DEE9300C094DB58B0F4AD018
SHA-256:	A7B49B3228A919E34A01B00F9C71958A4391F9FC94EDB3BCA46088A94AA99D59
SHA-512:	2F730C5EE594ECF1B0F8E545940AA18E801E61F17CFBD44D8C99C6ADD80E5C29944F679439A7A9B9E855BBD6295A4F20D5B8BB638505E2F9CE660DF919B23019
Malicious:	false
Preview:	ElfChnk.........................................(...a.GR....................................................................LY..................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................Um..................&...m\...........................................S..........................................]W......**..................U..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.769029143659816
Encrypted:	false
SSDEEP:	384:4hnpg2TpJGpJfpJA3pJ9pJupJjpJkpJRpJapJfpJa5xpJxpJj+1pJQpJtpJAhpJT:45j5D+zAC
MD5:	20577B58222FB7BDEFC1300B21345286
SHA1:	AC97F48ACFF0FC27E1DA3A55C0322A9DF9ECB08A
SHA-256:	CDAC346E2CA13A1D8DE813E3574AD476A4071E25B8B4F919EBB24B38A0EF0C3A
SHA-512:	76B832469C31EE2EB6FCD6A5B96828BA84DA2FDEBC972E5C42092D71B61F932F0EB200F5B63BC1B41CA9E86536CFC7269FA909E90FB7899A206E3CD4F4DB15B1
Malicious:	false
Preview:	ElfChnk.7.......D.......7.......D............9...=...T.^................................................................................................................@...=...........................................................................................................................f...............?...........................m...................M...F...............................................&...................................................................................................**......7........qTUW..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.2293376553515465
Encrypted:	false
SSDEEP:	384:ZhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBe:ZwDoh1VLHUO2hER7Mkf2q
MD5:	310A53947288CB6B830E117FED6CB431
SHA1:	9EF3CE4C8CF1C83613ADED2DFDEC20E886E9CA6D
SHA-256:	86C884F9E1E28CD0BE2F4B68DD247C8C76F9A2AA83EBD46A9B1380AF053A3D7F
SHA-512:	31F063C868A22CE873B40E3FC62661EACF67A5C0B40DD22412CF64924E7CA29CDF44317F5C8CD30524A5AD595531ACF71133943DDA072D81C07FEB62D0204521
Malicious:	false
Preview:	ElfChnk.\...............\............................N.................................................................................................................R...=...........................................................................................................................f...............?...........................m...................M...F............................................;..^...........&...................................i...................................mS..............*..8...\........=..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2061151937932604
Encrypted:	false
SSDEEP:	384:YhwCCRzCaCkClCzCYC/CyCVCGCMCvC3CcvCCC7CaCqCEC:YKFz
MD5:	70E70D2CB97D613C0C3E1EA1D74EAA92
SHA1:	73F3C23087DB31711E0851550188FDDD6F11B59A
SHA-256:	CCDF6F2CA947C96970A0B63EEC1F8CCD753549B2FC6CED8E0C0AB54BEE2AE027
SHA-512:	F1900F302272A5319682D7E4B3AA8911DE337EB4059FEB97FB5DD4E25078CB961DEB49C8FF273C82693C3B5867FD9247ED3F2D22AAB5F9F9361BF0CC4004523C
Malicious:	false
Preview:	ElfChnk.....................................h6...8..3..........................................................................................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................v)............................................................................................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	112776
Entropy (8bit):	4.6668032712348975
Encrypted:	false
SSDEEP:	384:0hoMAcMSmM+MEMwMSVMfM0MtMXjM2MoMVxMWMlMvM6bM+MD5MSLAyEMSMpMyhoMx:0WKAyNWKAydsAyIfythK+AyqAyeWKAyA
MD5:	B33C80CA37EF53B693AF2F6147210F86
SHA1:	F7BC6CD3B078DE8FE275A11854A7283196C3750B
SHA-256:	947A801DC9E623764CE7D73516CFABD7FC37F23979AD6D72E61A4ECBAD3124FA
SHA-512:	F59F8FE6141F620F8913F6D44D47851A870A742285B1D3A0EEC7E288AE25AFFD7A329EFE2B8A2D066F102FBCC53F36D3ED19D9441C7F7AC5DEB96B802723B169
Malicious:	false
Preview:	ElfChnk.."......."......."......."..........`H...J..o.\'.....................................................................c<................".......................J...=...........................................................................................................................f...............?...........................m...................M...F...............................................&...................................................................................................*......."......N.0.d3.........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2305573051374772
Encrypted:	false
SSDEEP:	384:phL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmfPUmD+UmxUmBUmxUm:pY7LM
MD5:	38DDC0D6E2F296743CF4A3E22830F8ED
SHA1:	FAA40792E1A6F8AD8CD1EC6EC61E9C0232C20D11
SHA-256:	886F12875E0B1F98D5A61C42D96B95F0F8C992DC0F77E428B0CED2CC030913D2
SHA-512:	41C548C0D81C02855C71ACCDDCD8B75232459A5C405B94FAA7743495B142F9D1B7F10A7D2F47DB8845E1A5B4987D71BD4728A62B02CE14C248804460C2D32369
Malicious:	false
Preview:	ElfChnk.....................................04...6..lGz\.....................................................................@.................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&......................................................................................................................*..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TZUtil%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	67784
Entropy (8bit):	0.36796488824563184
Encrypted:	false
SSDEEP:	96:q4TBUNVaO87oHx/6aNH4TBUNVaO87oHx/6a:qCgV7LxiaNHCgV7Lxia
MD5:	2E6E2A34AFF7B2217D8A098CBA4A5518
SHA1:	0FA3FB9BF99BE4E8C31667A7E8E24AC29D42BA2A
SHA-256:	705282D9C032DFEB3A6FE5AA20F6BED5121E820FB672C684322BBA8E721D9035
SHA-512:	7E95DFF6022C67F504B1249D5C0E0F4F11369E77D9BBD60322AB4E3ED35B9B2F6C402E65E29EC9A32DA187839FAABBF9000624F78EDDC176467146D3A1462BB2
Malicious:	false
Preview:	ElfChnk..............................................I..........................................................................................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F...............................................&...................................................................................................**...............>..W..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.081454356890361
Encrypted:	false
SSDEEP:	384:OhMiv9i6ri+Hi7EibniWihKixiTijKiFi5iuiUioifiN8ixiEixihiliYi9niO8t:OfNa/xQM9QSp
MD5:	F38DD63F1596D1039571A5D80A147980
SHA1:	278553D5556ACBAF4E671C41F9A930CA0D253F11
SHA-256:	5AC3EDCEBF4CC25A645D62044E94FD695452E12A72D3500D98898E3F766C4875
SHA-512:	F6CE9DDF2D6888FB2DBB4C17544E632D8D5057B3C96577F70AD6F3B8EEA84274BFE092D94A0F3D2965DAD553209652AB5A28778C88DF9FDB5A8FA3E7D1EC8FFC
Malicious:	false
Preview:	ElfChnk.y...............y...................hv...x............................................................................?i................F....#......................=.......................#....................%..................N#...................................%......................f...............?.......................P.......................M...F...............................................v0..I%......v.......................................................................D...............**......y...........S...........g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.3997811013158903
Encrypted:	false
SSDEEP:	768:73aonqagagaAaEa8aka8a0agaIakaYa4acasaEa4akaMaUaEaIaUawakaEaAaUar:/n
MD5:	C8E6C53F151CF7B2E1ECCEEF43F518EB
SHA1:	6BAB71A3AC8228576F2396A21B7C895C68E074D2
SHA-256:	D2707C65485CE51CC921FA1C867C5F53E9CAE2C11D526F8BC55F982D164596B6
SHA-512:	B41B802EBBF94D84D897D0CD72B155ABFF0C1557E73281BA1CEA43CFC4B03DE522E8BC365A893FC3F390CBA3B76DFFE4B8EE49206D3270B8E21E0C75B5562DF3
Malicious:	false
Preview:	ElfChnk.........@...............@...............h....\|.,......................................................................1u................f...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................&...............................................................?...................................**..P...........XL.W..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.4147866220767469
Encrypted:	false
SSDEEP:	384:XhaXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJ3XJpyXJGXJQXJyXJbXJHXJZ:XQ0yUkNYwD8imLEJpmaYm9ZZ
MD5:	5AC69472258A06CCE6D64B90D882DD98
SHA1:	FE3AFF211337BBEDDF9E188F419495EDEED10F2D
SHA-256:	4E1ABC12F4354A38FB1B34228498C106713E751D06F206EFE76B1013DE3B09BD
SHA-512:	EC964437F5B9D0D3AB7CD4EB59C9B1215D22C244099C5F3EEFCB18F4B1F0EDC47FD38D3D83F0306136699C498BBBE3FE9C4489E976A7573DFE3E7427A5123A1E
Malicious:	false
Preview:	ElfChnk......................................D...G...6.m.....................................................................>.................j...........................=...........................................................................................................................f...............?...........................m...................M...F................................................0..........&...........................................................C...........................**..............@V.$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.335502462229597
Encrypted:	false
SSDEEP:	384:rhjmrmvm3BmOmbmLmomtmImj5pmHm5mxEmtPmoGmNlmmmCmZmLJmAkm2rmqimtmU:rGX5XDcxXaPv
MD5:	55C2C83DABDC93F6135C1875602E337D
SHA1:	3E825BFC09D43C9310193ED95D28BCC2C3E157CA
SHA-256:	587414170FCD20D1ED1BE71F5FB4D39CD2AA9169F694B51997866F7F20023E18
SHA-512:	3660BE713BF840ACF9D2B3E3C621D08B27B0A24E836A787351B777E6052E75BF1FE275C2A543A31C338E03B121D067C206E8D5C64320DB4C917D2E6EC443199F
Malicious:	false
Preview:	ElfChnk......................................6..H8..9........................................................................1z................P.......................x...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................3...........).......................................................**..x...........%...U..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.343747536559921
Encrypted:	false
SSDEEP:	384:Yho27s2m2C2i2g2Q2l2Q2A2g2jl2l2E2k28242A2g2U202Q2G2e2O2n2r2X272XF:Yf0mbm
MD5:	90EA562392E0A34BDD8BF8CED995478A
SHA1:	A8DB3CEB353E018652470C5D146FBB99755644E8
SHA-256:	1394D5A46782AED86CB80F8C9C66D05852229CD03138AD825D855AF3365DECFC
SHA-512:	6A9F396A0FA4B52589CE8557BCCCDB77DA5236E2FF47A697F3833FCEA2A1AAE7E75AF1E0E05E8E92F5BB0E26D906C51810C2AB0726C16F1D5C85278C3FC57DE4
Malicious:	false
Preview:	ElfChnk.........................................,..i.......................................................................[v..................R.......................z...=...........................................................................................................................f...............?...........................m...................M...F...............................+...............&...................................................................................................*...............b..U..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	125536
Entropy (8bit):	4.116412655201922
Encrypted:	false
SSDEEP:	384:1uRmRvKh8R+uRqRERNRiRcRTRRR8RiRDRhRuNRBRCR8R0RCtRgRQRNRTRrRMRhqX:QZtZR
MD5:	BB367E158AA1585F71292796EEC0B44D
SHA1:	7FF1DEA7583634C8F9B097CF7191CBF81E3AC6C1
SHA-256:	A16AE13B86F2185B89A19E37422455C1C6E30E031264B09581AFD690E1CA480D
SHA-512:	FEAB28F2085B39DD3A1537730EE7F7A484914B4F2E405E7367367F8EC6A21D0E342EF2662FAA75AE23D1055B685EFE9688D773CDD964186562E7718C4FEB0A4C
Malicious:	false
Preview:	ElfChnk.D.......x.......D.......x...................c.m.................................................................................................... ..............=..........................................3......................+..........................................W.......@...f...`.......4...?......................................E.......M...F...............................................&.........................................................................................................w......../L.d3........w..b&...............................................................<.......T...-.!................@./L.d3........ O.sK..3........w....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y.......#F.~.J.{..M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y./.O.p.e.r.a.t.i.o.n.a.l.................................P.r.o.t.e.c.t.i.o.n.M.a.n.a.g.e.m.e.n.t.......w.m.i.p.r.v.s.e...e.x.e.......".%.P.r.o.g.r.a.m.D.a.t.a.%.\.M.i.c

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.248562733326363
Encrypted:	false
SSDEEP:	384:ThThquhVh3hfhMhohghrhwhAhS5hqhShmh0hohRhNIh1BwhohGh5h3hShChWhzhM:T80FFpkBQL1
MD5:	3B202E0452EBFB9892AEB5D31B114EF9
SHA1:	EB516634D8C4E4BC3A1BFF0529DE8084B8C97415
SHA-256:	02D362B03A9A229E86546E073260C9F77BBF79142552E0EBE994A4B5EDF1729F
SHA-512:	D1B13B90844FFF51F84A84E517DF3B990ED12E13AA375B32A94333059DFAC4D72A309ED3EC830A348AA0011C2FEEEEAD5D4C9CFF6C17A2A7FBDD0B0F8CFC4D0A
Malicious:	false
Preview:	ElfChnk.....................................8!..."......................................................................................................................l...=...........................................................................................................................f...............?...........................m...................M...F...........................................a...&...................................................................................9...............**..@...........O. W..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3101945749546235
Encrypted:	false
SSDEEP:	384:GhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVAViVhcVSVsVX6:GyjbP
MD5:	FFD7548AA8B73513E37AC74F7FC499B7
SHA1:	7BAF52151B91BDFA56D12285A88E0AF2BBDA1AD0
SHA-256:	418A17FEDA3FCB510EBA4F33A7D7ADDF1DC4FF23E09460BA2E41D92E01393F31
SHA-512:	A4BDC043871F8BFC002912A12FB7453CB0EB451F6D35DCE88726B45805F69E0C08999AA83F569826E30520B17935F372D283E94261D0B284850FE8A07618E3D0
Malicious:	false
Preview:	ElfChnk.........$...............$...........(;...<.....R....................................................................$A.g................&...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................&..........v.......................................................................................*..P...........y................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.303395614912883
Encrypted:	false
SSDEEP:	384:ghxBwBuBwBOXBwByXyBwB6BwBLBwB6BwB6BwBEBwB01BwBfw/D7BwBL/iBwBfCbs:gvuCbCPDMgBWuh
MD5:	DBBEB8F44F26B7E23652347B0F91BBBF
SHA1:	1042EC373336F7B311053A4CEB09071512108B56
SHA-256:	70AC343E9C4D1328A8A3916240F56C75E5735BF37B438A29F7A9BA5226D74ADA
SHA-512:	08B96C667B593A02049E6B28E0FB8E469533F66E0A6C41A1E7A385BB663723C7D19F93A19F88A4583003605BD540C601273A9C924464A918945918218CC6255B
Malicious:	false
Preview:	ElfChnk.....................................hL...O..BF........................................................................&.............................................=...........................................................................................................................f...............?...........................m...................M...F....................".......)......................................................................................................................**..(............-.1W..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.415502860476199
Encrypted:	false
SSDEEP:	384:/hNUEuUEdeUEFUEWUEbUEGUE7eUEt9UE8oUEbPUETaUEEpUESEUED7UEhmUEGlUi:/2qgYE
MD5:	7750FCF3463E4684F5956C8EF6545615
SHA1:	673F0508FDFE69CBABABDFDC29133640FA81051E
SHA-256:	FA412F1DA2F16D58A180E41D4793F4AF3512803C93E3DDA457305473F1CBF2FF
SHA-512:	6AE0FE662EEFD4ED26D6C40F742706AF38F3D448A92C23DE2986F11D3C7890DA6B5235C716085EA07E048548C429A4E91FE5F2DD422D1B03CCF0EC403E2156FC
Malicious:	false
Preview:	ElfChnk......................................Z...[......................................................................................................................F...=...........................................................................................................................f...............?...........................m...................M...F...............................................&...................................................................................................**................z W..........Z7;&........Z7;..T.f.m`..L........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	68136
Entropy (8bit):	4.292271187322906
Encrypted:	false
SSDEEP:	768:VfFJXdxjRGxHe96wYfy167tbiikqokbE8noJp2p5A58H:hR9lg
MD5:	1BC95F7467BED7C0A05F535C17396EDA
SHA1:	BBBD37A347AFC6EEB37F99363355D968312CCED9
SHA-256:	FF7FDEDE4B4E0B50BE2D7F4405AAE8DC2B0227C8367F1E1FA392B718076628D9
SHA-512:	5BA77968669D28A4371FA1747AAD991823D5229FD383C737F2904A8F5DD5EA8F6217B6B7EBBDB76E30929B9253007B0E57230BB3C4B749B40A724ACEAD67BAF4
Malicious:	false
Preview:	ElfChnk.................r.......r...............(......L.....................................................................v.7....................s...h...............N...=...................................................N...............................................w.......:.......................3...................................a...........).......M...X...:...................................................................................................&...........................................**..(...r........!..d3........Ez.B&.......Ez.Bfa.S...=F.&E.......A..9...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....b...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\System.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	75080
Entropy (8bit):	4.773769641234503
Encrypted:	false
SSDEEP:	768:Y9gb/x5kd253pW5Yp5aC+6/lXHPIfqi3qijqiurDC:7fZ5kYfIii6i+iCC
MD5:	849FB93F1A96B56E6EA7D5240F27EE63
SHA1:	005941C6210DE9A7BF7B3AD53804E435256CC27A
SHA-256:	EF560B27C85FD6EFD83A143EE0EEB6D4E936EB7045A3A77784BC909AE2DB6E7B
SHA-512:	B870F1629A2DDE50E92B594A6FFCEBBBD447B1DFF9C7FF6661280A50EBF50E88120A78CB7ECE204A041B1A32CCA9C0E5B29ACD87D2323115F365C1611187348C
Malicious:	false
Preview:	ElfChnk.........................................0......g...........................................................................................s...h...............N...=...................................................N...............................................w.......6.......................K...................................]...........).......M...9...:...........................................................................................................$...................&...............**...............!..d3............&.............gX..L.&..A.......A..5...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....^...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	76672
Entropy (8bit):	3.8331047933303037
Encrypted:	false
SSDEEP:	1536:sWWldGB9gWWldGB9XaFVdv6t+Na0gK4a:
MD5:	6C159A56805EBDF9AB0BAE86F36284CD
SHA1:	A3F5234EC0130D8874993666EB6B656596CDF387
SHA-256:	06F83FF090FF0F0FAF61B493A2F75D40AB5449C2954F0A101E6FDAE0C25B4953
SHA-512:	FBB96AA7E3FAAB3A94EA72BC6511C3C74A25143260CB5314375216B0DECA06E49B0794A96022D26AC20066F543C95E1B32C132BE38411B8F3572949C7F5B54A3
Malicious:	false
Preview:	ElfChnk.................y....................&...+.....{.....................................................................Us.............................................=..........................................................................................................................._...............8...........................f...................M...c...........................t...................................................................&...................................................*......y...........d3.........{-&........*{-.elRN.E%.,+.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..R............{..P.r.o.v.i.d.e.r.../....=.......K...N.a.m.e.......P.o.w.e.r.S.h.e.l.l..A..M...s........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n............

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.71585644239634
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	setup.exe
File size:	5'617'152 bytes
MD5:	1274cbcd6329098f79a3be6d76ab8b97
SHA1:	53c870d62dcd6154052445dc03888cdc6cffd370
SHA256:	bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278
SHA512:	a0febbd4915791d3c32531fb3cf177ee288dd80ce1c8a1e71fa9ad59a4ebddeef69b6be7f3d19e687b96dc59c8a8fa80afff8378a71431c3133f361b28e0d967
SSDEEP:	98304:Dei3W2HJn8hqIOLmRLRSo+QqvCRs19A3JIkLJQrAtjRQii7yXdmMpy2N:6Z2i4OcxQECE6ZIkLJIAt8y4
TLSH:	2E46E01B9BB5EF12D119C0FE306626086634D3069DE87C28EF6F5B41351632E63E9EE1
File Content Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.v....U................@.............................PV.......U...`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400012fd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x4000450c, 0x1, 0x400044f0, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	0fdd3d21d2193b717f076a70dfaa659c

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0055A348h]
mov dword ptr [eax], 00000001h
call 00007F17A4866F13h
nop
nop
dec eax
add esp, 28h
ret
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0055A32Bh]
xor edx, edx
mov dword ptr [eax], edx
call 00007F17A4866EF8h
nop
nop
dec eax
add esp, 28h
ret
dec eax
sub esp, 28h
call 00007F17A486AF07h
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000005h]
jmp 00007F17A48670CEh
ret
nop
nop
nop
ret
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax+00h]
ret
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax+00h]
ret
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax+00h]
ret
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax+00h]
ret
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax+00h]
ret
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax+00h]
ret
sldt word ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x560000	0x5e4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x563000	0x388	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x55c000	0x60c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x564000	0x78	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x55b2c0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x560198	0x158	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x75b8	0x7600	92a433ff13025dda2f8832b3ba47f4cb	False	0.5024496822033898	data	6.126233240669742	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x9000	0x550160	0x550200	f79fc51b240acbc551e51cfd4934ec52	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x55a000	0x1b60	0x1c00	e79c60ad85a32722531f8593b23b26b7	False	0.44893973214285715	data	5.0676250579227995	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x55c000	0x60c	0x800	b563079ef928b523d8d741b04fc428c5	False	0.37109375	data	3.6393254656893337	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x55d000	0x490	0x600	6731287afa5b247d7414e61e07564c26	False	0.2923177083333333	data	3.367895720590965	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x55e000	0x1620	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x560000	0x5e4	0x600	b6fc00d75df898e2f006a20f12fb69b1	False	0.3606770833333333	data	3.8755986783766283	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x561000	0x60	0x200	9867011dc1bd0b257a5f116a965d24ff	False	0.06640625	data	0.28341599526108024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x562000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x563000	0x388	0x400	1dc8ad87c60f0851d6dbef5108e34126	False	0.44921875	data	5.016736197841765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x564000	0x78	0x200	03a349d5be37c2131c83dbfaf1c3e983	False	0.248046875	data	1.5196339247044217	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x563058	0x330	XML 1.0 document, ASCII text	English	United States	0.508578431372549

Imports

DLL	Import
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
msvcrt.dll	__C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, abort, calloc, exit, fprintf, fputs, free, malloc, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr, _wcsnicmp, _wcsicmp

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-10T12:38:17.092545+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.6	49751	TCP
2024-11-10T12:38:52.557754+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.6	60889	TCP
2024-11-10T12:38:53.820122+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.6	60896	TCP

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 10, 2024 12:38:46.874742031 CET	53	59094	162.159.36.2	192.168.2.6
Nov 10, 2024 12:38:47.477428913 CET	53170	53	192.168.2.6	1.1.1.1
Nov 10, 2024 12:38:47.484446049 CET	53	53170	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 10, 2024 12:38:47.477428913 CET	192.168.2.6	1.1.1.1	0xe56a	Standard query (0)	241.42.69.40.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 10, 2024 12:38:47.484446049 CET	1.1.1.1	192.168.2.6	0xe56a	Name error (3)	241.42.69.40.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwEnumerateKey	INLINE	winlogon.exe, explorer.exe
NtQuerySystemInformation	INLINE	winlogon.exe, explorer.exe
ZwResumeThread	INLINE	winlogon.exe, explorer.exe
NtDeviceIoControlFile	INLINE	winlogon.exe, explorer.exe
ZwDeviceIoControlFile	INLINE	winlogon.exe, explorer.exe
NtEnumerateKey	INLINE	winlogon.exe, explorer.exe
NtQueryDirectoryFile	INLINE	winlogon.exe, explorer.exe
ZwEnumerateValueKey	INLINE	winlogon.exe, explorer.exe
ZwQuerySystemInformation	INLINE	winlogon.exe, explorer.exe
NtResumeThread	INLINE	winlogon.exe, explorer.exe
RtlGetNativeSystemInformation	INLINE	winlogon.exe, explorer.exe
NtQueryDirectoryFileEx	INLINE	winlogon.exe, explorer.exe
NtEnumerateValueKey	INLINE	winlogon.exe, explorer.exe
ZwQueryDirectoryFileEx	INLINE	winlogon.exe, explorer.exe
ZwQueryDirectoryFile	INLINE	winlogon.exe, explorer.exe

Processes

Process: winlogon.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID:	0
Start time:	06:37:57
Start date:	10/11/2024
Path:	C:\Users\user\Desktop\setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\setup.exe"
Imagebase:	0x7ff6e94a0000
File size:	5'617'152 bytes
MD5 hash:	1274CBCD6329098F79A3BE6D76AB8B97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:37:58
Start date:	10/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:37:58
Start date:	10/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:38:00
Start date:	10/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	06:38:01
Start date:	10/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Imagebase:	0x7ff766cd0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:38:01
Start date:	10/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:38:01
Start date:	10/11/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff63b810000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:38:01
Start date:	10/11/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff63b810000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:38:01
Start date:	10/11/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff63b810000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:38:01
Start date:	10/11/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop bits
Imagebase:	0x7ff63b810000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:38:01
Start date:	10/11/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop dosvc
Imagebase:	0x7ff63b810000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:38:01
Start date:	10/11/2024
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dialer.exe
Imagebase:	0x7ff6fb2c0000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	06:38:01
Start date:	10/11/2024
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff70f350000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	06:38:02
Start date:	10/11/2024
Path:	C:\Program Files\Google\Chrome\updater.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\updater.exe"
Imagebase:	0x7ff63de70000
File size:	5'617'152 bytes
MD5 hash:	1274CBCD6329098F79A3BE6D76AB8B97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	06:38:02
Start date:	10/11/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff7ac940000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	06:38:02
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	06:38:03
Start date:	10/11/2024
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff68eb30000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	06:38:04
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	06:38:04
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	06:38:04
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	06:38:05
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	06:38:05
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	06:38:05
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	06:38:06
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	06:38:06
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	06:38:07
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	06:38:07
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	06:38:07
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	06:38:07
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	06:38:07
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	06:38:08
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	06:38:08
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	06:38:08
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	06:38:08
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	06:38:08
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	06:38:09
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	06:38:09
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	06:38:09
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	06:38:09
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	06:38:10
Start date:	10/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 00007FF6E94A12FD Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145012600.00007FF6E94A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E94A0000, based on PE: true

Associated: 00000000.00000002.2144974995.00007FF6E94A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145158691.00007FF6E94A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145201376.00007FF6E94D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145764298.00007FF6E99F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145792520.00007FF6E99FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145827736.00007FF6E99FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145855515.00007FF6E9A03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2145877143.00007FF6E9A04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e94a0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2382d73125df78936d26452b80bcba07539e5c8c97af36270da171beb56e3f
Instruction ID: 4ccb7815166216860ef7553fb942e437498505dfd8473c6ec040d00bff41f98f
Opcode Fuzzy Hash: 8e2382d73125df78936d26452b80bcba07539e5c8c97af36270da171beb56e3f
Instruction Fuzzy Hash: EFB01272A04605C4E3002F01D8413BC33206F1C700F500830D40C43353CEBED0548716

Analysis Process: WmiPrvSE.exePID: 2216, Parent PID: 752COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	56.8%
Total number of Nodes:	74
Total number of Limit Nodes:	2

Executed Functions

Function 000001B1C6AC328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001B1C6AC32AE
PathFindFileNameW.SHLWAPI ref: 000001B1C6AC32BD

Part of subcall function 000001B1C6AC3844: StrCmpNIW.SHLWAPI ref: 000001B1C6AC385C

Part of subcall function 000001B1C6AC3790: GetModuleHandleW.KERNEL32 ref: 000001B1C6AC379E
Part of subcall function 000001B1C6AC3790: GetCurrentProcess.KERNEL32 ref: 000001B1C6AC37CC
Part of subcall function 000001B1C6AC3790: VirtualProtectEx.KERNEL32 ref: 000001B1C6AC37EE
Part of subcall function 000001B1C6AC3790: GetCurrentProcess.KERNEL32 ref: 000001B1C6AC3809
Part of subcall function 000001B1C6AC3790: VirtualProtectEx.KERNEL32 ref: 000001B1C6AC382A

CreateThread.KERNEL32 ref: 000001B1C6AC330B

Part of subcall function 000001B1C6AC1D14: GetCurrentThread.KERNEL32 ref: 000001B1C6AC1D1F

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 97bbd69e84afed8c7ba40225508ceb979657183efe982b2f29f8e0f2a99c2368
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: EB11C430694600B2F760AB21F8743D97A94BB94344FD29D24FB0E836A9EF7AF0548200

Function 000001B1C6AC1ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001B1C6AC1628: GetProcessHeap.KERNEL32 ref: 000001B1C6AC1633
Part of subcall function 000001B1C6AC1628: HeapAlloc.KERNEL32 ref: 000001B1C6AC1642
Part of subcall function 000001B1C6AC1628: RegOpenKeyExW.ADVAPI32 ref: 000001B1C6AC16B2
Part of subcall function 000001B1C6AC1628: RegOpenKeyExW.ADVAPI32 ref: 000001B1C6AC16DF
Part of subcall function 000001B1C6AC1628: RegCloseKey.ADVAPI32 ref: 000001B1C6AC16F9
Part of subcall function 000001B1C6AC1628: RegOpenKeyExW.ADVAPI32 ref: 000001B1C6AC1719
Part of subcall function 000001B1C6AC1628: RegCloseKey.ADVAPI32 ref: 000001B1C6AC1734
Part of subcall function 000001B1C6AC1628: RegOpenKeyExW.ADVAPI32 ref: 000001B1C6AC1754
Part of subcall function 000001B1C6AC1628: RegCloseKey.ADVAPI32 ref: 000001B1C6AC176F
Part of subcall function 000001B1C6AC1628: RegOpenKeyExW.ADVAPI32 ref: 000001B1C6AC178F
Part of subcall function 000001B1C6AC1628: RegCloseKey.ADVAPI32 ref: 000001B1C6AC17AA
Part of subcall function 000001B1C6AC1628: RegOpenKeyExW.ADVAPI32 ref: 000001B1C6AC17CA

Sleep.KERNEL32 ref: 000001B1C6AC1AD7
SleepEx.KERNELBASE ref: 000001B1C6AC1ADD

Part of subcall function 000001B1C6AC1628: RegCloseKey.ADVAPI32 ref: 000001B1C6AC17E5
Part of subcall function 000001B1C6AC1628: RegOpenKeyExW.ADVAPI32 ref: 000001B1C6AC1805
Part of subcall function 000001B1C6AC1628: RegCloseKey.ADVAPI32 ref: 000001B1C6AC1820
Part of subcall function 000001B1C6AC1628: RegOpenKeyExW.ADVAPI32 ref: 000001B1C6AC1840
Part of subcall function 000001B1C6AC1628: RegCloseKey.ADVAPI32 ref: 000001B1C6AC185B
Part of subcall function 000001B1C6AC1628: RegOpenKeyExW.ADVAPI32 ref: 000001B1C6AC187B
Part of subcall function 000001B1C6AC1628: RegCloseKey.ADVAPI32 ref: 000001B1C6AC1896
Part of subcall function 000001B1C6AC1628: RegCloseKey.ADVAPI32 ref: 000001B1C6AC18A0

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 9e69a504b9330ae095c2a23997ba96dfb8a8250ef7ee54ba0e58d16e6b8b3350
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 56310F7138064571FB509B26DA713E97BA4AB84BD0F865C21AE0D8739AFF25EC61C610

Function 000001B1C6AC3844 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 000001B1C6AC385C

Strings

dialer, xrefs: 000001B1C6AC3855

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction ID: 3c6af229386a8a50520a5aa76ff11266ea397b7ae97ed6923405ed7616839ef6
Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction Fuzzy Hash: 7FD0A774391205B7FF14DFA788E4AE47B60FB18744FC95420EA0843154DB19F98D9B10

Function 000001B1C6A9273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001B1C6A9285E

Memory Dump Source

Source File: 00000004.00000002.3393309014.000001B1C6A90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B1C6A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6a90000_WmiPrvSE.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 002c636410fc6ffa28e3e40eda552596c8e2645a43c1401c2a59c000ed58e572
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 5C61563AB692D097DB58CF15D0207AD7B92F754BB4FA98921EE5D03788DB38E852C700

Non-executed Functions

Function 000001B1C6AC1628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001B1C6AC1633
HeapAlloc.KERNEL32 ref: 000001B1C6AC1642

Part of subcall function 000001B1C6AC1268: GetProcessHeap.KERNEL32 ref: 000001B1C6AC126E
Part of subcall function 000001B1C6AC1268: HeapAlloc.KERNEL32 ref: 000001B1C6AC127D
Part of subcall function 000001B1C6AC1268: GetProcessHeap.KERNEL32 ref: 000001B1C6AC1297
Part of subcall function 000001B1C6AC1268: HeapAlloc.KERNEL32 ref: 000001B1C6AC12A8

RegOpenKeyExW.ADVAPI32 ref: 000001B1C6AC16B2
RegOpenKeyExW.ADVAPI32 ref: 000001B1C6AC16DF
RegCloseKey.ADVAPI32 ref: 000001B1C6AC16F9
RegOpenKeyExW.ADVAPI32 ref: 000001B1C6AC1719
RegCloseKey.ADVAPI32 ref: 000001B1C6AC1734
RegOpenKeyExW.ADVAPI32 ref: 000001B1C6AC1754
RegCloseKey.ADVAPI32 ref: 000001B1C6AC176F
RegOpenKeyExW.ADVAPI32 ref: 000001B1C6AC178F
RegCloseKey.ADVAPI32 ref: 000001B1C6AC17AA
RegOpenKeyExW.ADVAPI32 ref: 000001B1C6AC17CA
RegCloseKey.ADVAPI32 ref: 000001B1C6AC17E5
RegOpenKeyExW.ADVAPI32 ref: 000001B1C6AC1805
RegCloseKey.ADVAPI32 ref: 000001B1C6AC1820
RegOpenKeyExW.ADVAPI32 ref: 000001B1C6AC1840
RegCloseKey.ADVAPI32 ref: 000001B1C6AC185B
RegOpenKeyExW.ADVAPI32 ref: 000001B1C6AC187B
RegCloseKey.ADVAPI32 ref: 000001B1C6AC1896
RegCloseKey.ADVAPI32 ref: 000001B1C6AC18A0

Part of subcall function 000001B1C6AC12BC: RegQueryInfoKeyW.ADVAPI32 ref: 000001B1C6AC1319
Part of subcall function 000001B1C6AC12BC: GetProcessHeap.KERNEL32 ref: 000001B1C6AC1327
Part of subcall function 000001B1C6AC12BC: HeapAlloc.KERNEL32 ref: 000001B1C6AC1338
Part of subcall function 000001B1C6AC12BC: RegEnumValueW.ADVAPI32 ref: 000001B1C6AC1397
Part of subcall function 000001B1C6AC12BC: GetProcessHeap.KERNEL32 ref: 000001B1C6AC13DF
Part of subcall function 000001B1C6AC12BC: HeapAlloc.KERNEL32 ref: 000001B1C6AC13ED
Part of subcall function 000001B1C6AC12BC: GetProcessHeap.KERNEL32 ref: 000001B1C6AC140A
Part of subcall function 000001B1C6AC12BC: HeapFree.KERNEL32 ref: 000001B1C6AC1418
Part of subcall function 000001B1C6AC12BC: lstrlenW.KERNEL32 ref: 000001B1C6AC1421
Part of subcall function 000001B1C6AC12BC: GetProcessHeap.KERNEL32 ref: 000001B1C6AC142F
Part of subcall function 000001B1C6AC12BC: HeapAlloc.KERNEL32 ref: 000001B1C6AC143D

Strings

udp, xrefs: 000001B1C6AC1874
startup, xrefs: 000001B1C6AC16D5
paths, xrefs: 000001B1C6AC1788
process_names, xrefs: 000001B1C6AC174D
service_names, xrefs: 000001B1C6AC17C3
tcp_local, xrefs: 000001B1C6AC17FE
SOFTWARE\dialerconfig, xrefs: 000001B1C6AC1692
tcp_remote, xrefs: 000001B1C6AC1839
pid, xrefs: 000001B1C6AC1712

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 4268d1acd38a6d69d0aa65e2f45344c97399848087cd0fb6de6cb85b2a853881
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 1E716F36350E10A6EB109F25E8A06DD3BB4FB94B88F826921FE4E47B68DF35D854C740

Function 000001B1C6AC2B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000001B1C6AC2BD0
lstrlenW.KERNEL32 ref: 000001B1C6AC2E0A

Part of subcall function 000001B1C6AC199C: OpenProcess.KERNEL32 ref: 000001B1C6AC19C2
Part of subcall function 000001B1C6AC199C: K32GetModuleFileNameExW.KERNEL32 ref: 000001B1C6AC19E0
Part of subcall function 000001B1C6AC199C: PathFindFileNameW.SHLWAPI ref: 000001B1C6AC19EF
Part of subcall function 000001B1C6AC199C: lstrlenW.KERNEL32 ref: 000001B1C6AC19FB
Part of subcall function 000001B1C6AC199C: StrCpyW.SHLWAPI ref: 000001B1C6AC1A0E
Part of subcall function 000001B1C6AC199C: CloseHandle.KERNEL32 ref: 000001B1C6AC1A1C

GetProcAddress.KERNEL32 ref: 000001B1C6AC2BE5

Part of subcall function 000001B1C6AC152C: StrCmpIW.SHLWAPI ref: 000001B1C6AC155D

Part of subcall function 000001B1C6AC3844: StrCmpNIW.SHLWAPI ref: 000001B1C6AC385C

StrCmpNIW.SHLWAPI ref: 000001B1C6AC2C28
lstrlenW.KERNEL32 ref: 000001B1C6AC2D50

Strings

NtQueryObject, xrefs: 000001B1C6AC2BDB
\Device\Nsi, xrefs: 000001B1C6AC2C1B
ntdll.dll, xrefs: 000001B1C6AC2BC9

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: 22ed3a06bedcebe6aba735482cd97ed782bdf9368f46984893dd38028cdc8eb2
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: D5B1E032258A50B2EB69CF25C4607E97BA4FB55B84F865816FE0D63798EF36EC40C340

Function 000001B1C6AC7D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001B1C6AC7DAC
RtlCaptureContext.NTDLL ref: 000001B1C6AC7DD9
RtlLookupFunctionEntry.NTDLL ref: 000001B1C6AC7DF3
RtlVirtualUnwind.NTDLL ref: 000001B1C6AC7E34
IsDebuggerPresent.KERNEL32 ref: 000001B1C6AC7E88
SetUnhandledExceptionFilter.KERNEL32 ref: 000001B1C6AC7EA9
UnhandledExceptionFilter.KERNEL32 ref: 000001B1C6AC7EB4

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: 317df0a15267c9fa474001083f3c8d1baf619b88aa9a08f244a7dba71325071b
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 2B318372245B80AAEB609F60E8603ED77A0F795748F85482AEB4D47B98EF38D548C710

Function 000001B1C6ACD2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001B1C6ACD31D
RtlLookupFunctionEntry.NTDLL ref: 000001B1C6ACD335
RtlVirtualUnwind.NTDLL ref: 000001B1C6ACD370
IsDebuggerPresent.KERNEL32 ref: 000001B1C6ACD3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 000001B1C6ACD3B3
UnhandledExceptionFilter.KERNEL32 ref: 000001B1C6ACD3BE

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 3bc0bdfb2646163a9add036108dd2c71ef610d25bba207ea85a68d4bfad8cf32
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: D931B132254F80A6EB60DF25E8503DE7BA0F789758F910526FA9D43BA8DF38D145CB00

Function 000001B1C6AC7960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001B1C6AC798C
GetCurrentThreadId.KERNEL32 ref: 000001B1C6AC799A
GetCurrentProcessId.KERNEL32 ref: 000001B1C6AC79A6
QueryPerformanceCounter.KERNEL32 ref: 000001B1C6AC79B6

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 8f7b8daffe220ae89f21292abc9ab5e05f75f5fc4e327aa01d51f29665194078
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: D2112A32750F019AEB00CF60E8643A837A4F719758F851E21EA6D477A4DB78D5A88380

Function 000001B1C6AD44A8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000001B1C6AD46F7
RaiseException.KERNEL32 ref: 000001B1C6AD4708

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 91c45a23742243141810e6f77c67a66073dfa56da4d49e6a277af36b1acf7cf1
Instruction ID: 3f6b44b28d2ecea207336db961fd745a2605a5cc19f467aa1e33c6d960ffeb78
Opcode Fuzzy Hash: 91c45a23742243141810e6f77c67a66073dfa56da4d49e6a277af36b1acf7cf1
Instruction Fuzzy Hash: 7AB15B77600B889FEB15CF29C89639C3BA0F784B48F568911EB6E877A4CB39D851C701

Function 000001B1C6AA38A8 Relevance: 1.7, APIs: 1, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000001B1C6AA3AF7

Memory Dump Source

Source File: 00000004.00000002.3393309014.000001B1C6A90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B1C6A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6a90000_WmiPrvSE.jbxd

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: 91c45a23742243141810e6f77c67a66073dfa56da4d49e6a277af36b1acf7cf1
Instruction ID: 9ac947b349dfdba859e667aebfab9aac7517027d1a242ec63eef34f11cd6c2ae
Opcode Fuzzy Hash: 91c45a23742243141810e6f77c67a66073dfa56da4d49e6a277af36b1acf7cf1
Instruction Fuzzy Hash: E9B15C73201B888BEB15CF29C89639C7BE1F344B58F568916EB9D837A5CB3AD451CB00

Function 000001B1C6ACDCE0 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
Instruction ID: 8011c5629240d9c3cae9c091d5e9331bd5437e590ee7448d0f5bc64f2d69fc4c
Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
Instruction Fuzzy Hash: CC51D132740690A9FB20AB72A8507DA7FE1F7847A8F954919FE5C27B99DB39D401C700

Function 000001B1C6A91F2C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3393309014.000001B1C6A90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B1C6A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6a90000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede98a6d8d02e88a1d8b84a5c6c80a15dedc9657b0a7b1a34b363c45f1d0dee8
Instruction ID: c8064cbe6074745e33a81e913246fc85839f831d9feb055e7417a8b6be06d54d
Opcode Fuzzy Hash: ede98a6d8d02e88a1d8b84a5c6c80a15dedc9657b0a7b1a34b363c45f1d0dee8
Instruction Fuzzy Hash: 0DB1033A2786D0A2EB648F25D8603E97BA4F744BA4FA65816FE0D53794DF35ED80C340

Function 000001B1C6A9D0E0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3393309014.000001B1C6A90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B1C6A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6a90000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
Instruction ID: 3af193a71facd2171e84c3cbd6cf60d9a395f281a1ca28127921831a82211769
Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
Instruction Fuzzy Hash: D651D036740AC0A9FB20AB72A8506DE7FA1F784799FA54914FE5D27B99CB38D441C700

Function 000001B1C6AA36F0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3393309014.000001B1C6A90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B1C6A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6a90000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
Instruction ID: 664d64dc3103cff79e1492e28aacd1bba788de2fb2f6c738fb9cca47f47b634c
Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
Instruction Fuzzy Hash: 4DF0F4716556949ADB988F28A4627697B91F348384FD0891AE68D83E14D73CD451CF04

Function 000001B1C6AC12BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001B1C6AC1319
GetProcessHeap.KERNEL32 ref: 000001B1C6AC1327
HeapAlloc.KERNEL32 ref: 000001B1C6AC1338
RegEnumValueW.ADVAPI32 ref: 000001B1C6AC1397

Part of subcall function 000001B1C6AC152C: StrCmpIW.SHLWAPI ref: 000001B1C6AC155D

GetProcessHeap.KERNEL32 ref: 000001B1C6AC13DF
HeapAlloc.KERNEL32 ref: 000001B1C6AC13ED
GetProcessHeap.KERNEL32 ref: 000001B1C6AC140A
HeapFree.KERNEL32 ref: 000001B1C6AC1418
lstrlenW.KERNEL32 ref: 000001B1C6AC1421
GetProcessHeap.KERNEL32 ref: 000001B1C6AC142F
HeapAlloc.KERNEL32 ref: 000001B1C6AC143D
StrCpyW.SHLWAPI ref: 000001B1C6AC145F
GetProcessHeap.KERNEL32 ref: 000001B1C6AC1476
HeapFree.KERNEL32 ref: 000001B1C6AC1484

Strings

d, xrefs: 000001B1C6AC135A

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: b740fa242cbf1f266e4526be60f7363d19b6e9ac65ae64164cce1d92dafaab22
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: A9516B76240B84A7EB50CF62E56839ABBA1F789F89F858524EA4D07728DF3CD449C710

Function 000001B1C6AC1D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000001B1C6AC1D1F

Part of subcall function 000001B1C6AC1FD4: GetModuleHandleA.KERNEL32 ref: 000001B1C6AC1FEC
Part of subcall function 000001B1C6AC1FD4: GetProcAddress.KERNEL32 ref: 000001B1C6AC1FFD

Part of subcall function 000001B1C6AC5B30: GetCurrentThreadId.KERNEL32 ref: 000001B1C6AC5B6B

Strings

NtQueryDirectoryFileEx, xrefs: 000001B1C6AC1D9C
advapi32.dll, xrefs: 000001B1C6AC1DF7, 000001B1C6AC1E18
NtQueryDirectoryFile, xrefs: 000001B1C6AC1D7F
NtResumeThread, xrefs: 000001B1C6AC1D62
NtEnumerateValueKey, xrefs: 000001B1C6AC1DD6
NtEnumerateKey, xrefs: 000001B1C6AC1DB9
NtDeviceIoControlFile, xrefs: 000001B1C6AC1E56
EnumServicesStatusExW, xrefs: 000001B1C6AC1E11, 000001B1C6AC1E32
EnumServiceGroupW, xrefs: 000001B1C6AC1DF0
ntdll.dll, xrefs: 000001B1C6AC1D2D
sechost.dll, xrefs: 000001B1C6AC1E39
NtQuerySystemInformation, xrefs: 000001B1C6AC1D45

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: d8095b84292e233ac819eb03bbfedb0b50098bbdc8a3da09472025dc51ed1e18
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: 163192742C4A4AB1EA04EF69EC716E43B60BB54348FC25C13F44D071AA9F79F659C391

Function 000001B1C6A96910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001B1C6A96938
__scrt_acquire_startup_lock.LIBCMT ref: 000001B1C6A9698A
_RTC_Initialize.LIBCMT ref: 000001B1C6A969B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001B1C6A969DE
__scrt_release_startup_lock.LIBCMT ref: 000001B1C6A96A09

Strings

`dynamic initializer for ', xrefs: 000001B1C6A969C7
scriptor', xrefs: 000001B1C6A96B39, 000001B1C6A96BB2, 000001B1C6A96BEC
`eh vector vbase copy constructor iterator', xrefs: 000001B1C6A969EE
`eh vector copy constructor iterator', xrefs: 000001B1C6A96A3B

Memory Dump Source

Source File: 00000004.00000002.3393309014.000001B1C6A90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B1C6A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6a90000_WmiPrvSE.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: f448be6a39feb2ef7bc56c0f5d618c5755ea43ff2293a3133e011f3e77ce9258
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 0781D279780281A6FA509B2594713D93EA0EF85780FF7AC25BA0D47BB7DB38F8458704

Function 000001B1C6ACCE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 000001B1C6ACCE37
FlsGetValue.KERNEL32(?,?,?,000001B1C6AD0A6B,?,?,?,000001B1C6AD045C,?,?,?,000001B1C6ACC84F), ref: 000001B1C6ACCE4C
FlsSetValue.KERNEL32(?,?,?,000001B1C6AD0A6B,?,?,?,000001B1C6AD045C,?,?,?,000001B1C6ACC84F), ref: 000001B1C6ACCE6D
FlsSetValue.KERNEL32(?,?,?,000001B1C6AD0A6B,?,?,?,000001B1C6AD045C,?,?,?,000001B1C6ACC84F), ref: 000001B1C6ACCE9A
FlsSetValue.KERNEL32(?,?,?,000001B1C6AD0A6B,?,?,?,000001B1C6AD045C,?,?,?,000001B1C6ACC84F), ref: 000001B1C6ACCEAB
FlsSetValue.KERNEL32(?,?,?,000001B1C6AD0A6B,?,?,?,000001B1C6AD045C,?,?,?,000001B1C6ACC84F), ref: 000001B1C6ACCEBC
SetLastError.KERNEL32 ref: 000001B1C6ACCED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001B1C6AD0A6B,?,?,?,000001B1C6AD045C,?,?,?,000001B1C6ACC84F), ref: 000001B1C6ACCF0D
FlsSetValue.KERNEL32(?,?,00000001,000001B1C6ACECCC,?,?,?,?,000001B1C6ACBF9F,?,?,?,?,?,000001B1C6AC7AB0), ref: 000001B1C6ACCF2C

Part of subcall function 000001B1C6ACD6CC: HeapAlloc.KERNEL32 ref: 000001B1C6ACD721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001B1C6AD0A6B,?,?,?,000001B1C6AD045C,?,?,?,000001B1C6ACC84F), ref: 000001B1C6ACCF54

Part of subcall function 000001B1C6ACD744: HeapFree.KERNEL32 ref: 000001B1C6ACD75A
Part of subcall function 000001B1C6ACD744: GetLastError.KERNEL32 ref: 000001B1C6ACD764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001B1C6AD0A6B,?,?,?,000001B1C6AD045C,?,?,?,000001B1C6ACC84F), ref: 000001B1C6ACCF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001B1C6AD0A6B,?,?,?,000001B1C6AD045C,?,?,?,000001B1C6ACC84F), ref: 000001B1C6ACCF76

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: c25bcbc689e24c66c1e3095cf70a305341d4106e748bd4568c7f8916963b8972
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: F64173302C164475FA68A73955723E93A815F467B0FD64F24B93F076EEDF2AF4118600

Function 000001B1C6AC2244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001B1C6AC2259
GetCurrentProcessId.KERNEL32 ref: 000001B1C6AC2263

Part of subcall function 000001B1C6AC1934: OpenProcess.KERNEL32 ref: 000001B1C6AC1952
Part of subcall function 000001B1C6AC1934: IsWow64Process.KERNEL32 ref: 000001B1C6AC1968
Part of subcall function 000001B1C6AC1934: CloseHandle.KERNEL32 ref: 000001B1C6AC1983

CreateFileW.KERNEL32 ref: 000001B1C6AC22BC
WriteFile.KERNEL32 ref: 000001B1C6AC22E4
ReadFile.KERNEL32 ref: 000001B1C6AC2303
CloseHandle.KERNEL32 ref: 000001B1C6AC230C

Strings

\\.\pipe\dialerchildproc32, xrefs: 000001B1C6AC2293
\\.\pipe\dialerchildproc64, xrefs: 000001B1C6AC228C

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 98e3922eac11cacbfc2a19cabede87a5eb414de4af235cdd8cf18581859dcf2e
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 35217C32658B40A3FB108B24F46439A7BA0F799BE4F914615FA5D03BA8CF3CE149CB01

Function 000001B1C6A99944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001B1C6A999A1

Part of subcall function 000001B1C6A9A814: __GetUnwindTryBlock.LIBCMT ref: 000001B1C6A9A857
Part of subcall function 000001B1C6A9A814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001B1C6A9A87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001B1C6A99A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001B1C6A99CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001B1C6A99DDA

Strings

csm, xrefs: 000001B1C6A99A9C
csm, xrefs: 000001B1C6A999BB
csm, xrefs: 000001B1C6A99A22

Memory Dump Source

Source File: 00000004.00000002.3393309014.000001B1C6A90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B1C6A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6a90000_WmiPrvSE.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 49ffe97ff2380bfb29351c53732f7f06ef1d3a3cf25e399ad2a6f644fe3eedb8
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: D0E1D13A640BC0AAEB60DF25D4903DD3BA0F749798FA60906FE8D47B99CB34E091C704

Function 000001B1C6ACA544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001B1C6ACA5A1

Part of subcall function 000001B1C6ACB414: __GetUnwindTryBlock.LIBCMT ref: 000001B1C6ACB457
Part of subcall function 000001B1C6ACB414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001B1C6ACB47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001B1C6ACA679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001B1C6ACA8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001B1C6ACA9DA

Strings

csm, xrefs: 000001B1C6ACA622
csm, xrefs: 000001B1C6ACA69C
csm, xrefs: 000001B1C6ACA5BB

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: 03422168af1b860ecf4f67d9a185186771ae888716f3b09531f1c6894cb59ddd
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 9AE18D72644B80BAEB209F69D4913ED7BA0F744B98F920915FF8D57B99CB36E481C700

Function 000001B1C6ACF394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32 ref: 000001B1C6ACF510
GetProcAddress.KERNEL32 ref: 000001B1C6ACF51C

Strings

api-ms-, xrefs: 000001B1C6ACF45A
ext-ms-, xrefs: 000001B1C6ACF46D

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: dd68129fc80123ccd890c035eb6b6910e33736fcaf356babbbf41ac8794ea16d
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: FF41E932391A1072FA15CF16AA207D53B95BB49BE0F874925BD0E87798EF39E4458310

Function 000001B1C6AC104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001B1C6AC10B1
RegEnumValueW.ADVAPI32 ref: 000001B1C6AC1117
GetProcessHeap.KERNEL32 ref: 000001B1C6AC115A
HeapAlloc.KERNEL32 ref: 000001B1C6AC1168
GetProcessHeap.KERNEL32 ref: 000001B1C6AC1185
HeapFree.KERNEL32 ref: 000001B1C6AC1193

Strings

d, xrefs: 000001B1C6AC10D6

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: fc23889e34bab73044a0d59cfcc22dee8f75a5e2c1deb83a1f3e770fbe4eaf75
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: C6418D33214B84E6E760CF65E45439A7BA1F388B88F848129EB8D07B58DF3DD849CB10

Function 000001B1C6ACD068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000001B1C6ACC7DE,?,?,?,?,?,?,?,?,000001B1C6ACCF9D,?,?,00000001), ref: 000001B1C6ACD087
FlsSetValue.KERNEL32(?,?,?,000001B1C6ACC7DE,?,?,?,?,?,?,?,?,000001B1C6ACCF9D,?,?,00000001), ref: 000001B1C6ACD0A6
FlsSetValue.KERNEL32(?,?,?,000001B1C6ACC7DE,?,?,?,?,?,?,?,?,000001B1C6ACCF9D,?,?,00000001), ref: 000001B1C6ACD0CE
FlsSetValue.KERNEL32(?,?,?,000001B1C6ACC7DE,?,?,?,?,?,?,?,?,000001B1C6ACCF9D,?,?,00000001), ref: 000001B1C6ACD0DF
FlsSetValue.KERNEL32(?,?,?,000001B1C6ACC7DE,?,?,?,?,?,?,?,?,000001B1C6ACCF9D,?,?,00000001), ref: 000001B1C6ACD0F0

Strings

Y%, xrefs: 000001B1C6ACD0A6
1%, xrefs: 000001B1C6ACD0CE

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: 36c8b79a06f3977a8ff02470e41d30a228c5a494f583a95489321fa1baa1510b
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: 5C114F3068469471FA68A72959713E979815B447F0FD64B24F82E076DEDF2AE812C600

Function 000001B1C6AC7510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001B1C6AC7538
__scrt_acquire_startup_lock.LIBCMT ref: 000001B1C6AC758A
_RTC_Initialize.LIBCMT ref: 000001B1C6AC75B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001B1C6AC75DE
__scrt_release_startup_lock.LIBCMT ref: 000001B1C6AC7609

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 04987082a9ea673c8b8c9cbaea48ff1c48f52f097e92d6e5a47ec4460310f59b
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: EE81D331680605B6FB50AB2998713E97ED0AB95780FD74C15FA0D477AFEB3AE845C700

Function 000001B1C6AC9DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000001B1C6AC9E49
GetLastError.KERNEL32 ref: 000001B1C6AC9E57
LoadLibraryExW.KERNEL32 ref: 000001B1C6AC9E81
FreeLibrary.KERNEL32 ref: 000001B1C6AC9EC7
GetProcAddress.KERNEL32 ref: 000001B1C6AC9ED3

Strings

api-ms-, xrefs: 000001B1C6AC9E69

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 507661ff5144f00537b451bfe7be827fbc1386f3c62502647a7bf8c6b235eba2
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 0631C331292B40F1EE12DB46A4207D53B94B769BA0F9B4D25FD2F0B798EF3AE4458314

Function 000001B1C6AD3DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001B1C6AD3DE5
GetLastError.KERNEL32 ref: 000001B1C6AD3DF1
CloseHandle.KERNEL32 ref: 000001B1C6AD3E09
CreateFileW.KERNEL32 ref: 000001B1C6AD3E34
WriteConsoleW.KERNEL32 ref: 000001B1C6AD3E53

Strings

CONOUT$, xrefs: 000001B1C6AD3E15

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: be3b0f8887062391fe1ae4cf53451e7235dccab882c1012ef0e111b28c801182
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: CB11C132350B4093E7508B56E864399BBA0F799FE4F854A24FA1E877A4CF78D8148741

Function 000001B1C6AC3790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001B1C6AC379E
GetCurrentProcess.KERNEL32 ref: 000001B1C6AC37CC
VirtualProtectEx.KERNEL32 ref: 000001B1C6AC37EE
GetCurrentProcess.KERNEL32 ref: 000001B1C6AC3809
VirtualProtectEx.KERNEL32 ref: 000001B1C6AC382A

Strings

wr, xrefs: 000001B1C6AC37FF

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: b7bac0445357c990dfe6a6ac8974f74b321709d00a38a4d420291f54e7b77e09
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 9C118E36340B41E3EF549B15F4246A97AA0F748B84F864828EF8D037A8EF3ED505C704

Function 000001B1C6AC5B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001B1C6AC5B6B
GetThreadContext.KERNEL32 ref: 000001B1C6AC5CD5

Part of subcall function 000001B1C6AC5960: GetCurrentThreadId.KERNEL32 ref: 000001B1C6AC5964

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: 21a945ff8aa95bc20dcaf915828ad5ba8adac9587035b97c77f03359aa361f3b
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: F9D1AA36248B88A5DA70DB06E4A039A7FA0F7C8B84F510516FACD47BA9DF3DD551CB40

Function 000001B1C6AC2F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001B1C6AC2F27
HeapAlloc.KERNEL32 ref: 000001B1C6AC2F3A
StrCmpNIW.SHLWAPI ref: 000001B1C6AC2FAF
GetProcessHeap.KERNEL32 ref: 000001B1C6AC3015
HeapFree.KERNEL32 ref: 000001B1C6AC3023

Strings

dialer, xrefs: 000001B1C6AC2FA8

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: b8accb6ef8aff5d08221ad3f8d0c44c472a000bb793e6ed3b1d0bc9fce79a5c1
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: 0F31C236345B55B7E610CF16E5607A97BA0FB54B80F8A4820BF4C47B59EF35E461C740

Function 000001B1C6AC14A4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001B1C6AC14C5
HeapFree.KERNEL32 ref: 000001B1C6AC14D4
GetProcessHeap.KERNEL32 ref: 000001B1C6AC14E1
HeapFree.KERNEL32 ref: 000001B1C6AC14F0
GetProcessHeap.KERNEL32 ref: 000001B1C6AC1500

Strings

C:\Windows\system32\wbem\wmiprvse.exe, xrefs: 000001B1C6AD61A9, 000001B1C6AD61B1

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: Heap$Process$Free
String ID: C:\Windows\system32\wbem\wmiprvse.exe
API String ID: 3168794593-1259001766
Opcode ID: 335002606d0c58216c4b7b8c214cf2e956f7ef49abbb5e195d674a66fc258290
Instruction ID: d7fc4e1b615de034072dde7412f8cffbe11dec46ef61a794af04bdf23f84ccac
Opcode Fuzzy Hash: 335002606d0c58216c4b7b8c214cf2e956f7ef49abbb5e195d674a66fc258290
Instruction Fuzzy Hash: 1C21E377588AC0ABE250DF2598652C87FA0F766B44F8B5816FB4D43263DB25E4058712

Function 000001B1C6ACCFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001B1C6ACCFAF
FlsSetValue.KERNEL32(?,?,?,000001B1C6ACD6B5,?,?,?,?,000001B1C6ACD778), ref: 000001B1C6ACCFE5
FlsSetValue.KERNEL32(?,?,?,000001B1C6ACD6B5,?,?,?,?,000001B1C6ACD778), ref: 000001B1C6ACD012
FlsSetValue.KERNEL32(?,?,?,000001B1C6ACD6B5,?,?,?,?,000001B1C6ACD778), ref: 000001B1C6ACD023
FlsSetValue.KERNEL32(?,?,?,000001B1C6ACD6B5,?,?,?,?,000001B1C6ACD778), ref: 000001B1C6ACD034
SetLastError.KERNEL32 ref: 000001B1C6ACD04F

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 613b65d7407ab29ee997d2a634b99022eeb73a04cedac2c3ab4eff958ab3b09c
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: F6115130280690B2FA64672955753E979815F587F0FD64F24F83F476DEDF6AE411C600

Function 000001B1C6AC199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001B1C6AC19C2
K32GetModuleFileNameExW.KERNEL32 ref: 000001B1C6AC19E0
PathFindFileNameW.SHLWAPI ref: 000001B1C6AC19EF
lstrlenW.KERNEL32 ref: 000001B1C6AC19FB
StrCpyW.SHLWAPI ref: 000001B1C6AC1A0E
CloseHandle.KERNEL32 ref: 000001B1C6AC1A1C

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: 980cae9893c77f6852d200de1b4d3d05c7231acfb2edd9e2958734afd52be645
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 8A018C31340A40A2EB10DB52A868399BBA1F798FC0FC94835EE4D43768DF3CD989C700

Function 000001B1C6AC36C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001B1C6AC36E4
GetCurrentProcess.KERNEL32 ref: 000001B1C6AC36F2
VirtualProtectEx.KERNEL32 ref: 000001B1C6AC3714
GetCurrentProcess.KERNEL32 ref: 000001B1C6AC3732
VirtualProtectEx.KERNEL32 ref: 000001B1C6AC3753
TerminateThread.KERNEL32 ref: 000001B1C6AC3762

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 0b6985639906f41542042cdb8bd04432224b9c4183cad2879d4c7ae577c5bdcd
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 66018078351744E7FF249B22E8283953BA0BB55B82F864824EE4D07764EF3DE108C700

Function 000001B1C6AC9005 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001B1C6AC9013
_IsNonwritableInCurrentImage.LIBCMT ref: 000001B1C6AC90A8
RtlUnwindEx.NTDLL ref: 000001B1C6AC90F7

Strings

csm, xrefs: 000001B1C6AC908E
f, xrefs: 000001B1C6AC9026

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: df30bac812e705aa93aabe8828380b214c73b4065404643d2704264535ea0798
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 7851D632741200BBDB94CF19D459B983B99F344B88F938924EA0F4374CDB36E941C718

Function 000001B1C6AC8FE8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001B1C6AC9013
_IsNonwritableInCurrentImage.LIBCMT ref: 000001B1C6AC90A8
RtlUnwindEx.NTDLL ref: 000001B1C6AC90F7

Strings

csm, xrefs: 000001B1C6AC908E
f, xrefs: 000001B1C6AC9026

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: cce8c978aea041559edddc82bfa948f1282a875985ba24eb681de7d9aa7576ea
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 6631AD32280640B6E754DF16E8687997FA9F744B88F868814FE4F0778DDB3AE941C709

Function 000001B1C6AC1A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001B1C6AC1A60
StrCmpNIW.SHLWAPI ref: 000001B1C6AC1A7A
lstrlenW.KERNEL32 ref: 000001B1C6AC1A89
StrCpyW.SHLWAPI ref: 000001B1C6AC1A9E

Strings

\\?\, xrefs: 000001B1C6AC1A6E

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 03f469b15207bf167db16f7c03a254700214e32310a71833cc3ed4b89b73cac2
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 37F04F32344641A3EB609B21F8A47D97B60F798B88FC59420EA4D47968DF3DDA8DCB00

Function 000001B1C6AC3044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000001B1C6AC3066
StrCpyW.SHLWAPI ref: 000001B1C6AC3076
StrCatW.SHLWAPI ref: 000001B1C6AC3082
PathCombineW.SHLWAPI ref: 000001B1C6AC3090

Strings

\\.\pipe\, xrefs: 000001B1C6AC305C

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: b227b671d4e67eed1ded54a60a1f2944a386c55b893f6d14d4ba41f5df64ea97
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: C3F08231344B80A3EA008F13B924199BA60BB58FC0F856830FE4E07B28DF3CD4458701

Function 000001B1C6ACBC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001B1C6ACBCBD
GetProcAddress.KERNEL32 ref: 000001B1C6ACBCD3
FreeLibrary.KERNEL32 ref: 000001B1C6ACBCFA

Strings

mscoree.dll, xrefs: 000001B1C6ACBCB4
CorExitProcess, xrefs: 000001B1C6ACBCCC

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: b125ed205e92b6aa361d0616ba8bcff5924271551aa4aa233fa3444cb924b2f5
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 05F0F631350704A3EB148B24E4643D97B30EB98BA4FC51A19EA6E071F4DF3DE444C300

Function 000001B1C6AC50D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001B1C6AC5156

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: 76e6d0fae13c16938a2042db75b79b27a2090ae1ab8243c23e18f414bb2a82e2
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: 6202E832259B8496EB60CB59F4A079ABBA0F3C4794F510415FA8E87BA8DF7DD494CF00

Function 000001B1C6AC5710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001B1C6AC5726

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: 35ce9029f31d81feaf5b095a57c3b8cbe4a42b2023ddab7b93e285dbfca3c628
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: 71613C36558B40E6EB60CB15E46075ABFE0F388784F910915FA8E47BA8CB7DD8A4CF00

Function 000001B1C6AA3504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001B1C6AA352C
_set_statfp.LIBCMT ref: 000001B1C6AA3547
_set_statfp.LIBCMT ref: 000001B1C6AA3563
_set_statfp.LIBCMT ref: 000001B1C6AA359F

Memory Dump Source

Source File: 00000004.00000002.3393309014.000001B1C6A90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B1C6A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6a90000_WmiPrvSE.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: f4eeeacd04ecb2e41daef18e56ffc623bd7f242eef64ab5e9261f1e0d73ab7ae
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 4C118632990A1339FA54151CD4773FD39D0EB58374ECA4E2ABB6E872D78764E4455D00

Function 000001B1C6AD4104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001B1C6AD412C
_set_statfp.LIBCMT ref: 000001B1C6AD4147
_set_statfp.LIBCMT ref: 000001B1C6AD4163
_set_statfp.LIBCMT ref: 000001B1C6AD419F

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 7d70fbecd9576c303d4b39871392893d72113701f3f254669319dea053847bc6
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 9E119432AD0B903BF6641568D4763E93950EF783F8FCA0F24B57E076D68B24E8514162

Function 000001B1C6A9F040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001B1C6A9F124

Strings

or copy constructor iterator', xrefs: 000001B1C6A9F25A, 000001B1C6A9F275
Wednesday, xrefs: 000001B1C6A9F1ED
Tuesday, xrefs: 000001B1C6A9F0F4

Memory Dump Source

Source File: 00000004.00000002.3393309014.000001B1C6A90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B1C6A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6a90000_WmiPrvSE.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 8a0ca9d721b6eb4e3af4553f2d7ae5330e92f94a7d645c0b3bcfa555b6c20a00
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: D661B27E6846C062FA699B24D4703EE7EA1E78A740FF74C15FA1E077A4EB34E8418350

Function 000001B1C6ACAA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001B1C6ACAA68
_CallSETranslator.LIBVCRUNTIME ref: 000001B1C6ACAAB7

Strings

RCC, xrefs: 000001B1C6ACAA85
MOC, xrefs: 000001B1C6ACAA7C

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 784af5eb1faade5d558cda6845aa0a2f8ff390df7549530575874daebdd5e33b
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: A5616932A04B84AAEB20DF65D4503ED7BA0F388B8CF454A15EF4E17B99DB39E595C700

Function 000001B1C6A9A178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001B1C6A9A1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001B1C6A9A288

Strings

csm, xrefs: 000001B1C6A9A1C2
csm, xrefs: 000001B1C6A9A2DA

Memory Dump Source

Source File: 00000004.00000002.3393309014.000001B1C6A90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B1C6A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6a90000_WmiPrvSE.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: bf2f027a5753205f0198892e719a1bc36210c3e55530b43b2422f9943f9932ee
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 3251A03E1403C0EAEB649B269464399BBA0F355B84FAA5917FB9D87BD5CB38E450C700

Function 000001B1C6ACAD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001B1C6ACADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001B1C6ACAE88

Strings

csm, xrefs: 000001B1C6ACADC2
csm, xrefs: 000001B1C6ACAEDA

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 6ebdfb4ec8773dcd7a1e5f40637557e9561884987d3c95976d2b8ef0e27961e7
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: B151CF72180280BAEB648F1595A43A87BA0F755BC4F964915FB8D47BD9CB39E450C740

Function 000001B1C6A98405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001B1C6A98413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001B1C6A984A8

Strings

csm, xrefs: 000001B1C6A9848E
f, xrefs: 000001B1C6A98426

Memory Dump Source

Source File: 00000004.00000002.3393309014.000001B1C6A90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B1C6A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6a90000_WmiPrvSE.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: bb2fe3d6429b31a73479642f3f874b8b7d8025426b33db784f0b649a527e6008
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 0251D33A741280ABDB58CF15E454B9C3B95F350B98FA28D25FA1F47788EB34E844CB04

Function 000001B1C6A983E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001B1C6A98413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001B1C6A984A8

Strings

csm, xrefs: 000001B1C6A9848E
f, xrefs: 000001B1C6A98426

Memory Dump Source

Source File: 00000004.00000002.3393309014.000001B1C6A90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B1C6A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6a90000_WmiPrvSE.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: c533ce58de8cfd1016b4ab9f1dc4d9656fa7d107685e85ab233b76a0693b69c2
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 9531BF36241780A6E759DF11E86479D7BA8F740B88FA68C14FE5F47789DB38E940CB04

Function 000001B1C6AD2058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001B1C6AD20D7
WriteFile.KERNEL32 ref: 000001B1C6AD239F
WriteFile.KERNEL32 ref: 000001B1C6AD23E5
GetLastError.KERNEL32 ref: 000001B1C6AD249B

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: ec3ce314404d70993f5e4c9894c5ca3a44715a0dbf2e3b51f371d536b7763860
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: EED10072B18A80AAE711CFA9D4603DC3BB1F364798F818616EF5E97B99DB34D506C340

Function 000001B1C6AD2980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000001B1C6AD2A9C
GetLastError.KERNEL32 ref: 000001B1C6AD2B27

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: 3e488811482f005139fbe8b141cc474a38b6f147dba0c4b23f96e1ba0213d1cf
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: 0C91F432748650A6F760DF2584603ED3FA0F724B88F964909EF4E57AD5DB74E882C702

Function 000001B1C6AC253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001B1C6AC2620
StrCpyW.SHLWAPI ref: 000001B1C6AC2639

Strings

\\.\pipe\, xrefs: 000001B1C6AC262B

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 6b8293a93ef6df7e5789905b956b20c5c6fd56f2705e24314fcb02ddeae6df13
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: 6171BF36248781B6E7249F2598A43EA7B94F389B84F860426FE0D57B8DDF36E6458700

Function 000001B1C6A99E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001B1C6A99EB7

Strings

MOC, xrefs: 000001B1C6A99E7C
RCC, xrefs: 000001B1C6A99E85

Memory Dump Source

Source File: 00000004.00000002.3393309014.000001B1C6A90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B1C6A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6a90000_WmiPrvSE.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 2253ad4d16d751f3ada021f19c0b19e5337567deb8117d64d5f64436a18e0843
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 0661AC3BA00B84AAEB20DF65D0903DD7BA0F744B88F694A06EF4D17B98DB38E454C704

Function 000001B1C6AC2330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001B1C6AC2416
StrCpyW.SHLWAPI ref: 000001B1C6AC242D

Strings

\\.\pipe\, xrefs: 000001B1C6AC2421

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 2a206aeffeda2a39a30598c1543e0c20b9724c9ddfbc78ec32f9dce325111055
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: B351D33628C381B2E6249B29A5783EA7E51F385740FC60925EE5E03B5DCB3AE5048740

Function 000001B1C6AD26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001B1C6AD2807
GetLastError.KERNEL32 ref: 000001B1C6AD2829

Strings

U, xrefs: 000001B1C6AD27B3

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 6ffe1392b952c4f3879f674b061e7476ef3702aaf34cf104eff357a6618e0a32
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 3A41C432718A80A6EB20DF25E8543E9BBA0F7A8794F824421FF4D87798EB3CD441C741

Function 000001B1C6AC94A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001B1C6AC94F0
RaiseException.KERNEL32 ref: 000001B1C6AC9531

Strings

csm, xrefs: 000001B1C6AC951E

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 38f9546c50e4e3ebd441e610e11f5c84d752c88406199c83e476e62db676c861
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 7C118C36204B8492EB208F15F410399BBE0FB88B94F994621EF8D07B68DF3DC555CB04

Function 000001B1C6A97356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001B1C6A9737C

Strings

riptor at (, xrefs: 000001B1C6A97364
ierarchy Descriptor', xrefs: 000001B1C6A97381

Memory Dump Source

Source File: 00000004.00000002.3393309014.000001B1C6A90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B1C6A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6a90000_WmiPrvSE.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: bad4d4808b64bdb7a790b951e80baec918a62004558ab803e456f3639b9f1038
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: F7E086B1681B44A0DF018F21E8512DC37A0DB58B64F999522A95C0B312FB38E1E9C701

Function 000001B1C6A973B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001B1C6A973D8

Strings

riptor at (, xrefs: 000001B1C6A973C0
Locator', xrefs: 000001B1C6A973DD

Memory Dump Source

Source File: 00000004.00000002.3393309014.000001B1C6A90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B1C6A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6a90000_WmiPrvSE.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 62489b62b25fe473a36de41a71fc5381d4fdbc4919a257d61973101ba336363a
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 5AE086B1641B44A0DF058F21E4511DC7760E758B54FC99522D94C0B312EB38E1E5C300

Function 000001B1C6AC1BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001B1C6AC1C2D
HeapAlloc.KERNEL32 ref: 000001B1C6AC1C3B
GetProcessHeap.KERNEL32 ref: 000001B1C6AC1C77
HeapFree.KERNEL32 ref: 000001B1C6AC1C85

Part of subcall function 000001B1C6AC152C: StrCmpIW.SHLWAPI ref: 000001B1C6AC155D

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: 8c0da88e56fbf6e324f1e78663727557918132a6c129d742bd505db7ad998eb6
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: EE11C135701B44A2EA44CB66A8142A97BE0FB89FC0F8A4424FE4D43779DF39E842C300

Function 000001B1C6AC1268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001B1C6AC126E
HeapAlloc.KERNEL32 ref: 000001B1C6AC127D
GetProcessHeap.KERNEL32 ref: 000001B1C6AC1297
HeapAlloc.KERNEL32 ref: 000001B1C6AC12A8

Memory Dump Source

Source File: 00000004.00000002.3394196823.000001B1C6AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B1C6AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1b1c6ac0000_WmiPrvSE.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 9e0c168021f560b9a638885bb27f1370faf21859a7e4558a598f717a4ae150d2
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 4DE0923564160487EB048FA2D82838A3AE1FB9DF06F86D424DA1D07361DF7DD4D9C761

Analysis Process: dialer.exePID: 1172, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	47.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	38.1%
Total number of Nodes:	226
Total number of Limit Nodes:	22

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF6AFBE226C Relevance: 61.4, APIs: 27, Strings: 8, Instructions: 165
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6AFBE1F2C: StrCpyW.SHLWAPI ref: 00007FF6AFBE1F5D
Part of subcall function 00007FF6AFBE1F2C: StrCatW.SHLWAPI ref: 00007FF6AFBE1F6B
Part of subcall function 00007FF6AFBE1F2C: GetModuleHandleW.KERNEL32 ref: 00007FF6AFBE1F74
Part of subcall function 00007FF6AFBE1F2C: GetCurrentProcess.KERNEL32 ref: 00007FF6AFBE1F94
Part of subcall function 00007FF6AFBE1F2C: K32GetModuleInformation.KERNEL32 ref: 00007FF6AFBE1FA8
Part of subcall function 00007FF6AFBE1F2C: CreateFileW.KERNELBASE ref: 00007FF6AFBE1FD8
Part of subcall function 00007FF6AFBE1F2C: CreateFileMappingW.KERNELBASE ref: 00007FF6AFBE2002
Part of subcall function 00007FF6AFBE1F2C: MapViewOfFile.KERNELBASE ref: 00007FF6AFBE2025
Part of subcall function 00007FF6AFBE1F2C: lstrcmpiA.KERNEL32 ref: 00007FF6AFBE207B
Part of subcall function 00007FF6AFBE1F2C: CloseHandle.KERNELBASE ref: 00007FF6AFBE20E7
Part of subcall function 00007FF6AFBE1F2C: CloseHandle.KERNEL32 ref: 00007FF6AFBE20F0
Part of subcall function 00007FF6AFBE1F2C: FreeLibrary.KERNEL32 ref: 00007FF6AFBE20F9

Part of subcall function 00007FF6AFBE1F2C: VirtualProtect.KERNELBASE ref: 00007FF6AFBE20AE
Part of subcall function 00007FF6AFBE1F2C: VirtualProtect.KERNELBASE ref: 00007FF6AFBE20DE

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE228F
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE229F
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE22B9
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6AFBE22D0
AdjustTokenPrivileges.KERNELBASE ref: 00007FF6AFBE2308
GetLastError.KERNEL32 ref: 00007FF6AFBE2312
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE231B
FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE232F
SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE2346
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE235F
LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE2371
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE237E
RegCreateKeyExW.KERNELBASE ref: 00007FF6AFBE23BE
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF6AFBE23E5
RegSetKeySecurity.KERNELBASE ref: 00007FF6AFBE23FE
LocalFree.KERNEL32 ref: 00007FF6AFBE2408
RegCreateKeyExW.KERNELBASE ref: 00007FF6AFBE243E
GetCurrentProcessId.KERNEL32 ref: 00007FF6AFBE2448
RegSetValueExW.KERNELBASE ref: 00007FF6AFBE246F
RegCloseKey.KERNELBASE ref: 00007FF6AFBE2479
RegCloseKey.ADVAPI32 ref: 00007FF6AFBE2483
CreateThread.KERNELBASE ref: 00007FF6AFBE24A4
GetProcessHeap.KERNEL32 ref: 00007FF6AFBE24AA
HeapAlloc.KERNEL32 ref: 00007FF6AFBE24B9
CreateThread.KERNELBASE ref: 00007FF6AFBE24E8
CreateThread.KERNELBASE ref: 00007FF6AFBE2509
SleepEx.KERNELBASE ref: 00007FF6AFBE2511

Strings

kernel32.dll, xrefs: 00007FF6AFBE2283
SOFTWARE\dialerconfig, xrefs: 00007FF6AFBE2399
pid, xrefs: 00007FF6AFBE241B
D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 00007FF6AFBE23DE
svc64, xrefs: 00007FF6AFBE2452
SeDebugPrivilege, xrefs: 00007FF6AFBE22C9
ntdll.dll, xrefs: 00007FF6AFBE2277
DLL, xrefs: 00007FF6AFBE2321

Memory Dump Source

Source File: 0000000C.00000002.3379453219.00007FF6AFBE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6AFBE0000, based on PE: true

Associated: 0000000C.00000002.3378869560.00007FF6AFBE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380018046.00007FF6AFBE3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380580288.00007FF6AFBE6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6afbe0000_dialer.jbxd

Similarity

API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
API String ID: 4177739653-1130149537
Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
Instruction ID: 29aacac7fe7db07af24fbb701b71528e40b570e33ab3d471b0b34e25c44fea03
Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
Instruction Fuzzy Hash: D2814F31A0AB4296E720CF21E8545B93BB0FF8B758B4C41B9D94E83AA4DF3CD148C702

Function 00007FF6AFBE10C0 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 257
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6AFBE18AC: OpenProcess.KERNEL32(?,?,?,00007FF6AFBE110E), ref: 00007FF6AFBE18CA
Part of subcall function 00007FF6AFBE18AC: IsWow64Process.KERNEL32(?,?,?,00007FF6AFBE110E), ref: 00007FF6AFBE18E0
Part of subcall function 00007FF6AFBE18AC: CloseHandle.KERNELBASE(?,?,?,00007FF6AFBE110E), ref: 00007FF6AFBE18FB

OpenProcess.KERNEL32 ref: 00007FF6AFBE112C
OpenProcess.KERNEL32 ref: 00007FF6AFBE114B
K32GetModuleFileNameExW.KERNEL32 ref: 00007FF6AFBE1170
PathFindFileNameW.SHLWAPI ref: 00007FF6AFBE117E
lstrlenW.KERNEL32 ref: 00007FF6AFBE118A
StrCpyW.SHLWAPI ref: 00007FF6AFBE11A1
CloseHandle.KERNEL32 ref: 00007FF6AFBE11AD
StrCmpIW.SHLWAPI ref: 00007FF6AFBE11E2
NtQueryInformationProcess.NTDLL ref: 00007FF6AFBE1216
OpenProcessToken.ADVAPI32 ref: 00007FF6AFBE1240
GetTokenInformation.KERNELBASE ref: 00007FF6AFBE126C
GetLastError.KERNEL32 ref: 00007FF6AFBE1276
LocalAlloc.KERNEL32 ref: 00007FF6AFBE1289
GetTokenInformation.KERNELBASE ref: 00007FF6AFBE12B5
GetSidSubAuthorityCount.ADVAPI32 ref: 00007FF6AFBE12C2
GetSidSubAuthority.ADVAPI32 ref: 00007FF6AFBE12D1
LocalFree.KERNEL32 ref: 00007FF6AFBE12E9
CloseHandle.KERNEL32 ref: 00007FF6AFBE12FD
StrStrA.SHLWAPI ref: 00007FF6AFBE13A7
VirtualAllocEx.KERNELBASE ref: 00007FF6AFBE140E
WriteProcessMemory.KERNELBASE ref: 00007FF6AFBE1431
WaitForSingleObject.KERNEL32 ref: 00007FF6AFBE147D
GetExitCodeThread.KERNEL32 ref: 00007FF6AFBE1493
CloseHandle.KERNELBASE ref: 00007FF6AFBE14AB
CloseHandle.KERNEL32 ref: 00007FF6AFBE14B4

Strings

dialer.exe, xrefs: 00007FF6AFBE11CC
MSBuild.exe, xrefs: 00007FF6AFBE11B8
@, xrefs: 00007FF6AFBE1401
ReflectiveDllMain, xrefs: 00007FF6AFBE139D

Memory Dump Source

Source File: 0000000C.00000002.3379453219.00007FF6AFBE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6AFBE0000, based on PE: true

Associated: 0000000C.00000002.3378869560.00007FF6AFBE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380018046.00007FF6AFBE3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380580288.00007FF6AFBE6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6afbe0000_dialer.jbxd

Similarity

API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
API String ID: 2561231171-3753927220
Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
Instruction ID: 23ce0ad4d59e7f8da228b816d3d7c1cc04285d5d32c9df4675ee1733b757429b
Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
Instruction Fuzzy Hash: 93B1A271A0A68286EB24DF12E84067927B5FF87F84F184175DA4E877A4DF3CE549C702

Function 00007FF6AFBE14D8 Relevance: 19.6, APIs: 13, Instructions: 130
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6AFBE150B
HeapAlloc.KERNEL32 ref: 00007FF6AFBE151E
GetProcessHeap.KERNEL32 ref: 00007FF6AFBE152C
HeapAlloc.KERNEL32 ref: 00007FF6AFBE153D
K32EnumProcesses.KERNEL32 ref: 00007FF6AFBE1557
OpenProcess.KERNEL32 ref: 00007FF6AFBE1585
K32EnumProcessModules.KERNEL32 ref: 00007FF6AFBE15AA
ReadProcessMemory.KERNELBASE ref: 00007FF6AFBE15E1
CloseHandle.KERNELBASE ref: 00007FF6AFBE161D
GetProcessHeap.KERNEL32 ref: 00007FF6AFBE162F
RtlFreeHeap.NTDLL ref: 00007FF6AFBE163D
GetProcessHeap.KERNEL32 ref: 00007FF6AFBE1643
RtlFreeHeap.NTDLL ref: 00007FF6AFBE1651

Memory Dump Source

Source File: 0000000C.00000002.3379453219.00007FF6AFBE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6AFBE0000, based on PE: true

Associated: 0000000C.00000002.3378869560.00007FF6AFBE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380018046.00007FF6AFBE3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380580288.00007FF6AFBE6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6afbe0000_dialer.jbxd

Similarity

API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
String ID:
API String ID: 4084875642-0
Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
Instruction ID: b27b93a59c4e87e7f8a2488b33f7b1f0958dc7f8ac4f7688a99fc3dd9261d8e3
Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
Instruction Fuzzy Hash: A9519F32B166828AEB60DF62D8546B937A1FB4BB84F484078DE4E877A4DF3CD445C702

Function 00007FF6AFBE1B54 Relevance: 9.1, APIs: 6, Instructions: 82
memorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 00007FF6AFBE1BA3
SetEntriesInAclW.ADVAPI32 ref: 00007FF6AFBE1BEB
LocalAlloc.KERNEL32 ref: 00007FF6AFBE1BFB
InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF6AFBE1C0F
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF6AFBE1C26
CreateNamedPipeW.KERNELBASE ref: 00007FF6AFBE1C67

Memory Dump Source

Source File: 0000000C.00000002.3379453219.00007FF6AFBE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6AFBE0000, based on PE: true

Associated: 0000000C.00000002.3378869560.00007FF6AFBE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380018046.00007FF6AFBE3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380580288.00007FF6AFBE6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6afbe0000_dialer.jbxd

Similarity

API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
String ID:
API String ID: 3197395349-0
Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
Instruction ID: afbdf46008477f39cb15a464a7d9209eabdbdcedd424dd3a8776e738be7e581c
Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
Instruction Fuzzy Hash: E43171326156518AD720CF24E48079E7BB5FB49B98F54422AEB4D87F98DF7CD208CB40

Function 00007FF6AFBE1F2C Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 124
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCpyW.SHLWAPI ref: 00007FF6AFBE1F5D
StrCatW.SHLWAPI ref: 00007FF6AFBE1F6B
GetModuleHandleW.KERNEL32 ref: 00007FF6AFBE1F74
GetCurrentProcess.KERNEL32 ref: 00007FF6AFBE1F94
K32GetModuleInformation.KERNEL32 ref: 00007FF6AFBE1FA8
CreateFileW.KERNELBASE ref: 00007FF6AFBE1FD8
CreateFileMappingW.KERNELBASE ref: 00007FF6AFBE2002
MapViewOfFile.KERNELBASE ref: 00007FF6AFBE2025
lstrcmpiA.KERNEL32 ref: 00007FF6AFBE207B
VirtualProtect.KERNELBASE ref: 00007FF6AFBE20AE
VirtualProtect.KERNELBASE ref: 00007FF6AFBE20DE
CloseHandle.KERNELBASE ref: 00007FF6AFBE20E7
CloseHandle.KERNEL32 ref: 00007FF6AFBE20F0
FreeLibrary.KERNEL32 ref: 00007FF6AFBE20F9

Strings

.text, xrefs: 00007FF6AFBE2074
C:\Windows\System32\, xrefs: 00007FF6AFBE1F4F

Memory Dump Source

Source File: 0000000C.00000002.3379453219.00007FF6AFBE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6AFBE0000, based on PE: true

Associated: 0000000C.00000002.3378869560.00007FF6AFBE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380018046.00007FF6AFBE3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380580288.00007FF6AFBE6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6afbe0000_dialer.jbxd

Similarity

API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
String ID: .text$C:\Windows\System32\
API String ID: 2721474350-832442975
Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
Instruction ID: 08ba3962a9689e77d48a8681c843085f952759440d297e5d0b440b9b854599f3
Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
Instruction Fuzzy Hash: 7F51A032B0A68196EB208F16E85867A7771FB8AB94F484175DE4E83B94DF3CE548C701

Function 00007FF6AFBE2BF8 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
sleepfilepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6AFBE1B54: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF6AFBE1BA3
Part of subcall function 00007FF6AFBE1B54: SetEntriesInAclW.ADVAPI32 ref: 00007FF6AFBE1BEB
Part of subcall function 00007FF6AFBE1B54: LocalAlloc.KERNEL32 ref: 00007FF6AFBE1BFB
Part of subcall function 00007FF6AFBE1B54: InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF6AFBE1C0F
Part of subcall function 00007FF6AFBE1B54: SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF6AFBE1C26
Part of subcall function 00007FF6AFBE1B54: CreateNamedPipeW.KERNELBASE ref: 00007FF6AFBE1C67

Sleep.KERNEL32 ref: 00007FF6AFBE2C1D
ConnectNamedPipe.KERNELBASE ref: 00007FF6AFBE2C2A
ReadFile.KERNELBASE ref: 00007FF6AFBE2C4D
WriteFile.KERNEL32 ref: 00007FF6AFBE2C7B
Sleep.KERNEL32 ref: 00007FF6AFBE2C88
DisconnectNamedPipe.KERNELBASE ref: 00007FF6AFBE2C91

Strings

M, xrefs: 00007FF6AFBE2C6E
\\.\pipe\dialerchildproc64, xrefs: 00007FF6AFBE2C05

Memory Dump Source

Source File: 0000000C.00000002.3379453219.00007FF6AFBE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6AFBE0000, based on PE: true

Associated: 0000000C.00000002.3378869560.00007FF6AFBE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380018046.00007FF6AFBE3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380580288.00007FF6AFBE6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6afbe0000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
String ID: M$\\.\pipe\dialerchildproc64
API String ID: 2203880229-3489460547
Opcode ID: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
Instruction ID: f95d70f7421aba5d03d54b0545a1c64d3b7be9ccdf3d5624a71ea304b2a20ef8
Opcode Fuzzy Hash: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
Instruction Fuzzy Hash: 9C115221A5DA4692E714DB21E8043796B70BF877A0F0C4275D65F86BD4DF7CE548C702

Function 00007FF6AFBE21D0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
sleeppipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6AFBE1B54: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF6AFBE1BA3
Part of subcall function 00007FF6AFBE1B54: SetEntriesInAclW.ADVAPI32 ref: 00007FF6AFBE1BEB
Part of subcall function 00007FF6AFBE1B54: LocalAlloc.KERNEL32 ref: 00007FF6AFBE1BFB
Part of subcall function 00007FF6AFBE1B54: InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF6AFBE1C0F
Part of subcall function 00007FF6AFBE1B54: SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF6AFBE1C26
Part of subcall function 00007FF6AFBE1B54: CreateNamedPipeW.KERNELBASE ref: 00007FF6AFBE1C67

Sleep.KERNEL32 ref: 00007FF6AFBE21F5
ConnectNamedPipe.KERNELBASE ref: 00007FF6AFBE2202
ReadFile.KERNEL32 ref: 00007FF6AFBE2225
Sleep.KERNEL32 ref: 00007FF6AFBE2246
DisconnectNamedPipe.KERNEL32 ref: 00007FF6AFBE224F

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00007FF6AFBE21DD

Memory Dump Source

Source File: 0000000C.00000002.3379453219.00007FF6AFBE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6AFBE0000, based on PE: true

Associated: 0000000C.00000002.3378869560.00007FF6AFBE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380018046.00007FF6AFBE3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380580288.00007FF6AFBE6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6afbe0000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 2071455217-3440882674
Opcode ID: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
Instruction ID: ac85c0685c5d552b0eadcc949e02bafcb85e410b558abb55d3d315b5531d6b3c
Opcode Fuzzy Hash: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
Instruction Fuzzy Hash: 8A017521E0D54291FA14AB21E8043797770AF43BA0F1C4274DA6EC66E4DF7CE548D703

Function 00007FF6AFBE2B38 Relevance: 9.1, APIs: 6, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6AFBE2B53
HeapAlloc.KERNEL32 ref: 00007FF6AFBE2B67
GetProcessHeap.KERNEL32 ref: 00007FF6AFBE2B70
HeapAlloc.KERNEL32 ref: 00007FF6AFBE2B7E
K32EnumProcesses.KERNEL32 ref: 00007FF6AFBE2B99
SleepEx.KERNELBASE ref: 00007FF6AFBE2BEE

Memory Dump Source

Source File: 0000000C.00000002.3379453219.00007FF6AFBE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6AFBE0000, based on PE: true

Associated: 0000000C.00000002.3378869560.00007FF6AFBE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380018046.00007FF6AFBE3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380580288.00007FF6AFBE6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6afbe0000_dialer.jbxd

Similarity

API ID: Heap$AllocProcess$EnumProcessesSleep
String ID:
API String ID: 3676546796-0
Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
Instruction ID: 758691c5fd6cfe066156621245043cb93ac1464d1cffb588142dc77531090274
Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
Instruction Fuzzy Hash: 7D115135A0965286E728CF26E85543A7B71FB87B81F184078DA4A87758CE3DE841CB41

Function 00007FF6AFBE17EC Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,00000000,?,00007FF6AFBE238B,?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE1801
HeapAlloc.KERNEL32(?,00000000,?,00007FF6AFBE238B,?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE1812

Part of subcall function 00007FF6AFBE14D8: GetProcessHeap.KERNEL32 ref: 00007FF6AFBE150B
Part of subcall function 00007FF6AFBE14D8: HeapAlloc.KERNEL32 ref: 00007FF6AFBE151E
Part of subcall function 00007FF6AFBE14D8: GetProcessHeap.KERNEL32 ref: 00007FF6AFBE152C
Part of subcall function 00007FF6AFBE14D8: HeapAlloc.KERNEL32 ref: 00007FF6AFBE153D
Part of subcall function 00007FF6AFBE14D8: K32EnumProcesses.KERNEL32 ref: 00007FF6AFBE1557
Part of subcall function 00007FF6AFBE14D8: OpenProcess.KERNEL32 ref: 00007FF6AFBE1585
Part of subcall function 00007FF6AFBE14D8: K32EnumProcessModules.KERNEL32 ref: 00007FF6AFBE15AA
Part of subcall function 00007FF6AFBE14D8: ReadProcessMemory.KERNELBASE ref: 00007FF6AFBE15E1
Part of subcall function 00007FF6AFBE14D8: CloseHandle.KERNELBASE ref: 00007FF6AFBE161D
Part of subcall function 00007FF6AFBE14D8: GetProcessHeap.KERNEL32 ref: 00007FF6AFBE162F
Part of subcall function 00007FF6AFBE14D8: RtlFreeHeap.NTDLL ref: 00007FF6AFBE163D
Part of subcall function 00007FF6AFBE14D8: GetProcessHeap.KERNEL32 ref: 00007FF6AFBE1643
Part of subcall function 00007FF6AFBE14D8: RtlFreeHeap.NTDLL ref: 00007FF6AFBE1651

OpenProcess.KERNEL32 ref: 00007FF6AFBE1859
TerminateProcess.KERNEL32 ref: 00007FF6AFBE186C
CloseHandle.KERNEL32 ref: 00007FF6AFBE1875
GetProcessHeap.KERNEL32 ref: 00007FF6AFBE1885

Memory Dump Source

Source File: 0000000C.00000002.3379453219.00007FF6AFBE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6AFBE0000, based on PE: true

Associated: 0000000C.00000002.3378869560.00007FF6AFBE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380018046.00007FF6AFBE3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380580288.00007FF6AFBE6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6afbe0000_dialer.jbxd

Similarity

API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
String ID:
API String ID: 1323846700-0
Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
Instruction ID: bea24c0011cf66600ed7818410f139058823eb51879c7fbc48e0fb6506b2abfe
Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
Instruction Fuzzy Hash: D5115421F0A64285FB189F16E8440796BB1AF8BB84F1C4078DE0D837A5DE3DD4458702

Function 00007FF6AFBE18AC Relevance: 4.5, APIs: 3, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(?,?,?,00007FF6AFBE110E), ref: 00007FF6AFBE18CA
IsWow64Process.KERNEL32(?,?,?,00007FF6AFBE110E), ref: 00007FF6AFBE18E0
CloseHandle.KERNELBASE(?,?,?,00007FF6AFBE110E), ref: 00007FF6AFBE18FB

Memory Dump Source

Source File: 0000000C.00000002.3379453219.00007FF6AFBE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6AFBE0000, based on PE: true

Associated: 0000000C.00000002.3378869560.00007FF6AFBE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380018046.00007FF6AFBE3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380580288.00007FF6AFBE6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6afbe0000_dialer.jbxd

Similarity

API ID: Process$CloseHandleOpenWow64
String ID:
API String ID: 10462204-0
Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
Instruction ID: fd33fdc68e3e6e49d6fa8043d30b181e029c41259a116cf6de28645878fe9666
Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
Instruction Fuzzy Hash: 4AF01D22B0A78292EB548F16E5841296771EB8ABC0F589079EA8D83798DF3DD4858701

Function 00007FF6AFBE2258 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6AFBE226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE228F
Part of subcall function 00007FF6AFBE226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE229F
Part of subcall function 00007FF6AFBE226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE22B9
Part of subcall function 00007FF6AFBE226C: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6AFBE22D0
Part of subcall function 00007FF6AFBE226C: AdjustTokenPrivileges.KERNELBASE ref: 00007FF6AFBE2308
Part of subcall function 00007FF6AFBE226C: GetLastError.KERNEL32 ref: 00007FF6AFBE2312
Part of subcall function 00007FF6AFBE226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE231B
Part of subcall function 00007FF6AFBE226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE232F
Part of subcall function 00007FF6AFBE226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE2346
Part of subcall function 00007FF6AFBE226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE235F
Part of subcall function 00007FF6AFBE226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE2371
Part of subcall function 00007FF6AFBE226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6AFBE2261), ref: 00007FF6AFBE237E
Part of subcall function 00007FF6AFBE226C: RegCreateKeyExW.KERNELBASE ref: 00007FF6AFBE23BE
Part of subcall function 00007FF6AFBE226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF6AFBE23E5
Part of subcall function 00007FF6AFBE226C: RegSetKeySecurity.KERNELBASE ref: 00007FF6AFBE23FE
Part of subcall function 00007FF6AFBE226C: LocalFree.KERNEL32 ref: 00007FF6AFBE2408

ExitProcess.KERNEL32 ref: 00007FF6AFBE2263

Memory Dump Source

Source File: 0000000C.00000002.3379453219.00007FF6AFBE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6AFBE0000, based on PE: true

Associated: 0000000C.00000002.3378869560.00007FF6AFBE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380018046.00007FF6AFBE3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380580288.00007FF6AFBE6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6afbe0000_dialer.jbxd

Similarity

API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
String ID:
API String ID: 3836936051-0
Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
Instruction ID: 4271998e0805194ada29f6a0abcb3867bb944a956f94a5eb3bb262c5c546528e
Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
Instruction Fuzzy Hash: 54A00111E1B54286EA0837B5995A06827716F97A02F5804B8D00A86292DD2C64558617

Non-executed Functions

Function 00007FF6AFBE2560 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 296
memoryregistryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 00007FF6AFBE25E7

Part of subcall function 00007FF6AFBE18AC: OpenProcess.KERNEL32(?,?,?,00007FF6AFBE110E), ref: 00007FF6AFBE18CA
Part of subcall function 00007FF6AFBE18AC: IsWow64Process.KERNEL32(?,?,?,00007FF6AFBE110E), ref: 00007FF6AFBE18E0
Part of subcall function 00007FF6AFBE18AC: CloseHandle.KERNELBASE(?,?,?,00007FF6AFBE110E), ref: 00007FF6AFBE18FB

Part of subcall function 00007FF6AFBE10C0: OpenProcess.KERNEL32 ref: 00007FF6AFBE112C
Part of subcall function 00007FF6AFBE10C0: OpenProcess.KERNEL32 ref: 00007FF6AFBE114B
Part of subcall function 00007FF6AFBE10C0: K32GetModuleFileNameExW.KERNEL32 ref: 00007FF6AFBE1170
Part of subcall function 00007FF6AFBE10C0: PathFindFileNameW.SHLWAPI ref: 00007FF6AFBE117E
Part of subcall function 00007FF6AFBE10C0: lstrlenW.KERNEL32 ref: 00007FF6AFBE118A
Part of subcall function 00007FF6AFBE10C0: StrCpyW.SHLWAPI ref: 00007FF6AFBE11A1
Part of subcall function 00007FF6AFBE10C0: CloseHandle.KERNEL32 ref: 00007FF6AFBE11AD
Part of subcall function 00007FF6AFBE10C0: StrCmpIW.SHLWAPI ref: 00007FF6AFBE11E2
Part of subcall function 00007FF6AFBE10C0: NtQueryInformationProcess.NTDLL ref: 00007FF6AFBE1216
Part of subcall function 00007FF6AFBE10C0: OpenProcessToken.ADVAPI32 ref: 00007FF6AFBE1240

RegOpenKeyExW.ADVAPI32 ref: 00007FF6AFBE2683
RegDeleteValueW.ADVAPI32 ref: 00007FF6AFBE269B
ExitProcess.KERNEL32 ref: 00007FF6AFBE26BF
GetProcessHeap.KERNEL32 ref: 00007FF6AFBE26C6
HeapAlloc.KERNEL32 ref: 00007FF6AFBE26D9
K32EnumProcesses.KERNEL32 ref: 00007FF6AFBE26F6
ExitProcess.KERNEL32 ref: 00007FF6AFBE2796

Strings

open, xrefs: 00007FF6AFBE2960
SOFTWARE, xrefs: 00007FF6AFBE2675
dialerstager, xrefs: 00007FF6AFBE2694

Memory Dump Source

Source File: 0000000C.00000002.3379453219.00007FF6AFBE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6AFBE0000, based on PE: true

Associated: 0000000C.00000002.3378869560.00007FF6AFBE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380018046.00007FF6AFBE3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380580288.00007FF6AFBE6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6afbe0000_dialer.jbxd

Similarity

API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
String ID: SOFTWARE$dialerstager$open
API String ID: 3276259517-3931493855
Opcode ID: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
Instruction ID: 66d4e43e6893562af8deaf36c2a137098d8fda11861db79a22b1b6ee5131dfff
Opcode Fuzzy Hash: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
Instruction Fuzzy Hash: EBD18221F0A6838AEB799F25D8042B92775FF47B84F4412B9D94E87695DF3CE604C702

Function 00007FF6AFBE1C88 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 154
injectionthreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 00007FF6AFBE1D1D
VirtualAllocEx.KERNEL32 ref: 00007FF6AFBE1D4C
WriteProcessMemory.KERNEL32 ref: 00007FF6AFBE1D73
WriteProcessMemory.KERNEL32 ref: 00007FF6AFBE1DB2
VirtualAlloc.KERNEL32 ref: 00007FF6AFBE1DE3
GetThreadContext.KERNEL32 ref: 00007FF6AFBE1DFF
WriteProcessMemory.KERNEL32 ref: 00007FF6AFBE1E26
SetThreadContext.KERNEL32 ref: 00007FF6AFBE1E44
ResumeThread.KERNEL32 ref: 00007FF6AFBE1E52
OpenProcess.KERNEL32 ref: 00007FF6AFBE1E6A
TerminateProcess.KERNEL32 ref: 00007FF6AFBE1E7D

Strings

@, xrefs: 00007FF6AFBE1D44

Memory Dump Source

Source File: 0000000C.00000002.3379453219.00007FF6AFBE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6AFBE0000, based on PE: true

Associated: 0000000C.00000002.3378869560.00007FF6AFBE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380018046.00007FF6AFBE3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380580288.00007FF6AFBE6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6afbe0000_dialer.jbxd

Similarity

API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
String ID: @
API String ID: 3462610200-2766056989
Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
Instruction ID: 76ee852e0a2e34bd2a0e175f10f52762a7bb714f052318e3329e7dcb01193992
Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
Instruction Fuzzy Hash: 3251BE32B05A4186EB50CF26E8406AE7BB1FB4AB88F194175DE4D97BA8DF3CE445C701

Function 00007FF6AFBE19C4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 102memorycomCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6AFBE19E6
SysAllocString.OLEAUT32 ref: 00007FF6AFBE19F6
CoInitializeEx.OLE32 ref: 00007FF6AFBE1A03
CoInitializeSecurity.OLE32 ref: 00007FF6AFBE1A3A
CoCreateInstance.OLE32 ref: 00007FF6AFBE1A7A
VariantInit.OLEAUT32 ref: 00007FF6AFBE1A8C
CoUninitialize.OLE32 ref: 00007FF6AFBE1B26
SysFreeString.OLEAUT32 ref: 00007FF6AFBE1B2F
SysFreeString.OLEAUT32 ref: 00007FF6AFBE1B38

Strings

dialersvc64, xrefs: 00007FF6AFBE19DD

Memory Dump Source

Source File: 0000000C.00000002.3379453219.00007FF6AFBE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6AFBE0000, based on PE: true

Associated: 0000000C.00000002.3378869560.00007FF6AFBE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380018046.00007FF6AFBE3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380580288.00007FF6AFBE6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6afbe0000_dialer.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID: dialersvc64
API String ID: 4184240511-3881820561
Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
Instruction ID: 68e6271601b0acfb5b67390ed3022bad3e6c642e63bdbbb402da7f50a674759a
Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
Instruction Fuzzy Hash: 26419F36B09A8296E710DF35E4402AD77B5FB8AB89F085175EE4D87A64DF3CE149C300

Function 00007FF6AFBE1000 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6AFBE1034
RegDeleteKeyW.ADVAPI32 ref: 00007FF6AFBE1045
RegEnumKeyExW.ADVAPI32 ref: 00007FF6AFBE1082
RegCloseKey.ADVAPI32 ref: 00007FF6AFBE1093
RegDeleteKeyExW.ADVAPI32 ref: 00007FF6AFBE10B0

Strings

SOFTWARE\dialerconfig, xrefs: 00007FF6AFBE1026, 00007FF6AFBE109C

Memory Dump Source

Source File: 0000000C.00000002.3379453219.00007FF6AFBE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6AFBE0000, based on PE: true

Associated: 0000000C.00000002.3378869560.00007FF6AFBE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380018046.00007FF6AFBE3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380580288.00007FF6AFBE6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6afbe0000_dialer.jbxd

Similarity

API ID: Delete$CloseEnumOpen
String ID: SOFTWARE\dialerconfig
API String ID: 3013565938-461861421
Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
Instruction ID: 4fa895e14733a0c8bed12f6cccae39bbf1520bd04ee9e9292db74aedeab9a348
Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
Instruction Fuzzy Hash: AE112932B19A8581E770CF20E8457F92774FB4A794F480275D64D8AAD9DF3CD248CB06

Function 00007FF6AFBE2A90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF6AFBE2ACB
WriteFile.KERNEL32 ref: 00007FF6AFBE2AF3
WriteFile.KERNEL32 ref: 00007FF6AFBE2B16
CloseHandle.KERNEL32 ref: 00007FF6AFBE2B1F

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00007FF6AFBE2AA8

Memory Dump Source

Source File: 0000000C.00000002.3379453219.00007FF6AFBE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6AFBE0000, based on PE: true

Associated: 0000000C.00000002.3378869560.00007FF6AFBE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380018046.00007FF6AFBE3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380580288.00007FF6AFBE6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6afbe0000_dialer.jbxd

Similarity

API ID: File$Write$CloseCreateHandle
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 148219782-3440882674
Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
Instruction ID: 396f944e49d9d0cab2d092ec64fd072960dbb0b59c825237fe3ead700c0b8813
Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
Instruction Fuzzy Hash: 9A117C76B25B5182EB008F11E808329A770FB8AFA4F484275DA2943BD4CF7CD549C741

Function 00007FF6AFBE1914 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00007FF6AFBE2138), ref: 00007FF6AFBE1924
GetProcAddress.KERNEL32(?,?,00000000,00007FF6AFBE2138), ref: 00007FF6AFBE1937

Strings

ntdll.dll, xrefs: 00007FF6AFBE191A

Memory Dump Source

Source File: 0000000C.00000002.3379453219.00007FF6AFBE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6AFBE0000, based on PE: true

Associated: 0000000C.00000002.3378869560.00007FF6AFBE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380018046.00007FF6AFBE3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.3380580288.00007FF6AFBE6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6afbe0000_dialer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ntdll.dll
API String ID: 1646373207-2227199552
Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
Instruction ID: 84ae70ce6d67f21a5f2f6369f2003e08eaef5cf8cd2606ce258c4d5f6cf7f381
Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
Instruction Fuzzy Hash: 00D0C998B1760782EE1A9762E8A503457B16F5BB86F8C40B4CD1EC6390DE2CD0998602

Analysis Process: winlogon.exePID: 560, Parent PID: 1172COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	95.2%
Signature Coverage:	0%
Total number of Nodes:	126
Total number of Limit Nodes:	16

Executed Functions

Function 000002D0165E1628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002D0165E1633
HeapAlloc.KERNEL32 ref: 000002D0165E1642

Part of subcall function 000002D0165E1268: GetProcessHeap.KERNEL32 ref: 000002D0165E126E
Part of subcall function 000002D0165E1268: HeapAlloc.KERNEL32 ref: 000002D0165E127D
Part of subcall function 000002D0165E1268: GetProcessHeap.KERNEL32 ref: 000002D0165E1297
Part of subcall function 000002D0165E1268: HeapAlloc.KERNEL32 ref: 000002D0165E12A8

RegOpenKeyExW.ADVAPI32 ref: 000002D0165E16B2
RegOpenKeyExW.ADVAPI32 ref: 000002D0165E16DF
RegCloseKey.ADVAPI32 ref: 000002D0165E16F9
RegOpenKeyExW.ADVAPI32 ref: 000002D0165E1719
RegCloseKey.ADVAPI32 ref: 000002D0165E1734
RegOpenKeyExW.ADVAPI32 ref: 000002D0165E1754
RegCloseKey.ADVAPI32 ref: 000002D0165E176F
RegOpenKeyExW.ADVAPI32 ref: 000002D0165E178F
RegCloseKey.ADVAPI32 ref: 000002D0165E17AA
RegOpenKeyExW.ADVAPI32 ref: 000002D0165E17CA
RegCloseKey.ADVAPI32 ref: 000002D0165E17E5
RegOpenKeyExW.ADVAPI32 ref: 000002D0165E1805
RegCloseKey.ADVAPI32 ref: 000002D0165E1820
RegOpenKeyExW.ADVAPI32 ref: 000002D0165E1840
RegCloseKey.ADVAPI32 ref: 000002D0165E185B
RegOpenKeyExW.ADVAPI32 ref: 000002D0165E187B
RegCloseKey.ADVAPI32 ref: 000002D0165E1896
RegCloseKey.ADVAPI32 ref: 000002D0165E18A0

Part of subcall function 000002D0165E12BC: RegQueryInfoKeyW.ADVAPI32 ref: 000002D0165E1319
Part of subcall function 000002D0165E12BC: GetProcessHeap.KERNEL32 ref: 000002D0165E1327
Part of subcall function 000002D0165E12BC: HeapAlloc.KERNEL32 ref: 000002D0165E1338
Part of subcall function 000002D0165E12BC: RegEnumValueW.ADVAPI32 ref: 000002D0165E1397
Part of subcall function 000002D0165E12BC: GetProcessHeap.KERNEL32 ref: 000002D0165E13DF
Part of subcall function 000002D0165E12BC: HeapAlloc.KERNEL32 ref: 000002D0165E13ED
Part of subcall function 000002D0165E12BC: GetProcessHeap.KERNEL32 ref: 000002D0165E140A
Part of subcall function 000002D0165E12BC: HeapFree.KERNEL32 ref: 000002D0165E1418
Part of subcall function 000002D0165E12BC: lstrlenW.KERNEL32 ref: 000002D0165E1421
Part of subcall function 000002D0165E12BC: GetProcessHeap.KERNEL32 ref: 000002D0165E142F
Part of subcall function 000002D0165E12BC: HeapAlloc.KERNEL32 ref: 000002D0165E143D

Strings

startup, xrefs: 000002D0165E16D5
paths, xrefs: 000002D0165E1788
tcp_remote, xrefs: 000002D0165E1839
SOFTWARE\dialerconfig, xrefs: 000002D0165E1692
service_names, xrefs: 000002D0165E17C3
udp, xrefs: 000002D0165E1874
pid, xrefs: 000002D0165E1712
tcp_local, xrefs: 000002D0165E17FE
process_names, xrefs: 000002D0165E174D

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 5ecbaa186e8d59cd892059c32c6735f956b01256b6e0a22be3f8683e5b015701
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: EE711936210A9086EB209FB6ECD8B9973A5F784B89F801112DE4E47B78EF35C954C744

Function 000002D0165E3790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 000002D0165E379E
GetCurrentProcess.KERNEL32 ref: 000002D0165E37CC
VirtualProtectEx.KERNEL32 ref: 000002D0165E37EE
GetCurrentProcess.KERNEL32 ref: 000002D0165E3809
VirtualProtectEx.KERNEL32 ref: 000002D0165E382A

Strings

wr, xrefs: 000002D0165E37FF

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 4674d9df3d536e982c299afeb10ddbd57cf0d0b09ef677d7c97c0013872c700b
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 6411A126305781C2FF149B61F848769B2B4F748B85F84002ADE8D03765EF3ECA05C714

Function 000002D0165E5B30 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000002D0165E5B6B
GetThreadContext.KERNEL32 ref: 000002D0165E5CD5

Part of subcall function 000002D0165E5960: GetCurrentThreadId.KERNEL32 ref: 000002D0165E5964

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
Instruction ID: d170addcbda7b12596392159c148f3388fdea41b115c5373cd1e58d87ea25250
Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
Instruction Fuzzy Hash: 01D18B76205B8882DB709B56E8D435AB7A0F388B88F504117EACD47BB5DF3ECA55CB40

Function 000002D0165E50D0 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000002D0165E5156

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
Instruction ID: c79f08a0408f7d8f647ff0ca48cb583e9eb7eb6c6cfc1174afee583460d097fa
Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
Instruction Fuzzy Hash: 5402A832619BC486EB60CB95E89435AF7A1F3C4794F504016EACE87BA9DF7EC954CB00

Function 000002D0165E39E0 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 000002D0165E3A66
VirtualAlloc.KERNEL32 ref: 000002D0165E3AA0

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction ID: 28efb8197a5b457b3dea2d752150fd58e1380e9d813bcaab70eb5bc99618508c
Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction Fuzzy Hash: B9311722219AC481EF30DB95E89935EE6A0F384784F900526F5CD467B9DF7ECB808B04

Function 000002D0165E328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002D0165E32AE
PathFindFileNameW.SHLWAPI ref: 000002D0165E32BD

Part of subcall function 000002D0165E3844: StrCmpNIW.SHLWAPI ref: 000002D0165E385C

Part of subcall function 000002D0165E3790: GetModuleHandleW.KERNEL32 ref: 000002D0165E379E
Part of subcall function 000002D0165E3790: GetCurrentProcess.KERNEL32 ref: 000002D0165E37CC
Part of subcall function 000002D0165E3790: VirtualProtectEx.KERNEL32 ref: 000002D0165E37EE
Part of subcall function 000002D0165E3790: GetCurrentProcess.KERNEL32 ref: 000002D0165E3809
Part of subcall function 000002D0165E3790: VirtualProtectEx.KERNEL32 ref: 000002D0165E382A

CreateThread.KERNEL32 ref: 000002D0165E330B

Part of subcall function 000002D0165E1D14: GetCurrentThread.KERNEL32 ref: 000002D0165E1D1F

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 9ff0edd3e6e9ab198c3d17986b58ccebaadaacc8bbb4bde1db76d12e6f3558f5
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 1C1161306147C182FF6097E1FDCDB69A298AB58345FD0512BE90E815F6EF7ACE44C210

Function 000002D0165E4DF0 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000002D0165E4DF4
VirtualProtect.KERNEL32 ref: 000002D0165E4E37
FlushInstructionCache.KERNEL32 ref: 000002D0165E4E4C

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
Instruction ID: d1e0e70aa0f07598b53ed8611aa5d9f6cf8e10010ed7fed8d00852c42d35725f
Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
Instruction Fuzzy Hash: FFF0BD26219B84C1DB30DB85E89575AABA0F3887D4F945117BACD47B79CA3ECA908B40

Function 000002D01658273C Relevance: 3.2, APIs: 2, Instructions: 187
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002D0165827DB
LoadLibraryA.KERNELBASE ref: 000002D01658285E

Memory Dump Source

Source File: 00000011.00000002.3388723676.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d016580000_winlogon.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 0197585b0632c450f7244b768ee28b396eb2739c6a19c1b09bc8c1b93abfbced
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 01610532B016D087EB54CF56988872D7B9AF754BD4F98C122DE5D07B98DA34DC92C780

Function 000002D0165E1ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002D0165E1628: GetProcessHeap.KERNEL32 ref: 000002D0165E1633
Part of subcall function 000002D0165E1628: HeapAlloc.KERNEL32 ref: 000002D0165E1642
Part of subcall function 000002D0165E1628: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E16B2
Part of subcall function 000002D0165E1628: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E16DF
Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E16F9
Part of subcall function 000002D0165E1628: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E1719
Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E1734
Part of subcall function 000002D0165E1628: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E1754
Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E176F
Part of subcall function 000002D0165E1628: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E178F
Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E17AA
Part of subcall function 000002D0165E1628: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E17CA

Sleep.KERNEL32 ref: 000002D0165E1AD7
SleepEx.KERNELBASE ref: 000002D0165E1ADD

Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E17E5
Part of subcall function 000002D0165E1628: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E1805
Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E1820
Part of subcall function 000002D0165E1628: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E1840
Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E185B
Part of subcall function 000002D0165E1628: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E187B
Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E1896
Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E18A0

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 07e4e4e3ba5978a263fb33c37be15a198cbe7b0fb120eabd57c8358f31885df7
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: D331C061A006C141FF709BA6DEC93E9B3A9AB44BC6F8454279E0E8B7B5EE15CD51C210

Non-executed Functions

Function 000002D0165E2B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000002D0165E2BD0
lstrlenW.KERNEL32 ref: 000002D0165E2E0A

Part of subcall function 000002D0165E199C: OpenProcess.KERNEL32 ref: 000002D0165E19C2
Part of subcall function 000002D0165E199C: K32GetModuleFileNameExW.KERNEL32 ref: 000002D0165E19E0
Part of subcall function 000002D0165E199C: PathFindFileNameW.SHLWAPI ref: 000002D0165E19EF
Part of subcall function 000002D0165E199C: lstrlenW.KERNEL32 ref: 000002D0165E19FB
Part of subcall function 000002D0165E199C: StrCpyW.SHLWAPI ref: 000002D0165E1A0E
Part of subcall function 000002D0165E199C: CloseHandle.KERNEL32 ref: 000002D0165E1A1C

GetProcAddress.KERNEL32 ref: 000002D0165E2BE5

Part of subcall function 000002D0165E152C: StrCmpIW.SHLWAPI ref: 000002D0165E155D

Part of subcall function 000002D0165E3844: StrCmpNIW.SHLWAPI ref: 000002D0165E385C

StrCmpNIW.SHLWAPI ref: 000002D0165E2C28
lstrlenW.KERNEL32 ref: 000002D0165E2D50

Strings

NtQueryObject, xrefs: 000002D0165E2BDB
ntdll.dll, xrefs: 000002D0165E2BC9
\Device\Nsi, xrefs: 000002D0165E2C1B

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: d3b596ab05dff9b38269f4f9cd95cbcd315625dbf01702ec5e409f4043454db4
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 40B18166210AD18AEF648FA5DD887A9B3A5FB44BC4F849017EE0D537A8DF36CE41C740

Function 000002D0165E7D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002D0165E7DAC
RtlCaptureContext.NTDLL ref: 000002D0165E7DD9
RtlLookupFunctionEntry.NTDLL ref: 000002D0165E7DF3
RtlVirtualUnwind.NTDLL ref: 000002D0165E7E34
IsDebuggerPresent.KERNEL32 ref: 000002D0165E7E88
SetUnhandledExceptionFilter.KERNEL32 ref: 000002D0165E7EA9
UnhandledExceptionFilter.KERNEL32 ref: 000002D0165E7EB4

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: 20d5fac5d31b6f1b1b7ff7f3eed5433fc4695a7276fd3db9f08efe4689facb88
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 8A311C76205BC08AEB609FA0EC947ED7365F785744F84442ADA4E57BA8EF39CA48C710

Function 000002D0165ED2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002D0165ED31D
RtlLookupFunctionEntry.NTDLL ref: 000002D0165ED335
RtlVirtualUnwind.NTDLL ref: 000002D0165ED370
IsDebuggerPresent.KERNEL32 ref: 000002D0165ED3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 000002D0165ED3B3
UnhandledExceptionFilter.KERNEL32 ref: 000002D0165ED3BE

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 3b7d1831335daaf51ebfd733c592f0e35ffd938c3d674718b742b5f189087fd6
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 09314036214FC086EB60CF65EC843AE73A4F789754F940226EA9D47BA5DF39CA55CB00

Function 000002D0165E12BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002D0165E1319
GetProcessHeap.KERNEL32 ref: 000002D0165E1327
HeapAlloc.KERNEL32 ref: 000002D0165E1338
RegEnumValueW.ADVAPI32 ref: 000002D0165E1397

Part of subcall function 000002D0165E152C: StrCmpIW.SHLWAPI ref: 000002D0165E155D

GetProcessHeap.KERNEL32 ref: 000002D0165E13DF
HeapAlloc.KERNEL32 ref: 000002D0165E13ED
GetProcessHeap.KERNEL32 ref: 000002D0165E140A
HeapFree.KERNEL32 ref: 000002D0165E1418
lstrlenW.KERNEL32 ref: 000002D0165E1421
GetProcessHeap.KERNEL32 ref: 000002D0165E142F
HeapAlloc.KERNEL32 ref: 000002D0165E143D
StrCpyW.SHLWAPI ref: 000002D0165E145F
GetProcessHeap.KERNEL32 ref: 000002D0165E1476
HeapFree.KERNEL32 ref: 000002D0165E1484

Strings

d, xrefs: 000002D0165E135A

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: e3e3399429e55960cf070cc16a5005b5190db7e605521ce6618ec048f68560e7
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: BE517F76200B8486EB60CFA2E88879AB7A1F788FC9F844126DE4D07768DF3DC545CB10

Function 000002D0165E1D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002D0165E1D1F

Part of subcall function 000002D0165E1FD4: GetModuleHandleA.KERNEL32 ref: 000002D0165E1FEC
Part of subcall function 000002D0165E1FD4: GetProcAddress.KERNEL32 ref: 000002D0165E1FFD

Part of subcall function 000002D0165E5B30: GetCurrentThreadId.KERNEL32 ref: 000002D0165E5B6B

Strings

EnumServicesStatusExW, xrefs: 000002D0165E1E11, 000002D0165E1E32
EnumServiceGroupW, xrefs: 000002D0165E1DF0
NtQueryDirectoryFileEx, xrefs: 000002D0165E1D9C
NtEnumerateValueKey, xrefs: 000002D0165E1DD6
NtQueryDirectoryFile, xrefs: 000002D0165E1D7F
NtQuerySystemInformation, xrefs: 000002D0165E1D45
ntdll.dll, xrefs: 000002D0165E1D2D
NtEnumerateKey, xrefs: 000002D0165E1DB9
NtDeviceIoControlFile, xrefs: 000002D0165E1E56
NtResumeThread, xrefs: 000002D0165E1D62
sechost.dll, xrefs: 000002D0165E1E39
advapi32.dll, xrefs: 000002D0165E1DF7, 000002D0165E1E18

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: 9dee3d71542fb905587bd6568b7d178f2fe6f5c2276b71c2ce632fa0ceebaf95
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: B731C2A5500ACAA0EF50EFE5ECD97D4B324BB04385FC09563A42D02179AF79CF49C7A0

Function 000002D016586910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002D016586938
__scrt_acquire_startup_lock.LIBCMT ref: 000002D01658698A
_RTC_Initialize.LIBCMT ref: 000002D0165869B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002D0165869DE
__scrt_release_startup_lock.LIBCMT ref: 000002D016586A09

Strings

`eh vector copy constructor iterator', xrefs: 000002D016586A3B
`eh vector vbase copy constructor iterator', xrefs: 000002D0165869EE
`dynamic initializer for ', xrefs: 000002D0165869C7
scriptor', xrefs: 000002D016586B39, 000002D016586BB2, 000002D016586BEC

Memory Dump Source

Source File: 00000011.00000002.3388723676.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d016580000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: dd7692e2b99b60a86f76d6b3ad3452ab25c272ff970cedf1c1e1e01c02871081
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 8B81B1616102E186FB50ABE7DCDD3592298EB85B88FD48027AA4D47FB7DB38CD458720

Function 000002D0165ECE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 000002D0165ECE37
FlsGetValue.KERNEL32(?,?,?,000002D0165F0A6B,?,?,?,000002D0165F045C,?,?,?,000002D0165EC84F), ref: 000002D0165ECE4C
FlsSetValue.KERNEL32(?,?,?,000002D0165F0A6B,?,?,?,000002D0165F045C,?,?,?,000002D0165EC84F), ref: 000002D0165ECE6D
FlsSetValue.KERNEL32(?,?,?,000002D0165F0A6B,?,?,?,000002D0165F045C,?,?,?,000002D0165EC84F), ref: 000002D0165ECE9A
FlsSetValue.KERNEL32(?,?,?,000002D0165F0A6B,?,?,?,000002D0165F045C,?,?,?,000002D0165EC84F), ref: 000002D0165ECEAB
FlsSetValue.KERNEL32(?,?,?,000002D0165F0A6B,?,?,?,000002D0165F045C,?,?,?,000002D0165EC84F), ref: 000002D0165ECEBC
SetLastError.KERNEL32 ref: 000002D0165ECED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002D0165F0A6B,?,?,?,000002D0165F045C,?,?,?,000002D0165EC84F), ref: 000002D0165ECF0D
FlsSetValue.KERNEL32(?,?,00000001,000002D0165EECCC,?,?,?,?,000002D0165EBF9F,?,?,?,?,?,000002D0165E7AB0), ref: 000002D0165ECF2C

Part of subcall function 000002D0165ED6CC: HeapAlloc.KERNEL32 ref: 000002D0165ED721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D0165F0A6B,?,?,?,000002D0165F045C,?,?,?,000002D0165EC84F), ref: 000002D0165ECF54

Part of subcall function 000002D0165ED744: HeapFree.KERNEL32 ref: 000002D0165ED75A
Part of subcall function 000002D0165ED744: GetLastError.KERNEL32 ref: 000002D0165ED764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D0165F0A6B,?,?,?,000002D0165F045C,?,?,?,000002D0165EC84F), ref: 000002D0165ECF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D0165F0A6B,?,?,?,000002D0165F045C,?,?,?,000002D0165EC84F), ref: 000002D0165ECF76

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 6cb119c879d4005e3e486556fd0f16809afcb4c169a1b85a080ac9ab7b906ee7
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: D14162212016C546FF69A7F95DDE369E2425B447B0FD4472BB83E0A7F6DE2ACE418200

Function 000002D0165E2244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002D0165E2259
GetCurrentProcessId.KERNEL32 ref: 000002D0165E2263

Part of subcall function 000002D0165E1934: OpenProcess.KERNEL32 ref: 000002D0165E1952
Part of subcall function 000002D0165E1934: IsWow64Process.KERNEL32 ref: 000002D0165E1968
Part of subcall function 000002D0165E1934: CloseHandle.KERNEL32 ref: 000002D0165E1983

CreateFileW.KERNEL32 ref: 000002D0165E22BC
WriteFile.KERNEL32 ref: 000002D0165E22E4
ReadFile.KERNEL32 ref: 000002D0165E2303
CloseHandle.KERNEL32 ref: 000002D0165E230C

Strings

\\.\pipe\dialerchildproc32, xrefs: 000002D0165E2293
\\.\pipe\dialerchildproc64, xrefs: 000002D0165E228C

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 27c92a905a2f4f6f1a7d1a88f5f4c691c2a465980edda73e2f7a22435be0af33
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 92212F3661479082FB108B65F88875977A5F789BA5F904216EA5D03BB8DF7CC949CF00

Function 000002D016589944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002D0165899A1

Part of subcall function 000002D01658A814: __GetUnwindTryBlock.LIBCMT ref: 000002D01658A857
Part of subcall function 000002D01658A814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002D01658A87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002D016589A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002D016589CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002D016589DDA

Strings

csm, xrefs: 000002D016589A22
csm, xrefs: 000002D0165899BB
csm, xrefs: 000002D016589A9C

Memory Dump Source

Source File: 00000011.00000002.3388723676.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d016580000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 8d33458c817a64122548c589ceefed1e9e6f3c6a843f5d4004e67bc5e997e060
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 16E170726057808AEB60DFAAD8C839D77B8F755B98F900116EE8D57FA6CB34C991C700

Function 000002D0165EA544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002D0165EA5A1

Part of subcall function 000002D0165EB414: __GetUnwindTryBlock.LIBCMT ref: 000002D0165EB457
Part of subcall function 000002D0165EB414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002D0165EB47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002D0165EA679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002D0165EA8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002D0165EA9DA

Strings

csm, xrefs: 000002D0165EA622
csm, xrefs: 000002D0165EA5BB
csm, xrefs: 000002D0165EA69C

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: 3b43c7ab403b83ca95457f37da0d4b500b38ba5a1a126430ff915fab710d6147
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 7BE14C72A047C08AEF60DFB5988839DB7A0F755798F900117EE8D57BA9CB36CA91C740

Function 000002D0165EF394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 000002D0165EF510
GetProcAddress.KERNEL32 ref: 000002D0165EF51C

Strings

ext-ms-, xrefs: 000002D0165EF46D
api-ms-, xrefs: 000002D0165EF45A

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: d0c3c69c08ddd6f5c27ead1c77a57a672af2ad5f3c132c9258f8044c477055ab
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: D0410622311A9091FF16CFEAAD88756A395B744BE0FC4412B9D4E877A4EE3ECE458310

Function 000002D0165E104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002D0165E10B1
RegEnumValueW.ADVAPI32 ref: 000002D0165E1117
GetProcessHeap.KERNEL32 ref: 000002D0165E115A
HeapAlloc.KERNEL32 ref: 000002D0165E1168
GetProcessHeap.KERNEL32 ref: 000002D0165E1185
HeapFree.KERNEL32 ref: 000002D0165E1193

Strings

d, xrefs: 000002D0165E10D6

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: 60b4ca63da48bf83ee31c643dec68d0684812f94169e8e12275eb22dcfa7cc50
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: F4416273614BC4C6EB64CFA1E88879EB7A1F388B99F448116DA8D07768DF39C945CB40

Function 000002D0165ED068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000002D0165EC7DE,?,?,?,?,?,?,?,?,000002D0165ECF9D,?,?,00000001), ref: 000002D0165ED087
FlsSetValue.KERNEL32(?,?,?,000002D0165EC7DE,?,?,?,?,?,?,?,?,000002D0165ECF9D,?,?,00000001), ref: 000002D0165ED0A6
FlsSetValue.KERNEL32(?,?,?,000002D0165EC7DE,?,?,?,?,?,?,?,?,000002D0165ECF9D,?,?,00000001), ref: 000002D0165ED0CE
FlsSetValue.KERNEL32(?,?,?,000002D0165EC7DE,?,?,?,?,?,?,?,?,000002D0165ECF9D,?,?,00000001), ref: 000002D0165ED0DF
FlsSetValue.KERNEL32(?,?,?,000002D0165EC7DE,?,?,?,?,?,?,?,?,000002D0165ECF9D,?,?,00000001), ref: 000002D0165ED0F0

Strings

Y%, xrefs: 000002D0165ED0A6
1%, xrefs: 000002D0165ED0CE

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: 7080bbce82f1be4da0ddcc39a1ebc959a46846a47c0639f49ef077fcb6817628
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: F51133617042C442FF6857ED5DDD369E2415B447F0FD84327A83E466FAEE2ACE428600

Function 000002D0165E7510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002D0165E7538
__scrt_acquire_startup_lock.LIBCMT ref: 000002D0165E758A
_RTC_Initialize.LIBCMT ref: 000002D0165E75B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002D0165E75DE
__scrt_release_startup_lock.LIBCMT ref: 000002D0165E7609

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: cc22ab156fd64d921cb8bab48c84aed77748f638e97627413a858d82ffff3ace
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 2E819F216007C186FF50ABE5ACC93B9E690EB85784FD4442BEA4D477B6EB3ACE45C700

Function 000002D0165E9DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000002D0165E9E49
GetLastError.KERNEL32 ref: 000002D0165E9E57
LoadLibraryExW.KERNEL32 ref: 000002D0165E9E81
FreeLibrary.KERNEL32 ref: 000002D0165E9EC7
GetProcAddress.KERNEL32 ref: 000002D0165E9ED3

Strings

api-ms-, xrefs: 000002D0165E9E69

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: aca1f05cb46fc00515c66d976e56b7ae3e88fb2388c081806b711800b0246c42
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 5031B821312BD1D1EF15DBD2AC88755A3A4B748BA0FD909279E1D477B0EF3ACA558310

Function 000002D0165F3DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002D0165F3DE5
GetLastError.KERNEL32 ref: 000002D0165F3DF1
CloseHandle.KERNEL32 ref: 000002D0165F3E09
CreateFileW.KERNEL32 ref: 000002D0165F3E34
WriteConsoleW.KERNEL32 ref: 000002D0165F3E53

Strings

CONOUT$, xrefs: 000002D0165F3E15

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: d628bd0090cde46b23efa145587aed2904a5f36c40d9d109057e4cb8b91bb961
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 71118F31310BD086E7508BA2EC88719B6A4F788FE5F944266EE5E877B5CF78CC148744

Function 000002D0165E2F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002D0165E2F27
HeapAlloc.KERNEL32 ref: 000002D0165E2F3A
StrCmpNIW.SHLWAPI ref: 000002D0165E2FAF
GetProcessHeap.KERNEL32 ref: 000002D0165E3015
HeapFree.KERNEL32 ref: 000002D0165E3023

Strings

dialer, xrefs: 000002D0165E2FA8

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: a1042e87f8364f6b2e966bad11af8e790b8d99eaa053b685ef812c5dffe2a578
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: 6531B522701B9186EB14CF96DD88769B7A0FB44BC0F8881229E4C47B75EF3ACD618700

Function 000002D0165E14A4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002D0165E14C5
HeapFree.KERNEL32 ref: 000002D0165E14D4
GetProcessHeap.KERNEL32 ref: 000002D0165E14E1
HeapFree.KERNEL32 ref: 000002D0165E14F0
GetProcessHeap.KERNEL32 ref: 000002D0165E1500

Strings

C:\Windows\system32\winlogon.exe, xrefs: 000002D0165F61A9, 000002D0165F61B1

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$Free
String ID: C:\Windows\system32\winlogon.exe
API String ID: 3168794593-3603389050
Opcode ID: d27b9b8ca154d9eedff1e610dfbacc8608a6d25d7c3fe3b6d17278c798082fda
Instruction ID: 7f7260ef79563c5a266f126e1a848f4d5cc61924374436ce50858df01a2f744e
Opcode Fuzzy Hash: d27b9b8ca154d9eedff1e610dfbacc8608a6d25d7c3fe3b6d17278c798082fda
Instruction Fuzzy Hash: 8621A0AB508AE08AE760DFB59CD9B9D37A1F749B44F894057DB4D83367DE25CC088720

Function 000002D0165ECFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002D0165ECFAF
FlsSetValue.KERNEL32(?,?,?,000002D0165ED6B5,?,?,?,?,000002D0165ED778), ref: 000002D0165ECFE5
FlsSetValue.KERNEL32(?,?,?,000002D0165ED6B5,?,?,?,?,000002D0165ED778), ref: 000002D0165ED012
FlsSetValue.KERNEL32(?,?,?,000002D0165ED6B5,?,?,?,?,000002D0165ED778), ref: 000002D0165ED023
FlsSetValue.KERNEL32(?,?,?,000002D0165ED6B5,?,?,?,?,000002D0165ED778), ref: 000002D0165ED034
SetLastError.KERNEL32 ref: 000002D0165ED04F

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 881857e728745ec88ca4b8388d6fa749b937d482b05cecb59b8676985d1b6840
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: B7113D212052C482FF64A7F99DDD329E2426B947B0F945727A83E477F6EE6ACE418600

Function 000002D0165E199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002D0165E19C2
K32GetModuleFileNameExW.KERNEL32 ref: 000002D0165E19E0
PathFindFileNameW.SHLWAPI ref: 000002D0165E19EF
lstrlenW.KERNEL32 ref: 000002D0165E19FB
StrCpyW.SHLWAPI ref: 000002D0165E1A0E
CloseHandle.KERNEL32 ref: 000002D0165E1A1C

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: 94470d76e8e99169dc1bd6030e286acf90538daadbbb330fa07aa5c63b58bfdf
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: BD012931300A9082EB64DBA2A89C799A3A5F788BC5FC84076DE4E43765DF3DCD89C750

Function 000002D0165E36C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002D0165E36E4
GetCurrentProcess.KERNEL32 ref: 000002D0165E36F2
VirtualProtectEx.KERNEL32 ref: 000002D0165E3714
GetCurrentProcess.KERNEL32 ref: 000002D0165E3732
VirtualProtectEx.KERNEL32 ref: 000002D0165E3753
TerminateThread.KERNEL32 ref: 000002D0165E3762

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 0ee65fdd732b982381bbf943d3faa4b165bcf9ac086ffcbc2b1acb993f4b5dc0
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 72012975211B80C2EF249BA1EC9C71A73A4BB49B86F94446ADD4D077B5EF3ECA488710

Function 000002D0165E8FE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D0165E9013
_IsNonwritableInCurrentImage.LIBCMT ref: 000002D0165E90A8
RtlUnwindEx.NTDLL ref: 000002D0165E90F7

Strings

csm, xrefs: 000002D0165E908E
f, xrefs: 000002D0165E9026

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction ID: 289176f1ec5211bc532f7d3476c86f990fa8211b4c40f3c47dcc25eee0941410
Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction Fuzzy Hash: CB51A43270168086EF18DFA5EC8CB59B7BAF344B88F908526DE5A47758EB76CE41C700

Function 000002D0165E1A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002D0165E1A60
StrCmpNIW.SHLWAPI ref: 000002D0165E1A7A
lstrlenW.KERNEL32 ref: 000002D0165E1A89
StrCpyW.SHLWAPI ref: 000002D0165E1A9E

Strings

\\?\, xrefs: 000002D0165E1A6E

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: b0a73550e19d607c0733c4eed862a0f106358cff4bd746a1ba228e1ad1f57731
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: B6F04F2270468192EB708FA1FCC87A9A760F748B89FD44022DA4D479A4DF7DCE8DCB10

Function 000002D0165E3044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002D0165E3066
StrCpyW.SHLWAPI ref: 000002D0165E3076
StrCatW.SHLWAPI ref: 000002D0165E3082
PathCombineW.SHLWAPI ref: 000002D0165E3090

Strings

\\.\pipe\, xrefs: 000002D0165E305C

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 9f9f7269bcd04a4d7622e5ff7d9e750e699f4d99e062e085e30b3f0fddd74a17
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 50F08C21704BD082EF008BA3BD8C219A260AB48FC0F888172EE4E07B79DF3CC9458710

Function 000002D0165EBC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002D0165EBCBD
GetProcAddress.KERNEL32 ref: 000002D0165EBCD3
FreeLibrary.KERNEL32 ref: 000002D0165EBCFA

Strings

mscoree.dll, xrefs: 000002D0165EBCB4
CorExitProcess, xrefs: 000002D0165EBCCC

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 73b21768389709e2f3859606edec8d020a16b8eaf151ef1aa857b1fe75e1916b
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: BCF06D61311A9581EF108BB4EC8C36A6361EB88BA1FD4025ADA6E462F4DF2DC9488320

Function 000002D0165E5710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002D0165E5726

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
Instruction ID: 9867a48db4e2f8fc4ca8a19f3b7debced05d252233e4c618cb6bf9eff3b46b8e
Opcode Fuzzy Hash: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
Instruction Fuzzy Hash: 2F619076519B84C6EB60CB95E88831AB7A0F384794F905116FACD47BB4DB7EC954CF00

Function 000002D016593504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002D01659352C
_set_statfp.LIBCMT ref: 000002D016593547
_set_statfp.LIBCMT ref: 000002D016593563
_set_statfp.LIBCMT ref: 000002D01659359F

Memory Dump Source

Source File: 00000011.00000002.3388723676.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d016580000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: d75896c64213f2a1704ddb0ef00b701f646facd3cf9c70f6f098307262c4cee0
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 28117326A14ED1D2FB6415E8ECDD36916816B5C37CFC8A63AA96F466F7CA28CC414100

Function 000002D0165F4104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002D0165F412C
_set_statfp.LIBCMT ref: 000002D0165F4147
_set_statfp.LIBCMT ref: 000002D0165F4163
_set_statfp.LIBCMT ref: 000002D0165F419F

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 8658335e92f09a8eeac19449c432923065bddb668eaed47daa1299e6c01b2058
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 4211A322A52BD411F76415E8DCDD76629406B783B8FC80AB6A97E177F7CB24CC554240

Function 000002D01658F040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002D01658F124

Strings

or copy constructor iterator', xrefs: 000002D01658F25A, 000002D01658F275
Tuesday, xrefs: 000002D01658F0F4
Wednesday, xrefs: 000002D01658F1ED

Memory Dump Source

Source File: 00000011.00000002.3388723676.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d016580000_winlogon.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 7926be692a7c3970f031dc47edbaea785ae167cdd99d474087a09ccf8e4f8d1a
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 4F617D666006C086FB659BEEEDCC32A6AA9A7897C4FD44517CB4F17FB5DB38CC418210

Function 000002D0165EAA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000002D0165EAA68
_CallSETranslator.LIBVCRUNTIME ref: 000002D0165EAAB7

Strings

MOC, xrefs: 000002D0165EAA7C
RCC, xrefs: 000002D0165EAA85

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 804a080e077f51fda726543e3350a461b6da8e690454341ee308e9e8ff120439
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 8E615973A00B848AEB20DFA5D88439DB7B0F344B88F444216EF4D17BA8DB39CA95C700

Function 000002D01658A178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D01658A1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002D01658A288

Strings

csm, xrefs: 000002D01658A2DA
csm, xrefs: 000002D01658A1C2

Memory Dump Source

Source File: 00000011.00000002.3388723676.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d016580000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: ef81340c4c69f026b87580c2449cc675fc22f141087421cbe63eea405b38429c
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 6E516B321006C0CAEB748BA7998835877A8F355B94F988217DE9D87FE5CB38DC91C700

Function 000002D0165EAD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D0165EADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002D0165EAE88

Strings

csm, xrefs: 000002D0165EADC2
csm, xrefs: 000002D0165EAEDA

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: ad9e7e9185666ca75af795e8e0b1f6e55ca99cc2d9033536fe9523c4600d1b2c
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 9D517C761006C08AEF648BB599C8359B7A0F354B85F984217EE9D47BE5CB39DE90CB00

Function 000002D016588405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D016588413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002D0165884A8

Strings

f, xrefs: 000002D016588426
csm, xrefs: 000002D01658848E

Memory Dump Source

Source File: 00000011.00000002.3388723676.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d016580000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: ebd46bf5b9efac163910b3874f46543552e5e73946441d757bd614891983f18b
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 3251CE327017809AEB14DF96F888B193799F354B98F968126DA5F43FA8EB34DD41C704

Function 000002D0165883E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D016588413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002D0165884A8

Strings

f, xrefs: 000002D016588426
csm, xrefs: 000002D01658848E

Memory Dump Source

Source File: 00000011.00000002.3388723676.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d016580000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 7c97df61a7296e2470a292fba203d579020853e1c807cf3699b4a2e3da698be7
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: ED316632201780D6E714DB92EC88B1977A8F780B98F968016AE9F07BA8DB38CD41C704

Function 000002D0165F2058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002D0165F20D7
WriteFile.KERNEL32 ref: 000002D0165F239F
WriteFile.KERNEL32 ref: 000002D0165F23E5
GetLastError.KERNEL32 ref: 000002D0165F249B

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: 5187ed22ee1aa0ccaa690343eb8763e497484eb7c5724e3e0ad55031fafd28ef
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: A1D1D0B2B14A8089E711CFF9D88839C3BB1F3547D8F948256CE9D97BA9DA74C906C740

Function 000002D0165F2980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000002D0165F2A9C
GetLastError.KERNEL32 ref: 000002D0165F2B27

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: fc307cff70842e2266af54710cb554fca6c11a8db0236a9223c07c1d4ecee361
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: AA91AFB260069095F7609FE5DCC83AD2BA4B744BC8F94858BDE4E57AA5DB34CC86C700

Function 000002D0165E7960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000002D0165E798C
GetCurrentThreadId.KERNEL32 ref: 000002D0165E799A
GetCurrentProcessId.KERNEL32 ref: 000002D0165E79A6
QueryPerformanceCounter.KERNEL32 ref: 000002D0165E79B6

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 9a0ea9a6380481f60f05ebf9f0f7dac1e0ce870ea14a63a246dffcc75113e077
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 80113022714F5189EF00CFB0EC983A833A4F719758F840E26EA6D467A4DF78C5A88380

Function 000002D0165E253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002D0165E2620
StrCpyW.SHLWAPI ref: 000002D0165E2639

Strings

\\.\pipe\, xrefs: 000002D0165E262B

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 8ed4e21bebd3e23e3000fdb066cfaa34740bf68bfd650f15aaa82489475c79c3
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: 6871AF762007C18AEF649EA59CC83AAB794F389BC4F944127DD0E53BA9DE36CF458700

Function 000002D016589E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002D016589EB7

Strings

MOC, xrefs: 000002D016589E7C
RCC, xrefs: 000002D016589E85

Memory Dump Source

Source File: 00000011.00000002.3388723676.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d016580000_winlogon.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 7d9756844898b90560aff503cb0a52449b1d73c23fde83014149b18977801b46
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 36614A32600B848AEB24DFAAD88439D7BB4F744B88F444216EF4D17BA9DB38D955C740

Function 000002D0165E2330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002D0165E2416
StrCpyW.SHLWAPI ref: 000002D0165E242D

Strings

\\.\pipe\, xrefs: 000002D0165E2421

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 4e8424fe214da5e11d23322d54be976519fd80502f98cc10b4f99395f6fd04db
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: B651A2326047C185EF649BAAA9DC3AAF751F385780FC58127DD9D07B6DDA3ACE048740

Function 000002D0165F26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002D0165F2807
GetLastError.KERNEL32 ref: 000002D0165F2829

Strings

U, xrefs: 000002D0165F27B3

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 34cadd197f94b95d681e4a8cd0f756d6a2bd82b0c53d0e2054fc3c1200778bca
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 19419572715BC085DB209FA5E8883AAB7A1F7987D4F908026EE4D877A4DB7CC945C740

Function 000002D0165E94A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002D0165E94F0
RaiseException.KERNEL32 ref: 000002D0165E9531

Strings

csm, xrefs: 000002D0165E951E

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 6af6caf33eed429f26f2400f1c1a474b57e550817839aeb2e9cd6687076bf096
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 82113032214B8082EB618F25F844359B7E5FB88B94F584222DECC07768DF3DC951C700

Function 000002D016587356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002D01658737C

Strings

riptor at (, xrefs: 000002D016587364
ierarchy Descriptor', xrefs: 000002D016587381

Memory Dump Source

Source File: 00000011.00000002.3388723676.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d016580000_winlogon.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: a87dbb86b00b2b98d5e7ae00f565f44d8c78c7afccc986630b2b213103a98e21
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: D9E086A1640B84D0EF018F62EC8439833A4DB58B68FC89123DD5C47321FA38D5F9C300

Function 000002D0165873B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002D0165873D8

Strings

Locator', xrefs: 000002D0165873DD
riptor at (, xrefs: 000002D0165873C0

Memory Dump Source

Source File: 00000011.00000002.3388723676.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d016580000_winlogon.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: dffd4c35c552f18d438efc623f6b9ab54137c7cb9bea290096256bc086aaf240
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: AFE086A1600B84C0EF018F61E8802987364E758B58FC89123CA4C47321EA38D5E5C300

Function 000002D0165E1BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002D0165E1C2D
HeapAlloc.KERNEL32 ref: 000002D0165E1C3B
GetProcessHeap.KERNEL32 ref: 000002D0165E1C77
HeapFree.KERNEL32 ref: 000002D0165E1C85

Part of subcall function 000002D0165E152C: StrCmpIW.SHLWAPI ref: 000002D0165E155D

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: 6801c8294921cadce8a74c671636f0fe5ff9b85a627fac1833d6bc37b2bfe6e2
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: 7F118F25701B8481EF54DBA6E888769B3A1FB89FC1F98406ADE4D87775DE39D942C300

Function 000002D0165E1268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002D0165E126E
HeapAlloc.KERNEL32 ref: 000002D0165E127D
GetProcessHeap.KERNEL32 ref: 000002D0165E1297
HeapAlloc.KERNEL32 ref: 000002D0165E12A8

Memory Dump Source

Source File: 00000011.00000002.3390195675.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 68d956744345cf7861370da0470b2e65133afa0ec658b7fe96f4140d664497f0
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 57E06535A01A5486EB088FA2DC4C74A36E1FB89F06F88C024C90D07361DF7EC899CBA0

Analysis Process: updater.exePID: 5484, Parent PID: 1064COMMON

Executed Functions

Function 00007FF63DE712FD Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2145878781.00007FF63DE71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF63DE70000, based on PE: true

Associated: 00000014.00000002.2145844713.00007FF63DE70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2145922676.00007FF63DE79000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2146559168.00007FF63E3C8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2146586673.00007FF63E3CA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2146609995.00007FF63E3D0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2146632639.00007FF63E3D3000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2146656027.00007FF63E3D4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff63de70000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2382d73125df78936d26452b80bcba07539e5c8c97af36270da171beb56e3f
Instruction ID: f7095cb65cbc216715e69405cd1f891ac40d0d87800313134cdd308a6615467d
Opcode Fuzzy Hash: 8e2382d73125df78936d26452b80bcba07539e5c8c97af36270da171beb56e3f
Instruction Fuzzy Hash: 01B01234F0470984F3003F41D84125C37206B14700F421830D40C47353CE7CD06C5720

Analysis Process: lsass.exePID: 652, Parent PID: 1172COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	124
Total number of Limit Nodes:	13

Executed Functions

Function 000002D6F151253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32 ref: 000002D6F1512620
StrCpyW.SHLWAPI ref: 000002D6F1512639

Strings

\\.\pipe\, xrefs: 000002D6F151262B

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: fa04f75c9475a18510419c108b79fce0653dad0fa003f1e7f796e61fbc6322b7
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: A07170A6200F858AE6669F25B85C3AA6794F3857D4F64002BDD0F67F89DF39CE458700

Function 000002D6F151202C Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 000002D6F15120C6

Part of subcall function 000002D6F1512F04: GetProcessHeap.KERNEL32 ref: 000002D6F1512F27
Part of subcall function 000002D6F1512F04: HeapAlloc.KERNEL32 ref: 000002D6F1512F3A
Part of subcall function 000002D6F1512F04: StrCmpNIW.SHLWAPI ref: 000002D6F1512FAF
Part of subcall function 000002D6F1512F04: GetProcessHeap.KERNEL32 ref: 000002D6F1513015
Part of subcall function 000002D6F1512F04: HeapFree.KERNEL32 ref: 000002D6F1513023

Strings

dialer, xrefs: 000002D6F15120BF
S, xrefs: 000002D6F15121E7

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: S$dialer
API String ID: 756756679-3873981283
Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
Instruction ID: 7a83d85bf80e11694d2d7db4162bf47d6d0c4d20143003a03d639ac9e943c438
Opcode Fuzzy Hash: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
Instruction Fuzzy Hash: 6D518BB6A10E248AEB62CF26F84C6AD63A5F7047C4F25951ADE1E22E85DB39CC51C740

Function 000002D6F1511628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002D6F1511633
HeapAlloc.KERNEL32 ref: 000002D6F1511642

Part of subcall function 000002D6F1511268: GetProcessHeap.KERNEL32 ref: 000002D6F151126E
Part of subcall function 000002D6F1511268: HeapAlloc.KERNEL32 ref: 000002D6F151127D
Part of subcall function 000002D6F1511268: GetProcessHeap.KERNEL32 ref: 000002D6F1511297
Part of subcall function 000002D6F1511268: HeapAlloc.KERNEL32 ref: 000002D6F15112A8

RegOpenKeyExW.ADVAPI32 ref: 000002D6F15116B2
RegOpenKeyExW.ADVAPI32 ref: 000002D6F15116DF
RegCloseKey.ADVAPI32 ref: 000002D6F15116F9
RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511719
RegCloseKey.ADVAPI32 ref: 000002D6F1511734
RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511754
RegCloseKey.ADVAPI32 ref: 000002D6F151176F
RegOpenKeyExW.ADVAPI32 ref: 000002D6F151178F
RegCloseKey.ADVAPI32 ref: 000002D6F15117AA
RegOpenKeyExW.ADVAPI32 ref: 000002D6F15117CA
RegCloseKey.ADVAPI32 ref: 000002D6F15117E5
RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511805
RegCloseKey.ADVAPI32 ref: 000002D6F1511820
RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511840
RegCloseKey.ADVAPI32 ref: 000002D6F151185B
RegOpenKeyExW.ADVAPI32 ref: 000002D6F151187B
RegCloseKey.ADVAPI32 ref: 000002D6F1511896
RegCloseKey.ADVAPI32 ref: 000002D6F15118A0

Part of subcall function 000002D6F15112BC: RegQueryInfoKeyW.ADVAPI32 ref: 000002D6F1511319
Part of subcall function 000002D6F15112BC: GetProcessHeap.KERNEL32 ref: 000002D6F1511327
Part of subcall function 000002D6F15112BC: HeapAlloc.KERNEL32 ref: 000002D6F1511338
Part of subcall function 000002D6F15112BC: RegEnumValueW.ADVAPI32 ref: 000002D6F1511397
Part of subcall function 000002D6F15112BC: GetProcessHeap.KERNEL32 ref: 000002D6F15113DF
Part of subcall function 000002D6F15112BC: HeapAlloc.KERNEL32 ref: 000002D6F15113ED
Part of subcall function 000002D6F15112BC: GetProcessHeap.KERNEL32 ref: 000002D6F151140A
Part of subcall function 000002D6F15112BC: HeapFree.KERNEL32 ref: 000002D6F1511418
Part of subcall function 000002D6F15112BC: lstrlenW.KERNEL32 ref: 000002D6F1511421
Part of subcall function 000002D6F15112BC: GetProcessHeap.KERNEL32 ref: 000002D6F151142F
Part of subcall function 000002D6F15112BC: HeapAlloc.KERNEL32 ref: 000002D6F151143D

Strings

tcp_remote, xrefs: 000002D6F1511839
process_names, xrefs: 000002D6F151174D
service_names, xrefs: 000002D6F15117C3
pid, xrefs: 000002D6F1511712
SOFTWARE\dialerconfig, xrefs: 000002D6F1511692
udp, xrefs: 000002D6F1511874
paths, xrefs: 000002D6F1511788
startup, xrefs: 000002D6F15116D5
tcp_local, xrefs: 000002D6F15117FE

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 1e1e47678fa7c4b781087d3b5f8b15c943a24ad0d42d65cabc9df2231e8d4def
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 1B71A5A6710E918AEB119F76F89CA9923B4FB84BC8F405112DE4E57F69EF2CC844C744

Function 000002D6F1511A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002D6F1511A60
StrCmpNIW.SHLWAPI ref: 000002D6F1511A7A
lstrlenW.KERNEL32 ref: 000002D6F1511A89
StrCpyW.SHLWAPI ref: 000002D6F1511A9E

Strings

\\?\, xrefs: 000002D6F1511A6E

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 1a29fbed29bbccc1987992930e6102033b0a423cd1e4e3151e2afb20eff6506f
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 14F03CA3304A8196EB608F21F8DC75967A0F758BC8F944022DA4E46D58DB7CCE8DCB00

Function 000002D6F151328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002D6F15132AE
PathFindFileNameW.SHLWAPI ref: 000002D6F15132BD

Part of subcall function 000002D6F1513844: StrCmpNIW.SHLWAPI ref: 000002D6F151385C

Part of subcall function 000002D6F1513790: GetModuleHandleW.KERNEL32 ref: 000002D6F151379E
Part of subcall function 000002D6F1513790: GetCurrentProcess.KERNEL32 ref: 000002D6F15137CC
Part of subcall function 000002D6F1513790: VirtualProtectEx.KERNEL32 ref: 000002D6F15137EE
Part of subcall function 000002D6F1513790: GetCurrentProcess.KERNEL32 ref: 000002D6F1513809
Part of subcall function 000002D6F1513790: VirtualProtectEx.KERNEL32 ref: 000002D6F151382A

CreateThread.KERNEL32 ref: 000002D6F151330B

Part of subcall function 000002D6F1511D14: GetCurrentThread.KERNEL32 ref: 000002D6F1511D1F

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 25535357102f4341e1be78c6643d6b7c1b19e4a9101efaa7cc3453e24cb777c9
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 7811C0F1610E808EFBA2AF61F86D75922A4A7543E4F40412B990F92E90EF7CCC48C204

Function 000002D6F1511ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002D6F1511628: GetProcessHeap.KERNEL32 ref: 000002D6F1511633
Part of subcall function 000002D6F1511628: HeapAlloc.KERNEL32 ref: 000002D6F1511642
Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F15116B2
Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F15116DF
Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F15116F9
Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511719
Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F1511734
Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511754
Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F151176F
Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F151178F
Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F15117AA
Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F15117CA

Sleep.KERNEL32 ref: 000002D6F1511AD7
SleepEx.KERNELBASE ref: 000002D6F1511ADD

Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F15117E5
Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511805
Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F1511820
Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511840
Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F151185B
Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F151187B
Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F1511896
Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F15118A0

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: fabcacca4273e522b4c4af737a3624ee53845b919a9d6f50b07f832e41c12ee0
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 4A31BDE1210E4599EF529F36F6CD3A923A5BB44BD0F0854679E0FA7E95EE1CCC51C210

Function 000002D6F14E273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002D6F14E285E

Memory Dump Source

Source File: 00000015.00000002.3408155732.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 2a527126fa6660018da58d358d37c763bfb819c27c69be159df49911753554d9
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: BB61D472B01A908BDB54CF15A44CB2D7392FB94BE4F58912ADE5A07B8CDA3CDD52C700

Non-executed Functions

Function 000002D6F1512B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000002D6F1512BD0
lstrlenW.KERNEL32 ref: 000002D6F1512E0A

Part of subcall function 000002D6F151199C: OpenProcess.KERNEL32 ref: 000002D6F15119C2
Part of subcall function 000002D6F151199C: K32GetModuleFileNameExW.KERNEL32 ref: 000002D6F15119E0
Part of subcall function 000002D6F151199C: PathFindFileNameW.SHLWAPI ref: 000002D6F15119EF
Part of subcall function 000002D6F151199C: lstrlenW.KERNEL32 ref: 000002D6F15119FB
Part of subcall function 000002D6F151199C: StrCpyW.SHLWAPI ref: 000002D6F1511A0E
Part of subcall function 000002D6F151199C: CloseHandle.KERNEL32 ref: 000002D6F1511A1C

GetProcAddress.KERNEL32 ref: 000002D6F1512BE5

Part of subcall function 000002D6F151152C: StrCmpIW.SHLWAPI ref: 000002D6F151155D

Part of subcall function 000002D6F1513844: StrCmpNIW.SHLWAPI ref: 000002D6F151385C

StrCmpNIW.SHLWAPI ref: 000002D6F1512C28
lstrlenW.KERNEL32 ref: 000002D6F1512D50

Strings

NtQueryObject, xrefs: 000002D6F1512BDB
ntdll.dll, xrefs: 000002D6F1512BC9
\Device\Nsi, xrefs: 000002D6F1512C1B

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: e52bf68b31deb3b75f098f43a4d7db34dffa5d04e032c03eec0775e701bb4258
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: B0B17CA2210E908EEB668F25E44C7A963A5F744BD4F64511BEE0E67F94DF38CC81C740

Function 000002D6F1517D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002D6F1517DAC
RtlCaptureContext.NTDLL ref: 000002D6F1517DD9
RtlLookupFunctionEntry.NTDLL ref: 000002D6F1517DF3
RtlVirtualUnwind.NTDLL ref: 000002D6F1517E34
IsDebuggerPresent.KERNEL32 ref: 000002D6F1517E88
SetUnhandledExceptionFilter.KERNEL32 ref: 000002D6F1517EA9
UnhandledExceptionFilter.KERNEL32 ref: 000002D6F1517EB4

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: 2c2ab99ae258e3bf0c478ecf6a228b1e325b8175137ff9dca730b23599cdb4cd
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 97311AB2205E808AEB609F64F8887ED7364F785788F44442ADA4E57B95EF38CA48C710

Function 000002D6F151D2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002D6F151D31D
RtlLookupFunctionEntry.NTDLL ref: 000002D6F151D335
RtlVirtualUnwind.NTDLL ref: 000002D6F151D370
IsDebuggerPresent.KERNEL32 ref: 000002D6F151D3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 000002D6F151D3B3
UnhandledExceptionFilter.KERNEL32 ref: 000002D6F151D3BE

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 58eb25c51ad3c38e9823b02ddc7af6a39282a3411e5fadb664d5dd80ce479239
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: BB315D76214F808AEB60CF25F88839E73A4F789794F500126EA9E57B99DF3CC945CB00

Function 000002D6F15112BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002D6F1511319
GetProcessHeap.KERNEL32 ref: 000002D6F1511327
HeapAlloc.KERNEL32 ref: 000002D6F1511338
RegEnumValueW.ADVAPI32 ref: 000002D6F1511397

Part of subcall function 000002D6F151152C: StrCmpIW.SHLWAPI ref: 000002D6F151155D

GetProcessHeap.KERNEL32 ref: 000002D6F15113DF
HeapAlloc.KERNEL32 ref: 000002D6F15113ED
GetProcessHeap.KERNEL32 ref: 000002D6F151140A
HeapFree.KERNEL32 ref: 000002D6F1511418
lstrlenW.KERNEL32 ref: 000002D6F1511421
GetProcessHeap.KERNEL32 ref: 000002D6F151142F
HeapAlloc.KERNEL32 ref: 000002D6F151143D
StrCpyW.SHLWAPI ref: 000002D6F151145F
GetProcessHeap.KERNEL32 ref: 000002D6F1511476
HeapFree.KERNEL32 ref: 000002D6F1511484

Strings

d, xrefs: 000002D6F151135A

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: 5fb3b21df960b81225b638196f68b2da2c963b60e6c4826c36aa05b26c7c4fc2
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: B95115B6200B848AEB55CF62F54C35AA7A1F789FD9F144126DE4A07B58DF3CD849CB00

Function 000002D6F1511D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002D6F1511D1F

Part of subcall function 000002D6F1511FD4: GetModuleHandleA.KERNEL32 ref: 000002D6F1511FEC
Part of subcall function 000002D6F1511FD4: GetProcAddress.KERNEL32 ref: 000002D6F1511FFD

Part of subcall function 000002D6F1515B30: GetCurrentThreadId.KERNEL32 ref: 000002D6F1515B6B

Strings

NtQuerySystemInformation, xrefs: 000002D6F1511D45
NtEnumerateKey, xrefs: 000002D6F1511DB9
NtQueryDirectoryFile, xrefs: 000002D6F1511D7F
EnumServiceGroupW, xrefs: 000002D6F1511DF0
sechost.dll, xrefs: 000002D6F1511E39
NtResumeThread, xrefs: 000002D6F1511D62
advapi32.dll, xrefs: 000002D6F1511DF7, 000002D6F1511E18
EnumServicesStatusExW, xrefs: 000002D6F1511E11, 000002D6F1511E32
NtQueryDirectoryFileEx, xrefs: 000002D6F1511D9C
NtDeviceIoControlFile, xrefs: 000002D6F1511E56
ntdll.dll, xrefs: 000002D6F1511D2D
NtEnumerateValueKey, xrefs: 000002D6F1511DD6

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: acd4e2c9eb3dd1a9bb1b7a25fe6521af63330346e6cf64fc31cecd724e9f3874
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: C83162E9110E8AA8EE06EFA5F8AE6D46321B7143C4F905017981F23D75DF7C8E4AC760

Function 000002D6F14E6910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002D6F14E6938
__scrt_acquire_startup_lock.LIBCMT ref: 000002D6F14E698A
_RTC_Initialize.LIBCMT ref: 000002D6F14E69B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002D6F14E69DE
__scrt_release_startup_lock.LIBCMT ref: 000002D6F14E6A09

Strings

`eh vector vbase copy constructor iterator', xrefs: 000002D6F14E69EE
`dynamic initializer for ', xrefs: 000002D6F14E69C7
scriptor', xrefs: 000002D6F14E6B39, 000002D6F14E6BB2, 000002D6F14E6BEC
`eh vector copy constructor iterator', xrefs: 000002D6F14E6A3B

Memory Dump Source

Source File: 00000015.00000002.3408155732.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: a6791069ef224389268787c1cde3096a7f5d96d964d78a2d6507250396e19ec1
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: A681EF61A00E018EFA54EB66B44D3A966E1ABC57C0F54812B9A1B47F9FDF3CCE458B00

Function 000002D6F151CE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 000002D6F151CE37
FlsGetValue.KERNEL32(?,?,?,000002D6F1520A6B,?,?,?,000002D6F152045C,?,?,?,000002D6F151C84F), ref: 000002D6F151CE4C
FlsSetValue.KERNEL32(?,?,?,000002D6F1520A6B,?,?,?,000002D6F152045C,?,?,?,000002D6F151C84F), ref: 000002D6F151CE6D
FlsSetValue.KERNEL32(?,?,?,000002D6F1520A6B,?,?,?,000002D6F152045C,?,?,?,000002D6F151C84F), ref: 000002D6F151CE9A
FlsSetValue.KERNEL32(?,?,?,000002D6F1520A6B,?,?,?,000002D6F152045C,?,?,?,000002D6F151C84F), ref: 000002D6F151CEAB
FlsSetValue.KERNEL32(?,?,?,000002D6F1520A6B,?,?,?,000002D6F152045C,?,?,?,000002D6F151C84F), ref: 000002D6F151CEBC
SetLastError.KERNEL32 ref: 000002D6F151CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002D6F1520A6B,?,?,?,000002D6F152045C,?,?,?,000002D6F151C84F), ref: 000002D6F151CF0D
FlsSetValue.KERNEL32(?,?,00000001,000002D6F151ECCC,?,?,?,?,000002D6F151BF9F,?,?,?,?,?,000002D6F1517AB0), ref: 000002D6F151CF2C

Part of subcall function 000002D6F151D6CC: HeapAlloc.KERNEL32 ref: 000002D6F151D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D6F1520A6B,?,?,?,000002D6F152045C,?,?,?,000002D6F151C84F), ref: 000002D6F151CF54

Part of subcall function 000002D6F151D744: HeapFree.KERNEL32 ref: 000002D6F151D75A
Part of subcall function 000002D6F151D744: GetLastError.KERNEL32 ref: 000002D6F151D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D6F1520A6B,?,?,?,000002D6F152045C,?,?,?,000002D6F151C84F), ref: 000002D6F151CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D6F1520A6B,?,?,?,000002D6F152045C,?,?,?,000002D6F151C84F), ref: 000002D6F151CF76

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: cbe95e8add907aa0b2c73cf7f4231efe5140574644f478dc5db001f93a5baefd
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: C4410EE0301E444EFE6BAF35755E36962429B447F0F240B27A93F6AED6DE2DDC418600

Function 000002D6F1512244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002D6F1512259
GetCurrentProcessId.KERNEL32 ref: 000002D6F1512263

Part of subcall function 000002D6F1511934: OpenProcess.KERNEL32 ref: 000002D6F1511952
Part of subcall function 000002D6F1511934: IsWow64Process.KERNEL32 ref: 000002D6F1511968
Part of subcall function 000002D6F1511934: CloseHandle.KERNEL32 ref: 000002D6F1511983

CreateFileW.KERNEL32 ref: 000002D6F15122BC
WriteFile.KERNEL32 ref: 000002D6F15122E4
ReadFile.KERNEL32 ref: 000002D6F1512303
CloseHandle.KERNEL32 ref: 000002D6F151230C

Strings

\\.\pipe\dialerchildproc32, xrefs: 000002D6F1512293
\\.\pipe\dialerchildproc64, xrefs: 000002D6F151228C

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 16cc91b0a522ba52fd30a106300581a7bfe1bf7e397ef6e488c8d9df07b3eb6a
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 44212CB6614B8086FB108B25F44C76A77A1F789BE5F504216EA5E03FA8DF7CC949CB00

Function 000002D6F14E9944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002D6F14E99A1

Part of subcall function 000002D6F14EA814: __GetUnwindTryBlock.LIBCMT ref: 000002D6F14EA857
Part of subcall function 000002D6F14EA814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002D6F14EA87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002D6F14E9A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002D6F14E9CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002D6F14E9DDA

Strings

csm, xrefs: 000002D6F14E99BB
csm, xrefs: 000002D6F14E9A9C
csm, xrefs: 000002D6F14E9A22

Memory Dump Source

Source File: 00000015.00000002.3408155732.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: d823906c8357baff7e49bf9f9c1525c5136429e0f71f4035b6608ff5472b74b6
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 11E16C72604B808EEB60DF65E49C39D77A0F795BD8F100516EE8A97F99CB38CA91C700

Function 000002D6F151A544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002D6F151A5A1

Part of subcall function 000002D6F151B414: __GetUnwindTryBlock.LIBCMT ref: 000002D6F151B457
Part of subcall function 000002D6F151B414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002D6F151B47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002D6F151A679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002D6F151A8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002D6F151A9DA

Strings

csm, xrefs: 000002D6F151A5BB
csm, xrefs: 000002D6F151A69C
csm, xrefs: 000002D6F151A622

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: c723f1f196541d97861d438692a693aba2ea927f234d4d4577a4b0ac93f6314a
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: C6E15DB6604B808AEB629FA5E44C39D77A0F745BD8F100517EE8E67F99CB38D991C700

Function 000002D6F151F394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 000002D6F151F510
GetProcAddress.KERNEL32 ref: 000002D6F151F51C

Strings

ext-ms-, xrefs: 000002D6F151F46D
api-ms-, xrefs: 000002D6F151F45A

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: 261ecf9bf2a1f0678fa278aa22b30c90f33c111913abcd05092592ff9b1f8fec
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: B44192A2311E409AEA1BCF26B84C7566395B749BE0F5941279D1FA7F84EE3CCC498350

Function 000002D6F151104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002D6F15110B1
RegEnumValueW.ADVAPI32 ref: 000002D6F1511117
GetProcessHeap.KERNEL32 ref: 000002D6F151115A
HeapAlloc.KERNEL32 ref: 000002D6F1511168
GetProcessHeap.KERNEL32 ref: 000002D6F1511185
HeapFree.KERNEL32 ref: 000002D6F1511193

Strings

d, xrefs: 000002D6F15110D6

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: 7c308a324f3a3b915ae5c740d95f6965976605312a1237647059209b5cbc419f
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: AC413D73614F84CAEB61CF21E44879AB7A1F388B98F54811ADA8A17B58DF3CD945CB40

Function 000002D6F151D068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000002D6F151C7DE,?,?,?,?,?,?,?,?,000002D6F151CF9D,?,?,00000001), ref: 000002D6F151D087
FlsSetValue.KERNEL32(?,?,?,000002D6F151C7DE,?,?,?,?,?,?,?,?,000002D6F151CF9D,?,?,00000001), ref: 000002D6F151D0A6
FlsSetValue.KERNEL32(?,?,?,000002D6F151C7DE,?,?,?,?,?,?,?,?,000002D6F151CF9D,?,?,00000001), ref: 000002D6F151D0CE
FlsSetValue.KERNEL32(?,?,?,000002D6F151C7DE,?,?,?,?,?,?,?,?,000002D6F151CF9D,?,?,00000001), ref: 000002D6F151D0DF
FlsSetValue.KERNEL32(?,?,?,000002D6F151C7DE,?,?,?,?,?,?,?,?,000002D6F151CF9D,?,?,00000001), ref: 000002D6F151D0F0

Strings

Y%, xrefs: 000002D6F151D0A6
1%, xrefs: 000002D6F151D0CE

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: 2480a359072ec50eb541e18d4b91d9545f280b7cfca78c1f54feae84ed9f0741
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: A61103E0705E444AFA6A5F36755E36962429B447F0F144727983F67EDAEE2CDC428600

Function 000002D6F1517510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002D6F1517538
__scrt_acquire_startup_lock.LIBCMT ref: 000002D6F151758A
_RTC_Initialize.LIBCMT ref: 000002D6F15175B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002D6F15175DE
__scrt_release_startup_lock.LIBCMT ref: 000002D6F1517609

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 9e9a13fecbd3ee6dd4b9af7d8544c3df26673650e91134e0a1763e142b039acf
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 8A81B0E1600E418EFB56AF6DB84D3992691A7857C0F544827AA0F67F97EB7CCC468700

Function 000002D6F1519DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000002D6F1519E49
GetLastError.KERNEL32 ref: 000002D6F1519E57
LoadLibraryExW.KERNEL32 ref: 000002D6F1519E81
FreeLibrary.KERNEL32 ref: 000002D6F1519EC7
GetProcAddress.KERNEL32 ref: 000002D6F1519ED3

Strings

api-ms-, xrefs: 000002D6F1519E69

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 1b9a7946070453fa793877a5e81080cf6b3e7f40ad096b1fe8965e9392f62bd4
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: E331A3A2212E40EDEE17DF42F41C7552294B748BE4F590A269D2F1BB94EF3DC8858310

Function 000002D6F1523DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002D6F1523DE5
GetLastError.KERNEL32 ref: 000002D6F1523DF1
CloseHandle.KERNEL32 ref: 000002D6F1523E09
CreateFileW.KERNEL32 ref: 000002D6F1523E34
WriteConsoleW.KERNEL32 ref: 000002D6F1523E53

Strings

CONOUT$, xrefs: 000002D6F1523E15

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: f7805de5885bb23c4ed2acbf2a3bac675694138274e2d29da4d1e0af9514ac00
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: D8112BA2210FC08AE7908B56F85D71966A0F788FE4F144226EE5F87B94DB7CC9158744

Function 000002D6F1513790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002D6F151379E
GetCurrentProcess.KERNEL32 ref: 000002D6F15137CC
VirtualProtectEx.KERNEL32 ref: 000002D6F15137EE
GetCurrentProcess.KERNEL32 ref: 000002D6F1513809
VirtualProtectEx.KERNEL32 ref: 000002D6F151382A

Strings

wr, xrefs: 000002D6F15137FF

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 56a1fc91981ff5b9860e83c331195b973d21dc503a25c2b603b9cee17e6af388
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: FD1157AA705B81CAEF559F21F41C66962B0FB88BD5F44042ADE8E07B94EF3DCA05C704

Function 000002D6F1515B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002D6F1515B6B
GetThreadContext.KERNEL32 ref: 000002D6F1515CD5

Part of subcall function 000002D6F1515960: GetCurrentThreadId.KERNEL32 ref: 000002D6F1515964

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: 48f46886f9a4c9f0af87d4b559936913019cc1f1eed6d2fcc966534f28762692
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: 76D187B6214F8889DA719F1AF49835A77A0F389BC4F104216EA8E57BA5DF7CC941CF40

Function 000002D6F1512F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002D6F1512F27
HeapAlloc.KERNEL32 ref: 000002D6F1512F3A
StrCmpNIW.SHLWAPI ref: 000002D6F1512FAF
GetProcessHeap.KERNEL32 ref: 000002D6F1513015
HeapFree.KERNEL32 ref: 000002D6F1513023

Strings

dialer, xrefs: 000002D6F1512FA8

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 6f7c6b014d4bd7126e3bbbff313cacc6244a2be32cd63f79b011c0dee58239f0
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: F631CDA2301F918AEB56CF16F54C72A67A0FB44BC0F1880269E4E57F55EF3CD8A18300

Function 000002D6F15114A4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002D6F15114C5
HeapFree.KERNEL32 ref: 000002D6F15114D4
GetProcessHeap.KERNEL32 ref: 000002D6F15114E1
HeapFree.KERNEL32 ref: 000002D6F15114F0
GetProcessHeap.KERNEL32 ref: 000002D6F1511500

Strings

C:\Windows\system32\lsass.exe, xrefs: 000002D6F15261A9, 000002D6F15261B1

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Heap$Process$Free
String ID: C:\Windows\system32\lsass.exe
API String ID: 3168794593-3553486595
Opcode ID: d27b9b8ca154d9eedff1e610dfbacc8608a6d25d7c3fe3b6d17278c798082fda
Instruction ID: 4c3fb5dbda590ede340f70e239d951b1946e93fc28bd49ed613bd9f4bb13803d
Opcode Fuzzy Hash: d27b9b8ca154d9eedff1e610dfbacc8608a6d25d7c3fe3b6d17278c798082fda
Instruction Fuzzy Hash: 77219EEB509ED08EF651DF25B89D29D27A0F749BC4F194017DF4E93A43DA2DAC048700

Function 000002D6F151CFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002D6F151CFAF
FlsSetValue.KERNEL32(?,?,?,000002D6F151D6B5,?,?,?,?,000002D6F151D778), ref: 000002D6F151CFE5
FlsSetValue.KERNEL32(?,?,?,000002D6F151D6B5,?,?,?,?,000002D6F151D778), ref: 000002D6F151D012
FlsSetValue.KERNEL32(?,?,?,000002D6F151D6B5,?,?,?,?,000002D6F151D778), ref: 000002D6F151D023
FlsSetValue.KERNEL32(?,?,?,000002D6F151D6B5,?,?,?,?,000002D6F151D778), ref: 000002D6F151D034
SetLastError.KERNEL32 ref: 000002D6F151D04F

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 64ae360e53322a3fe6ae1786423e02a03aa622958712b9455162e794dcab319a
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: 931157E0301E804AFA6A9F35765D73952529B447F0F144717983F67FD6DE6DCC428600

Function 000002D6F151199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002D6F15119C2
K32GetModuleFileNameExW.KERNEL32 ref: 000002D6F15119E0
PathFindFileNameW.SHLWAPI ref: 000002D6F15119EF
lstrlenW.KERNEL32 ref: 000002D6F15119FB
StrCpyW.SHLWAPI ref: 000002D6F1511A0E
CloseHandle.KERNEL32 ref: 000002D6F1511A1C

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: cff459d1bd899cdfd44676a5a381a09abba527aeb6cc39614b6ef60cc1fcaaaf
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 070129B2300E808AEB54DB62B89C75967A5F788BC4F984036DE4E53B55DF3CC989C740

Function 000002D6F15136C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002D6F15136E4
GetCurrentProcess.KERNEL32 ref: 000002D6F15136F2
VirtualProtectEx.KERNEL32 ref: 000002D6F1513714
GetCurrentProcess.KERNEL32 ref: 000002D6F1513732
VirtualProtectEx.KERNEL32 ref: 000002D6F1513753
TerminateThread.KERNEL32 ref: 000002D6F1513762

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 4cb24c3c5e9fa141b5df1c6a7c4a8c5dc67f34b77b6b13790439d7932f787d30
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 320129A6611F808AFF659B22F81C71963B0BB49BC6F04042ACE4E07B64EF3DC919C704

Function 000002D6F1518FE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D6F1519013
_IsNonwritableInCurrentImage.LIBCMT ref: 000002D6F15190A8
RtlUnwindEx.NTDLL ref: 000002D6F15190F7

Strings

f, xrefs: 000002D6F1519026
csm, xrefs: 000002D6F151908E

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction ID: 3b0e631b75504db4463a701d796cd14c903cf2e77cba2ed9bb482b335b50820a
Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction Fuzzy Hash: 7C518AB2601A408EEB16DF15F85CB5937A6F384BC8F55852ADE0B67B88DB39DD81C700

Function 000002D6F1513044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002D6F1513066
StrCpyW.SHLWAPI ref: 000002D6F1513076
StrCatW.SHLWAPI ref: 000002D6F1513082
PathCombineW.SHLWAPI ref: 000002D6F1513090

Strings

\\.\pipe\, xrefs: 000002D6F151305C

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 3e4723502f59a8f1e07ded70428830228723a6d762285bf7447ffc8a7d9f86c1
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 16F01CA6714FC486EA548F57B91C11966A1BB58FE0F089132EE4F57F18DF3CC8558700

Function 000002D6F151BC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002D6F151BCBD
GetProcAddress.KERNEL32 ref: 000002D6F151BCD3
FreeLibrary.KERNEL32 ref: 000002D6F151BCFA

Strings

mscoree.dll, xrefs: 000002D6F151BCB4
CorExitProcess, xrefs: 000002D6F151BCCC

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 23a4a7cfba681eafd7acd153de910ccfab7048bd4207ecad1fa1577b34c1d807
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 55F06DA2211E8585EB248F24F84C3696330EB99BE5F94121ACE6F46AE4CF2CC9488340

Function 000002D6F15150D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002D6F1515156

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: 42075970a9a9322463efdc1a56445cb29a1d8840ca77651260a4224c7a6fbde6
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: 7302B576219B848AEB61CF55F49835AB7A1F3857D4F100016EA8E97BA9DB7CC884CF00

Function 000002D6F1515710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002D6F1515726

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: 3ee684a2051b0626537bb21df19f72d7656a23c79b275dde9432cc418d5cd82d
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: 4461B2B6529E84CAEA618F15F49D31AB7A1F3897C4F100116EA8E57FA8DB7CC841CF40

Function 000002D6F14F3504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002D6F14F352C
_set_statfp.LIBCMT ref: 000002D6F14F3547
_set_statfp.LIBCMT ref: 000002D6F14F3563
_set_statfp.LIBCMT ref: 000002D6F14F359F

Memory Dump Source

Source File: 00000015.00000002.3408155732.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: ba703c9331ee713b56c495894a3d73b0a2062aaebb232e8d6e30e25fb009abb4
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 12117323A14E5119FBA41769F45D36911816BD93F4F889A3AAA770FFDECA2CCC45C110

Function 000002D6F1524104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002D6F152412C
_set_statfp.LIBCMT ref: 000002D6F1524147
_set_statfp.LIBCMT ref: 000002D6F1524163
_set_statfp.LIBCMT ref: 000002D6F152419F

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 424267331a93190a57d2639305031bc8998964835541697d1ff8627115ec689c
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: E11173A7B10FD119F7641768F45D36621416F783F8F280626EA7F17ED6CA6CCC418200

Function 000002D6F14EF040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002D6F14EF124

Strings

Tuesday, xrefs: 000002D6F14EF0F4
or copy constructor iterator', xrefs: 000002D6F14EF25A, 000002D6F14EF275
Wednesday, xrefs: 000002D6F14EF1ED

Memory Dump Source

Source File: 00000015.00000002.3408155732.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: e6160abfd5a2cc9cf80f440168c8954cb50692cc9a53660c5a43eaca46e9ff2f
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: C3619C72601E448AFA6DCB69F54C32AAAA1A7C67C0F55451BCA0B07FECDB3DCE458301

Function 000002D6F151AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000002D6F151AA68
_CallSETranslator.LIBVCRUNTIME ref: 000002D6F151AAB7

Strings

RCC, xrefs: 000002D6F151AA85
MOC, xrefs: 000002D6F151AA7C

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 1d7432d42cb839326b1ec519d8e3b4db095f3ae002e7f932d77f27b7b20c2c01
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 556158B7600B848AEB22DFA5E44879D77A0F344BDCF044616EE4E27B98DB78C995C700

Function 000002D6F14EA178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D6F14EA1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002D6F14EA288

Strings

csm, xrefs: 000002D6F14EA1C2
csm, xrefs: 000002D6F14EA2DA

Memory Dump Source

Source File: 00000015.00000002.3408155732.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: cfee3a79a6332420dfddfd621a8844a6e200f43d99eb8e2e0c62dd5cb1a16251
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 89517C32100A80CEEB64CB25A54C35877A1F795BD4F288217DA9A87FD9CB7CDA90CB11

Function 000002D6F151AD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D6F151ADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002D6F151AE88

Strings

csm, xrefs: 000002D6F151ADC2
csm, xrefs: 000002D6F151AEDA

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: a1fa52ff5b8a92164aef8a90dc21d442fce71749ed4764205dc9c63b39132c2b
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 72517CB6100AC08EEB668FA5A48C35977A0F354BD9F144217DA9EA7FD5CB3CD891C701

Function 000002D6F14E8405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D6F14E8413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002D6F14E84A8

Strings

f, xrefs: 000002D6F14E8426
csm, xrefs: 000002D6F14E848E

Memory Dump Source

Source File: 00000015.00000002.3408155732.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 972f85bd260c2ee75a15eccb82eca9add97efd3e6d8f92d2c71b54b9a0724d42
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 07518832601A028EEF64CB16F44CB1937A5F3D4BD8F558526DA1747B8CEB39DE418B04

Function 000002D6F14E83E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D6F14E8413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002D6F14E84A8

Strings

f, xrefs: 000002D6F14E8426
csm, xrefs: 000002D6F14E848E

Memory Dump Source

Source File: 00000015.00000002.3408155732.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: fac092133bcf5273d306a1bfba47854e7a8849c5731493164c1dc531c6143850
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: D6314672601A419AEB14DF12F84CB5977A4F780BD8F15852AAE6B07B8CDB3CCE41CB04

Function 000002D6F1522058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002D6F15220D7
WriteFile.KERNEL32 ref: 000002D6F152239F
WriteFile.KERNEL32 ref: 000002D6F15223E5
GetLastError.KERNEL32 ref: 000002D6F152249B

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: 46840878b0cc5d224b34d7d0e9dac87f5955736167c6a31398be0b02f4667bf4
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: CED1BFB7714A808DE711CFA9E44829C3BB1F7547D8F14421ADE5E9BF99DA38C906C780

Function 000002D6F1522980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000002D6F1522A9C
GetLastError.KERNEL32 ref: 000002D6F1522B27

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: c9214aef26bfacb35296ae088b721dff4a15a35e123c9ee8ba9635ca1e8333b4
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: 5A9177A7700E909DFB649F65A48C3AD2BA0A754BC8F54410EDE4F67E95DB78C882C700

Function 000002D6F1517960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000002D6F151798C
GetCurrentThreadId.KERNEL32 ref: 000002D6F151799A
GetCurrentProcessId.KERNEL32 ref: 000002D6F15179A6
QueryPerformanceCounter.KERNEL32 ref: 000002D6F15179B6

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 46c5aac05c874f4bb09711078cff6ceae9bbf1676f6b8508b6834c3418bbca38
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 30111C66710F418AEF008F60E8993A833A4F719798F440E22DE6E46BA4DB7CD5998380

Function 000002D6F14E9E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002D6F14E9EB7

Strings

RCC, xrefs: 000002D6F14E9E85
MOC, xrefs: 000002D6F14E9E7C

Memory Dump Source

Source File: 00000015.00000002.3408155732.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: d070504b4f6ab16698584910d28eb8b80bc01e4cc0e3f10349b5f2c037af8c0d
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 6E616B73600F848AEB20DF65E4583AD7BA0F784BD8F144216EF4A57B99DB38DA95C700

Function 000002D6F1512330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002D6F1512416
StrCpyW.SHLWAPI ref: 000002D6F151242D

Strings

\\.\pipe\, xrefs: 000002D6F1512421

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 394cc914bfb9ce43346b5ff93633d9b94699b0b3b218dfcc43da45d9579c068f
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 1951F5B2204B8189E6769F2AB09C3AA6BA1F3857C0F65412BDD4F27F49DA7DCD04C740

Function 000002D6F15226F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002D6F1522807
GetLastError.KERNEL32 ref: 000002D6F1522829

Strings

U, xrefs: 000002D6F15227B3

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 824dda5bf0e141a0eccdff39b2f392aa61083a03da449fe0be0865378a6b09d5
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 75419FB3314B808ADB208F25F84C3A9A7A1F7987D4F444126EE4E87B94EB7CC841CB40

Function 000002D6F15194A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002D6F15194F0
RaiseException.KERNEL32 ref: 000002D6F1519531

Strings

csm, xrefs: 000002D6F151951E

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 0179ef454bca868754a89d0f14593ff5d1bafe773b9c0e76b87cdcda21dd5abb
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: C6113A76214F8086EB618F15F458359B7E5FB88B98F594222EE8E17B68DF3CC951CB00

Function 000002D6F14E7356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002D6F14E737C

Strings

riptor at (, xrefs: 000002D6F14E7364
ierarchy Descriptor', xrefs: 000002D6F14E7381

Memory Dump Source

Source File: 00000015.00000002.3408155732.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 42604dadee08075db72dd804d857af22540e6553bd8cf7546b60624dadb498d8
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 2DE08661640F4594DF058F22F84829873A0DB99BA4F499123996D0B315FA3CD6F9C700

Function 000002D6F14E73B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002D6F14E73D8

Strings

riptor at (, xrefs: 000002D6F14E73C0
Locator', xrefs: 000002D6F14E73DD

Memory Dump Source

Source File: 00000015.00000002.3408155732.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: d05b7e5c656130d9458ccdc22e0b75791a29142332b64578b38792f26bb6b93c
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 41E08661640F4484DF058F21F8441987360E799B94B889123C96D0B355EA3CD5E5C700

Function 000002D6F1511BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002D6F1511C2D
HeapAlloc.KERNEL32 ref: 000002D6F1511C3B
GetProcessHeap.KERNEL32 ref: 000002D6F1511C77
HeapFree.KERNEL32 ref: 000002D6F1511C85

Part of subcall function 000002D6F151152C: StrCmpIW.SHLWAPI ref: 000002D6F151155D

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: fd815924ccaf22e34c037317531bc049dc234f77afa6770aba1465aea0f85cca
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: F5118C66601F8489EE05DF66F84C22973A1FB89FC4F18406ADE4E57B66DE3CD842C300

Function 000002D6F1511268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002D6F151126E
HeapAlloc.KERNEL32 ref: 000002D6F151127D
GetProcessHeap.KERNEL32 ref: 000002D6F1511297
HeapAlloc.KERNEL32 ref: 000002D6F15112A8

Memory Dump Source

Source File: 00000015.00000002.3408805169.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 5530d73242211928b6024003faf75465f242705db9492874eec173ea436ce9dc
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 48E092B6601A848AEB048F62E80C34A36E1FB8DF86F14C024CD0E07751DF7D98D9CB50

Analysis Process: svchost.exePID: 928, Parent PID: 1172COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	74
Total number of Limit Nodes:	2

Executed Functions

Function 0000014E41FD328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000014E41FD32AE
PathFindFileNameW.SHLWAPI ref: 0000014E41FD32BD

Part of subcall function 0000014E41FD3844: StrCmpNIW.SHLWAPI ref: 0000014E41FD385C

Part of subcall function 0000014E41FD3790: GetModuleHandleW.KERNEL32 ref: 0000014E41FD379E
Part of subcall function 0000014E41FD3790: GetCurrentProcess.KERNEL32 ref: 0000014E41FD37CC
Part of subcall function 0000014E41FD3790: VirtualProtectEx.KERNEL32 ref: 0000014E41FD37EE
Part of subcall function 0000014E41FD3790: GetCurrentProcess.KERNEL32 ref: 0000014E41FD3809
Part of subcall function 0000014E41FD3790: VirtualProtectEx.KERNEL32 ref: 0000014E41FD382A

CreateThread.KERNEL32 ref: 0000014E41FD330B

Part of subcall function 0000014E41FD1D14: GetCurrentThread.KERNEL32 ref: 0000014E41FD1D1F

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 701d4b212a0684b59ab9b099f346debbb554c1cfb4979cb8b986742d3a5a455b
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: CB1139B271864182FF60AB61BB1D3F9A3E4BF54344F5841259A0BC16B5EF7CC1468230

Function 0000014E41FD1ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000014E41FD1628: GetProcessHeap.KERNEL32 ref: 0000014E41FD1633
Part of subcall function 0000014E41FD1628: HeapAlloc.KERNEL32 ref: 0000014E41FD1642
Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD16B2
Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD16DF
Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD16F9
Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1719
Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD1734
Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1754
Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD176F
Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD178F
Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD17AA
Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD17CA

Sleep.KERNEL32 ref: 0000014E41FD1AD7
SleepEx.KERNELBASE ref: 0000014E41FD1ADD

Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD17E5
Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1805
Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD1820
Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1840
Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD185B
Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD187B
Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD1896
Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD18A0

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 27739bd1d7c2b649979a3e3ac9a2f5b2f111066e3f9e7ba65cc6bd2b1fdd864d
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 1231B771308A4182EF509B66DA593F9A3E4BF84BD0F0C55229E0BC76B6EF24C8538330

Function 0000014E41FD3844 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 0000014E41FD385C

Strings

dialer, xrefs: 0000014E41FD3855

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction ID: edc9b53c890d6efa8cfb08019f2e5464623e49ddff2869f1cd1f5de1b6805b2a
Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction Fuzzy Hash: 8BD05EB13117058AFF14DFAA88CD6B0A390BF04754F8C40208A0181660DB18C99E9620

Function 0000014E41FA273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000014E41FA285E

Memory Dump Source

Source File: 00000016.00000002.3390979377.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fa0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 67325ab9c1bf59a10d455d8bffd91d13401eaaa9fb1b126a29269b2ed4ac34ab
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: CA61DD32B0169087DF54CF9590487ADB3E2FB58BE4F1C8121EE5A87B98DA38D853D720

Non-executed Functions

Function 0000014E41FD2B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000014E41FD2BD0
lstrlenW.KERNEL32 ref: 0000014E41FD2E0A

Part of subcall function 0000014E41FD199C: OpenProcess.KERNEL32 ref: 0000014E41FD19C2
Part of subcall function 0000014E41FD199C: K32GetModuleFileNameExW.KERNEL32 ref: 0000014E41FD19E0
Part of subcall function 0000014E41FD199C: PathFindFileNameW.SHLWAPI ref: 0000014E41FD19EF
Part of subcall function 0000014E41FD199C: lstrlenW.KERNEL32 ref: 0000014E41FD19FB
Part of subcall function 0000014E41FD199C: StrCpyW.SHLWAPI ref: 0000014E41FD1A0E
Part of subcall function 0000014E41FD199C: CloseHandle.KERNEL32 ref: 0000014E41FD1A1C

GetProcAddress.KERNEL32 ref: 0000014E41FD2BE5

Part of subcall function 0000014E41FD152C: StrCmpIW.SHLWAPI ref: 0000014E41FD155D

Part of subcall function 0000014E41FD3844: StrCmpNIW.SHLWAPI ref: 0000014E41FD385C

StrCmpNIW.SHLWAPI ref: 0000014E41FD2C28
lstrlenW.KERNEL32 ref: 0000014E41FD2D50

Strings

\Device\Nsi, xrefs: 0000014E41FD2C1B
ntdll.dll, xrefs: 0000014E41FD2BC9
NtQueryObject, xrefs: 0000014E41FD2BDB

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: effd1d481dd4490a16ad21cf9b2687bc37b8d46439eecc8b1afc957421dada5b
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: DBB16972310A9086FF649FA5D4587E9A3E5FF44B94F485016EE0A937A4DB35CC42C7A0

Function 0000014E41FD7D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000014E41FD7DAC
RtlCaptureContext.NTDLL ref: 0000014E41FD7DD9
RtlLookupFunctionEntry.NTDLL ref: 0000014E41FD7DF3
RtlVirtualUnwind.NTDLL ref: 0000014E41FD7E34
IsDebuggerPresent.KERNEL32 ref: 0000014E41FD7E88
SetUnhandledExceptionFilter.KERNEL32 ref: 0000014E41FD7EA9
UnhandledExceptionFilter.KERNEL32 ref: 0000014E41FD7EB4

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: 4a8a08b1cb576b9d78726fe8905b333cbd284622d38cdc1c56e494f92cae6b39
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 4B316172305B8489EF609F60E8543EDB3A0FB84758F48412ADA4E87BA4EF38C549C720

Function 0000014E41FDD2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000014E41FDD31D
RtlLookupFunctionEntry.NTDLL ref: 0000014E41FDD335
RtlVirtualUnwind.NTDLL ref: 0000014E41FDD370
IsDebuggerPresent.KERNEL32 ref: 0000014E41FDD3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 0000014E41FDD3B3
UnhandledExceptionFilter.KERNEL32 ref: 0000014E41FDD3BE

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 6ff2dff154542a0378403bbbd0c8e4de9d1707aa7ebe8d406dd5d67eefb56c20
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 39313136314F8086DB60CF25E8443EEB3A4FB89764F580116EA9E87BA5DF38C556CB10

Function 0000014E41FD1628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000014E41FD1633
HeapAlloc.KERNEL32 ref: 0000014E41FD1642

Part of subcall function 0000014E41FD1268: GetProcessHeap.KERNEL32 ref: 0000014E41FD126E
Part of subcall function 0000014E41FD1268: HeapAlloc.KERNEL32 ref: 0000014E41FD127D
Part of subcall function 0000014E41FD1268: GetProcessHeap.KERNEL32 ref: 0000014E41FD1297
Part of subcall function 0000014E41FD1268: HeapAlloc.KERNEL32 ref: 0000014E41FD12A8

RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD16B2
RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD16DF
RegCloseKey.ADVAPI32 ref: 0000014E41FD16F9
RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1719
RegCloseKey.ADVAPI32 ref: 0000014E41FD1734
RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1754
RegCloseKey.ADVAPI32 ref: 0000014E41FD176F
RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD178F
RegCloseKey.ADVAPI32 ref: 0000014E41FD17AA
RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD17CA
RegCloseKey.ADVAPI32 ref: 0000014E41FD17E5
RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1805
RegCloseKey.ADVAPI32 ref: 0000014E41FD1820
RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1840
RegCloseKey.ADVAPI32 ref: 0000014E41FD185B
RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD187B
RegCloseKey.ADVAPI32 ref: 0000014E41FD1896
RegCloseKey.ADVAPI32 ref: 0000014E41FD18A0

Part of subcall function 0000014E41FD12BC: RegQueryInfoKeyW.ADVAPI32 ref: 0000014E41FD1319
Part of subcall function 0000014E41FD12BC: GetProcessHeap.KERNEL32 ref: 0000014E41FD1327
Part of subcall function 0000014E41FD12BC: HeapAlloc.KERNEL32 ref: 0000014E41FD1338
Part of subcall function 0000014E41FD12BC: RegEnumValueW.ADVAPI32 ref: 0000014E41FD1397
Part of subcall function 0000014E41FD12BC: GetProcessHeap.KERNEL32 ref: 0000014E41FD13DF
Part of subcall function 0000014E41FD12BC: HeapAlloc.KERNEL32 ref: 0000014E41FD13ED
Part of subcall function 0000014E41FD12BC: GetProcessHeap.KERNEL32 ref: 0000014E41FD140A
Part of subcall function 0000014E41FD12BC: HeapFree.KERNEL32 ref: 0000014E41FD1418
Part of subcall function 0000014E41FD12BC: lstrlenW.KERNEL32 ref: 0000014E41FD1421
Part of subcall function 0000014E41FD12BC: GetProcessHeap.KERNEL32 ref: 0000014E41FD142F
Part of subcall function 0000014E41FD12BC: HeapAlloc.KERNEL32 ref: 0000014E41FD143D

Strings

paths, xrefs: 0000014E41FD1788
startup, xrefs: 0000014E41FD16D5
SOFTWARE\dialerconfig, xrefs: 0000014E41FD1692
udp, xrefs: 0000014E41FD1874
tcp_local, xrefs: 0000014E41FD17FE
service_names, xrefs: 0000014E41FD17C3
process_names, xrefs: 0000014E41FD174D
tcp_remote, xrefs: 0000014E41FD1839
pid, xrefs: 0000014E41FD1712

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: a2090c4e061c94f1704aee29069009e9ac06c7e615b494ced23eb7a84219142a
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: ED712836318B1486EF10AF61E8886E9A3F5FB84B98F091111DE4E87B39DF38C546C360

Function 0000014E41FD12BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000014E41FD1319
GetProcessHeap.KERNEL32 ref: 0000014E41FD1327
HeapAlloc.KERNEL32 ref: 0000014E41FD1338
RegEnumValueW.ADVAPI32 ref: 0000014E41FD1397

Part of subcall function 0000014E41FD152C: StrCmpIW.SHLWAPI ref: 0000014E41FD155D

GetProcessHeap.KERNEL32 ref: 0000014E41FD13DF
HeapAlloc.KERNEL32 ref: 0000014E41FD13ED
GetProcessHeap.KERNEL32 ref: 0000014E41FD140A
HeapFree.KERNEL32 ref: 0000014E41FD1418
lstrlenW.KERNEL32 ref: 0000014E41FD1421
GetProcessHeap.KERNEL32 ref: 0000014E41FD142F
HeapAlloc.KERNEL32 ref: 0000014E41FD143D
StrCpyW.SHLWAPI ref: 0000014E41FD145F
GetProcessHeap.KERNEL32 ref: 0000014E41FD1476
HeapFree.KERNEL32 ref: 0000014E41FD1484

Strings

d, xrefs: 0000014E41FD135A

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: 013e14f2c87ef41763d25eff144d490c8d2c3adaa6cff7853b3d531281aa9866
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: D5513036708B8886EB55CF62E5483AAB7E1FB89F95F494124DE4A47768DF3CC046C710

Function 0000014E41FD1D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000014E41FD1D1F

Part of subcall function 0000014E41FD1FD4: GetModuleHandleA.KERNEL32 ref: 0000014E41FD1FEC
Part of subcall function 0000014E41FD1FD4: GetProcAddress.KERNEL32 ref: 0000014E41FD1FFD

Part of subcall function 0000014E41FD5B30: GetCurrentThreadId.KERNEL32 ref: 0000014E41FD5B6B

Strings

EnumServiceGroupW, xrefs: 0000014E41FD1DF0
NtQueryDirectoryFileEx, xrefs: 0000014E41FD1D9C
NtQueryDirectoryFile, xrefs: 0000014E41FD1D7F
sechost.dll, xrefs: 0000014E41FD1E39
NtEnumerateKey, xrefs: 0000014E41FD1DB9
NtDeviceIoControlFile, xrefs: 0000014E41FD1E56
EnumServicesStatusExW, xrefs: 0000014E41FD1E11, 0000014E41FD1E32
NtEnumerateValueKey, xrefs: 0000014E41FD1DD6
ntdll.dll, xrefs: 0000014E41FD1D2D
NtQuerySystemInformation, xrefs: 0000014E41FD1D45
advapi32.dll, xrefs: 0000014E41FD1DF7, 0000014E41FD1E18
NtResumeThread, xrefs: 0000014E41FD1D62

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: d2164b162b6ae80d87fccfd4c10993e61a433f491f5e0695c4aef27492673104
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: 60318274704A4AA0FF04EFA9E8597E4E3A1BF54354F8D5013941A97676AF78C24BC3B0

Function 0000014E41FA6910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000014E41FA6938
__scrt_acquire_startup_lock.LIBCMT ref: 0000014E41FA698A
_RTC_Initialize.LIBCMT ref: 0000014E41FA69B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000014E41FA69DE
__scrt_release_startup_lock.LIBCMT ref: 0000014E41FA6A09

Strings

scriptor', xrefs: 0000014E41FA6B39, 0000014E41FA6BB2, 0000014E41FA6BEC
`dynamic initializer for ', xrefs: 0000014E41FA69C7
`eh vector copy constructor iterator', xrefs: 0000014E41FA6A3B
`eh vector vbase copy constructor iterator', xrefs: 0000014E41FA69EE

Memory Dump Source

Source File: 00000016.00000002.3390979377.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fa0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 3e159b189dba1bc57bfc5d577fc7ac4b56b81dc430d962f8f9d12e70aa5f2c50
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 3C81C03170064286FE90AB6694593D9E3D0FF897E0F5C80259A09C7FB6EB3DC8478720

Function 0000014E41FDCE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 0000014E41FDCE37
FlsGetValue.KERNEL32(?,?,?,0000014E41FE0A6B,?,?,?,0000014E41FE045C,?,?,?,0000014E41FDC84F), ref: 0000014E41FDCE4C
FlsSetValue.KERNEL32(?,?,?,0000014E41FE0A6B,?,?,?,0000014E41FE045C,?,?,?,0000014E41FDC84F), ref: 0000014E41FDCE6D
FlsSetValue.KERNEL32(?,?,?,0000014E41FE0A6B,?,?,?,0000014E41FE045C,?,?,?,0000014E41FDC84F), ref: 0000014E41FDCE9A
FlsSetValue.KERNEL32(?,?,?,0000014E41FE0A6B,?,?,?,0000014E41FE045C,?,?,?,0000014E41FDC84F), ref: 0000014E41FDCEAB
FlsSetValue.KERNEL32(?,?,?,0000014E41FE0A6B,?,?,?,0000014E41FE045C,?,?,?,0000014E41FDC84F), ref: 0000014E41FDCEBC
SetLastError.KERNEL32 ref: 0000014E41FDCED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000014E41FE0A6B,?,?,?,0000014E41FE045C,?,?,?,0000014E41FDC84F), ref: 0000014E41FDCF0D
FlsSetValue.KERNEL32(?,?,00000001,0000014E41FDECCC,?,?,?,?,0000014E41FDBF9F,?,?,?,?,?,0000014E41FD7AB0), ref: 0000014E41FDCF2C

Part of subcall function 0000014E41FDD6CC: HeapAlloc.KERNEL32 ref: 0000014E41FDD721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000014E41FE0A6B,?,?,?,0000014E41FE045C,?,?,?,0000014E41FDC84F), ref: 0000014E41FDCF54

Part of subcall function 0000014E41FDD744: HeapFree.KERNEL32 ref: 0000014E41FDD75A
Part of subcall function 0000014E41FDD744: GetLastError.KERNEL32 ref: 0000014E41FDD764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000014E41FE0A6B,?,?,?,0000014E41FE045C,?,?,?,0000014E41FDC84F), ref: 0000014E41FDCF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000014E41FE0A6B,?,?,?,0000014E41FE045C,?,?,?,0000014E41FDC84F), ref: 0000014E41FDCF76

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: d05d1a81437cdd74f7d820c0fbdd9315d75b8d778be0daec336e8a8adf9e924f
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: 8141E7B034528441FE69A735955D7F9E3C2BF847B0F1C0B28A92BC66F6EE68D5039230

Function 0000014E41FD2244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000014E41FD2259
GetCurrentProcessId.KERNEL32 ref: 0000014E41FD2263

Part of subcall function 0000014E41FD1934: OpenProcess.KERNEL32 ref: 0000014E41FD1952
Part of subcall function 0000014E41FD1934: IsWow64Process.KERNEL32 ref: 0000014E41FD1968
Part of subcall function 0000014E41FD1934: CloseHandle.KERNEL32 ref: 0000014E41FD1983

CreateFileW.KERNEL32 ref: 0000014E41FD22BC
WriteFile.KERNEL32 ref: 0000014E41FD22E4
ReadFile.KERNEL32 ref: 0000014E41FD2303
CloseHandle.KERNEL32 ref: 0000014E41FD230C

Strings

\\.\pipe\dialerchildproc32, xrefs: 0000014E41FD2293
\\.\pipe\dialerchildproc64, xrefs: 0000014E41FD228C

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 7e5f448f2627fb39cf378e58a67f4c7b29978e30c1d81c84a71b5fabbdbaa53a
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: B0213032718B5482FB10CB25E4483A9A7E0FB85BA4F580215DA5A42BB8CF7CC54ACB10

Function 0000014E41FDA544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000014E41FDA5A1

Part of subcall function 0000014E41FDB414: __GetUnwindTryBlock.LIBCMT ref: 0000014E41FDB457
Part of subcall function 0000014E41FDB414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000014E41FDB47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000014E41FDA679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000014E41FDA8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 0000014E41FDA9DA

Strings

csm, xrefs: 0000014E41FDA5BB
csm, xrefs: 0000014E41FDA622
csm, xrefs: 0000014E41FDA69C

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: d2352766757894f1e6b2819fe3e7d64d43612c435bf147b291665c758718f4e6
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 43E16B72704B408AEF60DF6594493EDB7E0FB85B98F180115EE8E97BA9CB34C492C725

Function 0000014E41FA9944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000014E41FA99A1

Part of subcall function 0000014E41FAA814: __GetUnwindTryBlock.LIBCMT ref: 0000014E41FAA857
Part of subcall function 0000014E41FAA814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000014E41FAA87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000014E41FA9A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000014E41FA9CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 0000014E41FA9DDA

Strings

csm, xrefs: 0000014E41FA99BB
csm, xrefs: 0000014E41FA9A9C
csm, xrefs: 0000014E41FA9A22

Memory Dump Source

Source File: 00000016.00000002.3390979377.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fa0000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 092061804e2acfd85856a6fbf8df1efce0ac3395992e54896de2f0b233cc8006
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: F5E16A72704B408AEF609BA5D4883DDB7E0FB557D8F5C4125EA8997FA5CB38C092C760

Function 0000014E41FDF394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32 ref: 0000014E41FDF510
GetProcAddress.KERNEL32 ref: 0000014E41FDF51C

Strings

ext-ms-, xrefs: 0000014E41FDF46D
api-ms-, xrefs: 0000014E41FDF45A

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: eccfb42c00e0fcebc11fba8db2cb5dd556603cf0515602b7340d8b3a720e917a
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: A0418032315A5091FF16CB56E808BE9A3D6BF46BA0F5D42299D0FD77A4EE38C4478360

Function 0000014E41FD104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000014E41FD10B1
RegEnumValueW.ADVAPI32 ref: 0000014E41FD1117
GetProcessHeap.KERNEL32 ref: 0000014E41FD115A
HeapAlloc.KERNEL32 ref: 0000014E41FD1168
GetProcessHeap.KERNEL32 ref: 0000014E41FD1185
HeapFree.KERNEL32 ref: 0000014E41FD1193

Strings

d, xrefs: 0000014E41FD10D6

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: dcb51b6df01793caf54422eba4bcf925065baaae7f996ed60d537fcaac24bad6
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: 4A414233218B84C6EB60CF21E44879EB7E5F789B98F448119DA8A47768DF3CC546CB50

Function 0000014E41FDD068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,0000014E41FDC7DE,?,?,?,?,?,?,?,?,0000014E41FDCF9D,?,?,00000001), ref: 0000014E41FDD087
FlsSetValue.KERNEL32(?,?,?,0000014E41FDC7DE,?,?,?,?,?,?,?,?,0000014E41FDCF9D,?,?,00000001), ref: 0000014E41FDD0A6
FlsSetValue.KERNEL32(?,?,?,0000014E41FDC7DE,?,?,?,?,?,?,?,?,0000014E41FDCF9D,?,?,00000001), ref: 0000014E41FDD0CE
FlsSetValue.KERNEL32(?,?,?,0000014E41FDC7DE,?,?,?,?,?,?,?,?,0000014E41FDCF9D,?,?,00000001), ref: 0000014E41FDD0DF
FlsSetValue.KERNEL32(?,?,?,0000014E41FDC7DE,?,?,?,?,?,?,?,?,0000014E41FDCF9D,?,?,00000001), ref: 0000014E41FDD0F0

Strings

Y%, xrefs: 0000014E41FDD0A6
1%, xrefs: 0000014E41FDD0CE

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: a9bf51a53c9a1f80fc76c82896e2421d109dbda82caf93dda9c71af6b8fc7838
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: D0111C7070468441FE68A735995D7F9E3C6BF847F0F1C4325A82BC6AFADE68C5039620

Function 0000014E41FD7510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000014E41FD7538
__scrt_acquire_startup_lock.LIBCMT ref: 0000014E41FD758A
_RTC_Initialize.LIBCMT ref: 0000014E41FD75B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000014E41FD75DE
__scrt_release_startup_lock.LIBCMT ref: 0000014E41FD7609

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: a28f0207ded7251b2138ce8eaabf7731b6e17eb6dd1893435d04d01492ed5137
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: D781F271704B418AFF50AB6598493F9E3D0BF85788F5C46169A0ACB7B6EB78C8078730

Function 0000014E41FD9DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 0000014E41FD9E49
GetLastError.KERNEL32 ref: 0000014E41FD9E57
LoadLibraryExW.KERNEL32 ref: 0000014E41FD9E81
FreeLibrary.KERNEL32 ref: 0000014E41FD9EC7
GetProcAddress.KERNEL32 ref: 0000014E41FD9ED3

Strings

api-ms-, xrefs: 0000014E41FD9E69

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 03ee9c64fc4e5180bd68ea4e23d85fb7920b7978f1ef5f904570876798f634f1
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 80317231316A40A1EF169B82A4087E9A3D4BF48BA0F5D46259D1F87BA5DF39C5468330

Function 0000014E41FE3DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000014E41FE3DE5
GetLastError.KERNEL32 ref: 0000014E41FE3DF1
CloseHandle.KERNEL32 ref: 0000014E41FE3E09
CreateFileW.KERNEL32 ref: 0000014E41FE3E34
WriteConsoleW.KERNEL32 ref: 0000014E41FE3E53

Strings

CONOUT$, xrefs: 0000014E41FE3E15

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: 58d35a48e73ae5a6a2069cbe50502fe36390fdbaf60b5645c7a944c23e30e8f6
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 86116031318B8486EB608F52E858359B7E0FB88FE4F094225EA5EC77A4DF7CC5168750

Function 0000014E41FD3790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000014E41FD379E
GetCurrentProcess.KERNEL32 ref: 0000014E41FD37CC
VirtualProtectEx.KERNEL32 ref: 0000014E41FD37EE
GetCurrentProcess.KERNEL32 ref: 0000014E41FD3809
VirtualProtectEx.KERNEL32 ref: 0000014E41FD382A

Strings

wr, xrefs: 0000014E41FD37FF

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 8310219fc58ae82eb0bcc7bfba685b767ad38c6a0f57641c290d7d667e99c083
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 80115B76708B4582EF549B21E5082A9B7F1FB88B95F490029DF8E877A4EF3DC506C724

Function 0000014E41FD5B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000014E41FD5B6B
GetThreadContext.KERNEL32 ref: 0000014E41FD5CD5

Part of subcall function 0000014E41FD5960: GetCurrentThreadId.KERNEL32 ref: 0000014E41FD5964

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: 07ea2566a821138ba5b41bcd2566ad333a6cc9f6e2a32e52345a153ce6aaa6b8
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: 61D18D76209B8881DE709B16E4943AAB7F0F788B84F144216EACE87B75DF7CC552CB50

Function 0000014E41FD2F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000014E41FD2F27
HeapAlloc.KERNEL32 ref: 0000014E41FD2F3A
StrCmpNIW.SHLWAPI ref: 0000014E41FD2FAF
GetProcessHeap.KERNEL32 ref: 0000014E41FD3015
HeapFree.KERNEL32 ref: 0000014E41FD3023

Strings

dialer, xrefs: 0000014E41FD2FA8

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 64828584eb3bfdbaceddc1153c386e701d38d80c8c2db94475a50a70e660af8b
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: 48317832705B5582FF15CF56A9487AAA7E0BF44B94F0C85249E4A87B65EB38C4A38360

Function 0000014E41FD14A4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000014E41FD14C5
HeapFree.KERNEL32 ref: 0000014E41FD14D4
GetProcessHeap.KERNEL32 ref: 0000014E41FD14E1
HeapFree.KERNEL32 ref: 0000014E41FD14F0
GetProcessHeap.KERNEL32 ref: 0000014E41FD1500

Strings

C:\Windows\system32\svchost.exe, xrefs: 0000014E41FE61A9, 0000014E41FE61B1

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID: C:\Windows\system32\svchost.exe
API String ID: 3168794593-4180442734
Opcode ID: 335002606d0c58216c4b7b8c214cf2e956f7ef49abbb5e195d674a66fc258290
Instruction ID: 1ea6c2aa508163f35958e79cb2a9901d7fd2f010a3072b3d942776ec3241fee8
Opcode Fuzzy Hash: 335002606d0c58216c4b7b8c214cf2e956f7ef49abbb5e195d674a66fc258290
Instruction Fuzzy Hash: D021917B60CBD88AEB52DF2598592DDABE1FB49F64F0E4016DB45C3363DA2DC4068720

Function 0000014E41FDCFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000014E41FDCFAF
FlsSetValue.KERNEL32(?,?,?,0000014E41FDD6B5,?,?,?,?,0000014E41FDD778), ref: 0000014E41FDCFE5
FlsSetValue.KERNEL32(?,?,?,0000014E41FDD6B5,?,?,?,?,0000014E41FDD778), ref: 0000014E41FDD012
FlsSetValue.KERNEL32(?,?,?,0000014E41FDD6B5,?,?,?,?,0000014E41FDD778), ref: 0000014E41FDD023
FlsSetValue.KERNEL32(?,?,?,0000014E41FDD6B5,?,?,?,?,0000014E41FDD778), ref: 0000014E41FDD034
SetLastError.KERNEL32 ref: 0000014E41FDD04F

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 4c605ab0eebe7c8a65e16142fd15fb062952cf9a22b794a22443e09c107b39ea
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: 9511063030528042FE64A735955D7F9A3D2BF847F0F1C4729A92BC6AFAEE69C4039620

Function 0000014E41FD199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000014E41FD19C2
K32GetModuleFileNameExW.KERNEL32 ref: 0000014E41FD19E0
PathFindFileNameW.SHLWAPI ref: 0000014E41FD19EF
lstrlenW.KERNEL32 ref: 0000014E41FD19FB
StrCpyW.SHLWAPI ref: 0000014E41FD1A0E
CloseHandle.KERNEL32 ref: 0000014E41FD1A1C

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: 45260b5053477a1902ed5b314b8ddb3b202787d03d162f4498fe3015baeaf19a
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 0B012931308B4486EB64DB52A85C799A3E5FB88FD4F894035DE4A83765DF3CC98AC760

Function 0000014E41FD36C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000014E41FD36E4
GetCurrentProcess.KERNEL32 ref: 0000014E41FD36F2
VirtualProtectEx.KERNEL32 ref: 0000014E41FD3714
GetCurrentProcess.KERNEL32 ref: 0000014E41FD3732
VirtualProtectEx.KERNEL32 ref: 0000014E41FD3753
TerminateThread.KERNEL32 ref: 0000014E41FD3762

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 27845c9942124fe15b1c72357d23f614dfff2e05e98621f38ac1f8b99baeb5ad
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 44011B75315B4482FF259B61E81C3A9A7F1BF45B96F090429CA4E87774EF3DC10A8720

Function 0000014E41FD9005 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000014E41FD9013
_IsNonwritableInCurrentImage.LIBCMT ref: 0000014E41FD90A8
RtlUnwindEx.NTDLL ref: 0000014E41FD90F7

Strings

csm, xrefs: 0000014E41FD908E
f, xrefs: 0000014E41FD9026

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: a1bf88d4b9d8004459b5fa9669b2167566428502909aa59e78964a9a5b042688
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 8951D63270160186EF14DF75E44CBB9B7D6FB45B98F598128DA1B83BA8DB75C842C720

Function 0000014E41FD8FE8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000014E41FD9013
_IsNonwritableInCurrentImage.LIBCMT ref: 0000014E41FD90A8
RtlUnwindEx.NTDLL ref: 0000014E41FD90F7

Strings

csm, xrefs: 0000014E41FD908E
f, xrefs: 0000014E41FD9026

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 6bc827c4c3bb3e0c98ca9239eca2c50e04eb8a87f0c80140b29f13db2d6fb965
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 2631D43230074096EF14DF61E84C7A9B7E5FB44B98F098118EE5B83BA9DB39C942C724

Function 0000014E41FD1A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000014E41FD1A60
StrCmpNIW.SHLWAPI ref: 0000014E41FD1A7A
lstrlenW.KERNEL32 ref: 0000014E41FD1A89
StrCpyW.SHLWAPI ref: 0000014E41FD1A9E

Strings

\\?\, xrefs: 0000014E41FD1A6E

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: b12ca8b25fa5122955bb982c68454bcc7e018bb98c49cc1ed73afc7e3ae07854
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 30F0493270874591EF608B51F888799A7E0FB48B98F884120DA4986A64DF3CC64FC710

Function 0000014E41FDBC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000014E41FDBCBD
GetProcAddress.KERNEL32 ref: 0000014E41FDBCD3
FreeLibrary.KERNEL32 ref: 0000014E41FDBCFA

Strings

CorExitProcess, xrefs: 0000014E41FDBCCC
mscoree.dll, xrefs: 0000014E41FDBCB4

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 035e3789f53f373a927057afabb0f361c24ef996c6f03b6afc748e9683801fc8
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 9FF06271319B0881EF148F24E44C3A9A3A0FF89775F590319CA6A853F4CF2CC1468760

Function 0000014E41FD3044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 0000014E41FD3066
StrCpyW.SHLWAPI ref: 0000014E41FD3076
StrCatW.SHLWAPI ref: 0000014E41FD3082
PathCombineW.SHLWAPI ref: 0000014E41FD3090

Strings

\\.\pipe\, xrefs: 0000014E41FD305C

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: cc80a717613b9aef5249e127a8ce4b2df5163e301108ee4070d8aa47fa087152
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: A7F05E70308B8482EF108B12B90C1A9A3A1BF48FE4F0D4120EE4A87B28DE2CC4468720

Function 0000014E41FD50D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000014E41FD5156

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: 742035003ab41573749cbaf50ab97c77026f2c65be4dc385caaa5c533d93989b
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: 7402B432219B8486EB60CB59E4943AAB7F0F7C5794F144116EA8E87BB8DF7CD485CB10

Function 0000014E41FD5710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000014E41FD5726

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: 4debb5f53ed61f6123289aa0e5a7e5e44eede09a84607efc51eced9d514b7eed
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: B561A736619A84C6EB60CB15E44836AB7F0F788784F140216EA8E87BB8DB7CD456CB10

Function 0000014E41FE4104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000014E41FE412C
_set_statfp.LIBCMT ref: 0000014E41FE4147
_set_statfp.LIBCMT ref: 0000014E41FE4163
_set_statfp.LIBCMT ref: 0000014E41FE419F

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: e72965eb51f99d8a0ac95fcd431345854843bb65debfdf1bdb0de3510e35bf29
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 6E118F32B58B5011FF665568D45D3E593C17FA83A8E0F062CA976C67F68A2CC9438224

Function 0000014E41FB3504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000014E41FB352C
_set_statfp.LIBCMT ref: 0000014E41FB3547
_set_statfp.LIBCMT ref: 0000014E41FB3563
_set_statfp.LIBCMT ref: 0000014E41FB359F

Memory Dump Source

Source File: 00000016.00000002.3390979377.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fa0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: ead154b9435ffe6a454870689a50e6f6704023e04e4d2936ba47f9ea0b1d783b
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 0711A0B2BD0E1351FEA41569E75E3E993C07FD8374F4C8628A966862F7CA28C8474230

Function 0000014E41FAF040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000014E41FAF124

Strings

Tuesday, xrefs: 0000014E41FAF0F4
Wednesday, xrefs: 0000014E41FAF1ED
or copy constructor iterator', xrefs: 0000014E41FAF25A, 0000014E41FAF275

Memory Dump Source

Source File: 00000016.00000002.3390979377.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fa0000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 9afa7e71d04fa23ee4952312235bac51a1d74b63e64a95d112a04740b73905c4
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 45614C7670064042FE659B65E58C3EEEBE1BF867C0F5D4515DA0A9BFB4EA3CD8438220

Function 0000014E41FDAA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0000014E41FDAA68
_CallSETranslator.LIBVCRUNTIME ref: 0000014E41FDAAB7

Strings

RCC, xrefs: 0000014E41FDAA85
MOC, xrefs: 0000014E41FDAA7C

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 0789a3831c1f6d771d65473aec04d891a6e65c0c978cd43e319f5209d2f070c5
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: F7614833705B848AEB209F65D4443EDB7E0FB84B98F084215EE4A57BA8DB38D596C714

Function 0000014E41FDAD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000014E41FDADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000014E41FDAE88

Strings

csm, xrefs: 0000014E41FDAEDA
csm, xrefs: 0000014E41FDADC2

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 321aa2bf97eac6cafb4f774fd1c13e020d27b9bfb404d6bee772e39a7e361af9
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 54516E722003808AEF648F26D5883A9B7E0FB94B95F1C4255DA9E87BE5CB38D453C718

Function 0000014E41FAA178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000014E41FAA1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000014E41FAA288

Strings

csm, xrefs: 0000014E41FAA1C2
csm, xrefs: 0000014E41FAA2DA

Memory Dump Source

Source File: 00000016.00000002.3390979377.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fa0000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 9fc2ac829e4d419cfb4e4e7491d5e77e61521fb2b31f7c138b84e684f10f9101
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: E0516E32200380CAEF648B659548398B7E0FB55BD4F1C4116DA9DC7FA5CB7ED466CB20

Function 0000014E41FA8405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000014E41FA8413
_IsNonwritableInCurrentImage.LIBCMT ref: 0000014E41FA84A8

Strings

csm, xrefs: 0000014E41FA848E
f, xrefs: 0000014E41FA8426

Memory Dump Source

Source File: 00000016.00000002.3390979377.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fa0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 0bce45575947cd2407113779943a525e14445a621b98b0471fe801dac2351894
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: C951B4327412008EDF54CB15D40CB98B7E5FB94BE9F9C8124DE8683B6CE7B8D8428724

Function 0000014E41FA83E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000014E41FA8413
_IsNonwritableInCurrentImage.LIBCMT ref: 0000014E41FA84A8

Strings

csm, xrefs: 0000014E41FA848E
f, xrefs: 0000014E41FA8426

Memory Dump Source

Source File: 00000016.00000002.3390979377.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fa0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: c159a0ba046949333dfa247496e2d25aa9719a0157f25d5229989bbc026eab31
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: A2319E313416409AEB14DF11E848799B7E4FB44BD9F9D8018EE9B83BA8DB7CD942C724

Function 0000014E41FE2058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000014E41FE20D7
WriteFile.KERNEL32 ref: 0000014E41FE239F
WriteFile.KERNEL32 ref: 0000014E41FE23E5
GetLastError.KERNEL32 ref: 0000014E41FE249B

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: afeff5cfcaf4403b8b152d041e9c12e6ce2064c04c3d4c674498ddf2345b7502
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: 44D1D072718B8089EB11CFA9D4443ECBBF1FB54798F194216CE5A97BAAEA34C507C350

Function 0000014E41FE2980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 0000014E41FE2A9C
GetLastError.KERNEL32 ref: 0000014E41FE2B27

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: cea13cf84bf215eda1d4e32a4ca8aa5317b936fd82c1a643056d64915862160e
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: 2091B372708B5485FF60DFA994883EDABE0BB44B98F1D4109DE0A977A5EB74C483C720

Function 0000014E41FD7960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000014E41FD798C
GetCurrentThreadId.KERNEL32 ref: 0000014E41FD799A
GetCurrentProcessId.KERNEL32 ref: 0000014E41FD79A6
QueryPerformanceCounter.KERNEL32 ref: 0000014E41FD79B6

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: dfc3c1974cbad934db9993865ec08b5f9e443c71fc6a37ba405ddabd85e8d405
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 65113032714F4589EF00CF60E8583E873B4FB59B68F480E25DA6D867A4DF78C1998390

Function 0000014E41FD253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000014E41FD2620
StrCpyW.SHLWAPI ref: 0000014E41FD2639

Strings

\\.\pipe\, xrefs: 0000014E41FD262B

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: a326b1bb8bb403e4a0d4c0446bf3a53fe52e6195dedbf9b24ed740f8b36a4abd
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: B171C236304B8185EF359E65D8483FAA7D4FB85784F4A0126DE0B83BA9DF35C6468750

Function 0000014E41FA9E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000014E41FA9EB7

Strings

RCC, xrefs: 0000014E41FA9E85
MOC, xrefs: 0000014E41FA9E7C

Memory Dump Source

Source File: 00000016.00000002.3390979377.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fa0000_svchost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 9082f48436bddb50fbe074ea12ed5132107a6f235155bfae31550afec4f2ce97
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: ED613736A00B848AEB20DFA5D4843DDB7A0FB44BC8F184215EF4957FA9DB78D596C720

Function 0000014E41FD2330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000014E41FD2416
StrCpyW.SHLWAPI ref: 0000014E41FD242D

Strings

\\.\pipe\, xrefs: 0000014E41FD2421

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: cc360d09ba06bcdff2f15c29ced7a4e175476a6bb9ba5d9fe31b0890df6299d6
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 7851E73230478181FF259A69A55C3FAE7E1FBC6750F8D0125DE4B83B6ECA39C50687A0

Function 0000014E41FE26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000014E41FE2807
GetLastError.KERNEL32 ref: 0000014E41FE2829

Strings

U, xrefs: 0000014E41FE27B3

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: c83ac0f76dcb79476ddf21a95a19c8a865843251dc56904ff8b0029dd694ac40
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: E941A232318B8082DF20CF65E8483E9A7A0FB98794F494022EE4EC77A4EB7CC542C750

Function 0000014E41FD94A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000014E41FD94F0
RaiseException.KERNEL32 ref: 0000014E41FD9531

Strings

csm, xrefs: 0000014E41FD951E

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 558f2c2fa83ee08c27e1fc5abc980bded73aea70065ff57803d74eae209385c4
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 0F112832218B8482EF618B15F448399B7E5FB88B94F5D8220EE8D47B69DF3DC552CB00

Function 0000014E41FA7356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000014E41FA737C

Strings

riptor at (, xrefs: 0000014E41FA7364
ierarchy Descriptor', xrefs: 0000014E41FA7381

Memory Dump Source

Source File: 00000016.00000002.3390979377.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fa0000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: eb669838bcd11bd9391b268dc568cb615196d67751b03d9664e942e19c7f9c9a
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: F0E08671740B4490DF018F21E8442D873E0EF59B64B8C9122D95C46331FA3CD1FAC310

Function 0000014E41FA73B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000014E41FA73D8

Strings

riptor at (, xrefs: 0000014E41FA73C0
Locator', xrefs: 0000014E41FA73DD

Memory Dump Source

Source File: 00000016.00000002.3390979377.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fa0000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: dcf211704ab779cfcff42d5391f5e7064cd144a077eba1243619bea389c199af
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 92E08671740B4480EF028F21D4401D8B3A0FB59B54B8C9122C94C46331EA3CD1E6C310

Function 0000014E41FD1BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000014E41FD1C2D
HeapAlloc.KERNEL32 ref: 0000014E41FD1C3B
GetProcessHeap.KERNEL32 ref: 0000014E41FD1C77
HeapFree.KERNEL32 ref: 0000014E41FD1C85

Part of subcall function 0000014E41FD152C: StrCmpIW.SHLWAPI ref: 0000014E41FD155D

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: f9751e398ec6f9e8c393d2d9c50e353c79f978f663c39b1dde9fddacf25f1213
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: E2115535705B8881EF059B66A8082AAB3E1FB89FD0F1D40289E4E83776DF78C842C310

Function 0000014E41FD1268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000014E41FD126E
HeapAlloc.KERNEL32 ref: 0000014E41FD127D
GetProcessHeap.KERNEL32 ref: 0000014E41FD1297
HeapAlloc.KERNEL32 ref: 0000014E41FD12A8

Memory Dump Source

Source File: 00000016.00000002.3391758050.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 58e4b1372e48106c13d9c210e95dfed249a6192135837390fc88e392b1da2cd8
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 52E0393570170886EB058B62D80838AB7E1FB89F26F0A8028890947361DF7DC49AC760

Analysis Process: dwm.exePID: 996, Parent PID: 1172COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	95.2%
Signature Coverage:	0%
Total number of Nodes:	126
Total number of Limit Nodes:	16

Executed Functions

Function 000001D15B041628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001D15B041633
HeapAlloc.KERNEL32 ref: 000001D15B041642

Part of subcall function 000001D15B041268: GetProcessHeap.KERNEL32 ref: 000001D15B04126E
Part of subcall function 000001D15B041268: HeapAlloc.KERNEL32 ref: 000001D15B04127D
Part of subcall function 000001D15B041268: GetProcessHeap.KERNEL32 ref: 000001D15B041297
Part of subcall function 000001D15B041268: HeapAlloc.KERNEL32 ref: 000001D15B0412A8

RegOpenKeyExW.ADVAPI32 ref: 000001D15B0416B2
RegOpenKeyExW.ADVAPI32 ref: 000001D15B0416DF
RegCloseKey.ADVAPI32 ref: 000001D15B0416F9
RegOpenKeyExW.ADVAPI32 ref: 000001D15B041719
RegCloseKey.ADVAPI32 ref: 000001D15B041734
RegOpenKeyExW.ADVAPI32 ref: 000001D15B041754
RegCloseKey.ADVAPI32 ref: 000001D15B04176F
RegOpenKeyExW.ADVAPI32 ref: 000001D15B04178F
RegCloseKey.ADVAPI32 ref: 000001D15B0417AA
RegOpenKeyExW.ADVAPI32 ref: 000001D15B0417CA
RegCloseKey.ADVAPI32 ref: 000001D15B0417E5
RegOpenKeyExW.ADVAPI32 ref: 000001D15B041805
RegCloseKey.ADVAPI32 ref: 000001D15B041820
RegOpenKeyExW.ADVAPI32 ref: 000001D15B041840
RegCloseKey.ADVAPI32 ref: 000001D15B04185B
RegOpenKeyExW.ADVAPI32 ref: 000001D15B04187B
RegCloseKey.ADVAPI32 ref: 000001D15B041896
RegCloseKey.ADVAPI32 ref: 000001D15B0418A0

Part of subcall function 000001D15B0412BC: RegQueryInfoKeyW.ADVAPI32 ref: 000001D15B041319
Part of subcall function 000001D15B0412BC: GetProcessHeap.KERNEL32 ref: 000001D15B041327
Part of subcall function 000001D15B0412BC: HeapAlloc.KERNEL32 ref: 000001D15B041338
Part of subcall function 000001D15B0412BC: RegEnumValueW.ADVAPI32 ref: 000001D15B041397
Part of subcall function 000001D15B0412BC: GetProcessHeap.KERNEL32 ref: 000001D15B0413DF
Part of subcall function 000001D15B0412BC: HeapAlloc.KERNEL32 ref: 000001D15B0413ED
Part of subcall function 000001D15B0412BC: GetProcessHeap.KERNEL32 ref: 000001D15B04140A
Part of subcall function 000001D15B0412BC: HeapFree.KERNEL32 ref: 000001D15B041418
Part of subcall function 000001D15B0412BC: lstrlenW.KERNEL32 ref: 000001D15B041421
Part of subcall function 000001D15B0412BC: GetProcessHeap.KERNEL32 ref: 000001D15B04142F
Part of subcall function 000001D15B0412BC: HeapAlloc.KERNEL32 ref: 000001D15B04143D

Strings

tcp_local, xrefs: 000001D15B0417FE
tcp_remote, xrefs: 000001D15B041839
service_names, xrefs: 000001D15B0417C3
SOFTWARE\dialerconfig, xrefs: 000001D15B041692
startup, xrefs: 000001D15B0416D5
process_names, xrefs: 000001D15B04174D
udp, xrefs: 000001D15B041874
pid, xrefs: 000001D15B041712
paths, xrefs: 000001D15B041788

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 453843c826014ee9d4a6b1b80832e57562e63a9a670120dbd6c5dd4b91236827
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: B471E936210A10B6EB109FA5F9557DA27B4F7C6B98F401212DE4E47B69EF3CC455CB40

Function 000001D15B043790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 000001D15B04379E
GetCurrentProcess.KERNEL32 ref: 000001D15B0437CC
VirtualProtectEx.KERNEL32 ref: 000001D15B0437EE
GetCurrentProcess.KERNEL32 ref: 000001D15B043809
VirtualProtectEx.KERNEL32 ref: 000001D15B04382A

Strings

wr, xrefs: 000001D15B0437FF

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 09a9871909fb91616313d3dfe72f3358092feacd673046fb11bcacce72f9df50
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: CF118E36300740A3EF549BA1F5083AAB2B0F78AB84F04063ADE8903B94EF3DC545CB04

Function 000001D15B045B30 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001D15B045B6B
GetThreadContext.KERNEL32 ref: 000001D15B045CD5

Part of subcall function 000001D15B045960: GetCurrentThreadId.KERNEL32 ref: 000001D15B045964

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
Instruction ID: 9b023f872805ecaba43b1b218ad38660bce20da88bab6f021ba470494500eab3
Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
Instruction Fuzzy Hash: C6D18776208B88A6DA709B4AF59439A77B0F7C9B84F100617EA8D87BA5DF7CC541CF40

Function 000001D15B0450D0 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001D15B045156

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
Instruction ID: da1cee91b76316671709d0c2ddac76896230337d1aa948a32c7c28ce66da79ac
Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
Instruction Fuzzy Hash: CA02BB32619B84A6EB60CB95F59039AB7B0F3C6794F105516EA8E87BA9DF7CC444CF00

Function 000001D15B0439E0 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 000001D15B043A66
VirtualAlloc.KERNEL32 ref: 000001D15B043AA0

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction ID: ce5e2d355a247ae9cd240daf42ee24941c63a16161df7f87918a567be0b6b48d
Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction Fuzzy Hash: 25311E32219A84B1EA30DA95F15539EA6B0F3CA784F101776F6CE46BA8DF7CC5948F04

Function 000001D15B04328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001D15B0432AE
PathFindFileNameW.SHLWAPI ref: 000001D15B0432BD

Part of subcall function 000001D15B043844: StrCmpNIW.SHLWAPI ref: 000001D15B04385C

Part of subcall function 000001D15B043790: GetModuleHandleW.KERNEL32 ref: 000001D15B04379E
Part of subcall function 000001D15B043790: GetCurrentProcess.KERNEL32 ref: 000001D15B0437CC
Part of subcall function 000001D15B043790: VirtualProtectEx.KERNEL32 ref: 000001D15B0437EE
Part of subcall function 000001D15B043790: GetCurrentProcess.KERNEL32 ref: 000001D15B043809
Part of subcall function 000001D15B043790: VirtualProtectEx.KERNEL32 ref: 000001D15B04382A

CreateThread.KERNEL32 ref: 000001D15B04330B

Part of subcall function 000001D15B041D14: GetCurrentThread.KERNEL32 ref: 000001D15B041D1F

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 22544b8be529a5e8a95904585740c79996de017cecdbbc7f9568830ed788161b
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 20119270614641B2FB609BE1FB093DA23B4BBD7746F60633BA946825D1EF7CC4588E10

Function 000001D15B044DF0 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000001D15B044DF4
VirtualProtect.KERNEL32 ref: 000001D15B044E37
FlushInstructionCache.KERNEL32 ref: 000001D15B044E4C

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
Instruction ID: 4934cd98a60dfd5feda394540bd5bea279a0c3649f9ce5edad0d1af88ecc479f
Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
Instruction Fuzzy Hash: 54F01D36218A04A0D6709B82F6403AA6BB0F3C97D4F140212FA8E43B69DF3CC6808F40

Function 000001D15B01273C Relevance: 3.2, APIs: 2, Instructions: 187
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001D15B0127DB
LoadLibraryA.KERNELBASE ref: 000001D15B01285E

Memory Dump Source

Source File: 00000017.00000002.3443608691.000001D15B010000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b010000_dwm.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 55679c72331ed3e7bab0be7cb74d28a35aaaa4e86c910775603edd0d527ff162
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 80612932B01694A7DB58CF99EA007AD73B2F795B94F548226DE59077C4DE3CD852CB00

Function 000001D15B041ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001D15B041628: GetProcessHeap.KERNEL32 ref: 000001D15B041633
Part of subcall function 000001D15B041628: HeapAlloc.KERNEL32 ref: 000001D15B041642
Part of subcall function 000001D15B041628: RegOpenKeyExW.ADVAPI32 ref: 000001D15B0416B2
Part of subcall function 000001D15B041628: RegOpenKeyExW.ADVAPI32 ref: 000001D15B0416DF
Part of subcall function 000001D15B041628: RegCloseKey.ADVAPI32 ref: 000001D15B0416F9
Part of subcall function 000001D15B041628: RegOpenKeyExW.ADVAPI32 ref: 000001D15B041719
Part of subcall function 000001D15B041628: RegCloseKey.ADVAPI32 ref: 000001D15B041734
Part of subcall function 000001D15B041628: RegOpenKeyExW.ADVAPI32 ref: 000001D15B041754
Part of subcall function 000001D15B041628: RegCloseKey.ADVAPI32 ref: 000001D15B04176F
Part of subcall function 000001D15B041628: RegOpenKeyExW.ADVAPI32 ref: 000001D15B04178F
Part of subcall function 000001D15B041628: RegCloseKey.ADVAPI32 ref: 000001D15B0417AA
Part of subcall function 000001D15B041628: RegOpenKeyExW.ADVAPI32 ref: 000001D15B0417CA

Sleep.KERNEL32 ref: 000001D15B041AD7
SleepEx.KERNELBASE ref: 000001D15B041ADD

Part of subcall function 000001D15B041628: RegCloseKey.ADVAPI32 ref: 000001D15B0417E5
Part of subcall function 000001D15B041628: RegOpenKeyExW.ADVAPI32 ref: 000001D15B041805
Part of subcall function 000001D15B041628: RegCloseKey.ADVAPI32 ref: 000001D15B041820
Part of subcall function 000001D15B041628: RegOpenKeyExW.ADVAPI32 ref: 000001D15B041840
Part of subcall function 000001D15B041628: RegCloseKey.ADVAPI32 ref: 000001D15B04185B
Part of subcall function 000001D15B041628: RegOpenKeyExW.ADVAPI32 ref: 000001D15B04187B
Part of subcall function 000001D15B041628: RegCloseKey.ADVAPI32 ref: 000001D15B041896
Part of subcall function 000001D15B041628: RegCloseKey.ADVAPI32 ref: 000001D15B0418A0

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: fea29bda833cbf6feecde1edf61a05fd6ff1c728ed5deaf4c81c3ae280df4bee
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 69311EB1210641B1FF509BA6FB413E927B4FBC6FD0F2456239E0987695FE6CC851CA50

Non-executed Functions

Function 000001D15B042B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000001D15B042BD0
lstrlenW.KERNEL32 ref: 000001D15B042E0A

Part of subcall function 000001D15B04199C: OpenProcess.KERNEL32 ref: 000001D15B0419C2
Part of subcall function 000001D15B04199C: K32GetModuleFileNameExW.KERNEL32 ref: 000001D15B0419E0
Part of subcall function 000001D15B04199C: PathFindFileNameW.SHLWAPI ref: 000001D15B0419EF
Part of subcall function 000001D15B04199C: lstrlenW.KERNEL32 ref: 000001D15B0419FB
Part of subcall function 000001D15B04199C: StrCpyW.SHLWAPI ref: 000001D15B041A0E
Part of subcall function 000001D15B04199C: CloseHandle.KERNEL32 ref: 000001D15B041A1C

GetProcAddress.KERNEL32 ref: 000001D15B042BE5

Part of subcall function 000001D15B04152C: StrCmpIW.SHLWAPI ref: 000001D15B04155D

Part of subcall function 000001D15B043844: StrCmpNIW.SHLWAPI ref: 000001D15B04385C

StrCmpNIW.SHLWAPI ref: 000001D15B042C28
lstrlenW.KERNEL32 ref: 000001D15B042D50

Strings

ntdll.dll, xrefs: 000001D15B042BC9
\Device\Nsi, xrefs: 000001D15B042C1B
NtQueryObject, xrefs: 000001D15B042BDB

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: c3f45f54cfe0e6efe55a1f18bcb72a9f2d9a57496c34c3394087bd1612bcbc7c
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 25B17F72320A50B2EB549FA6E6407E963B5FB86B94F545217EE0A53B94DF3CCC84CB40

Function 000001D15B047D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001D15B047DAC
RtlCaptureContext.NTDLL ref: 000001D15B047DD9
RtlLookupFunctionEntry.NTDLL ref: 000001D15B047DF3
RtlVirtualUnwind.NTDLL ref: 000001D15B047E34
IsDebuggerPresent.KERNEL32 ref: 000001D15B047E88
SetUnhandledExceptionFilter.KERNEL32 ref: 000001D15B047EA9
UnhandledExceptionFilter.KERNEL32 ref: 000001D15B047EB4

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: a34cf7e0d496b590cbfd30a297da93d07b58e5048821cf8556a3df1515db0795
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: BE316F72205B80AAEB609FA0F9403EE7370F786744F44462ADA4E57B94EF3CC548CB10

Function 000001D15B04D2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001D15B04D31D
RtlLookupFunctionEntry.NTDLL ref: 000001D15B04D335
RtlVirtualUnwind.NTDLL ref: 000001D15B04D370
IsDebuggerPresent.KERNEL32 ref: 000001D15B04D3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 000001D15B04D3B3
UnhandledExceptionFilter.KERNEL32 ref: 000001D15B04D3BE

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: eb2f7c0e75e15c37d588947af3a4c728285934d8ab349f98802041ec9af97f6a
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 9C314C32214B80A6EB609F65E9413EE73B4F7CA794F500226EA9D43B95DF3CC546CB00

Function 000001D15B0412BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001D15B041319
GetProcessHeap.KERNEL32 ref: 000001D15B041327
HeapAlloc.KERNEL32 ref: 000001D15B041338
RegEnumValueW.ADVAPI32 ref: 000001D15B041397

Part of subcall function 000001D15B04152C: StrCmpIW.SHLWAPI ref: 000001D15B04155D

GetProcessHeap.KERNEL32 ref: 000001D15B0413DF
HeapAlloc.KERNEL32 ref: 000001D15B0413ED
GetProcessHeap.KERNEL32 ref: 000001D15B04140A
HeapFree.KERNEL32 ref: 000001D15B041418
lstrlenW.KERNEL32 ref: 000001D15B041421
GetProcessHeap.KERNEL32 ref: 000001D15B04142F
HeapAlloc.KERNEL32 ref: 000001D15B04143D
StrCpyW.SHLWAPI ref: 000001D15B04145F
GetProcessHeap.KERNEL32 ref: 000001D15B041476
HeapFree.KERNEL32 ref: 000001D15B041484

Strings

d, xrefs: 000001D15B04135A

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: c3a5b493701ebe3be855de449fbcfcac54c230e3a369df843498cc9476486bd5
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: 24513E36604B84A6EB54CFA2F6483AA77B1F7CAF95F544225DA4907B68DF3CC045CB00

Function 000001D15B041D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000001D15B041D1F

Part of subcall function 000001D15B041FD4: GetModuleHandleA.KERNEL32 ref: 000001D15B041FEC
Part of subcall function 000001D15B041FD4: GetProcAddress.KERNEL32 ref: 000001D15B041FFD

Part of subcall function 000001D15B045B30: GetCurrentThreadId.KERNEL32 ref: 000001D15B045B6B

Strings

NtQueryDirectoryFileEx, xrefs: 000001D15B041D9C
EnumServiceGroupW, xrefs: 000001D15B041DF0
advapi32.dll, xrefs: 000001D15B041DF7, 000001D15B041E18
NtResumeThread, xrefs: 000001D15B041D62
NtEnumerateKey, xrefs: 000001D15B041DB9
sechost.dll, xrefs: 000001D15B041E39
ntdll.dll, xrefs: 000001D15B041D2D
NtEnumerateValueKey, xrefs: 000001D15B041DD6
NtDeviceIoControlFile, xrefs: 000001D15B041E56
NtQuerySystemInformation, xrefs: 000001D15B041D45
NtQueryDirectoryFile, xrefs: 000001D15B041D7F
EnumServicesStatusExW, xrefs: 000001D15B041E11, 000001D15B041E32

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: 847c38b232b83622efb6ab40ef388ee6e63c0594573860f4b8bb776333f38959
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: 7931827421094AB1FA04EFE5FA52BD46731BBC6394F905313984A029A6AF7C868ECF50

Function 000001D15B016910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001D15B016938
__scrt_acquire_startup_lock.LIBCMT ref: 000001D15B01698A
_RTC_Initialize.LIBCMT ref: 000001D15B0169B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001D15B0169DE
__scrt_release_startup_lock.LIBCMT ref: 000001D15B016A09

Strings

`eh vector vbase copy constructor iterator', xrefs: 000001D15B0169EE
scriptor', xrefs: 000001D15B016B39, 000001D15B016BB2, 000001D15B016BEC
`eh vector copy constructor iterator', xrefs: 000001D15B016A3B
`dynamic initializer for ', xrefs: 000001D15B0169C7

Memory Dump Source

Source File: 00000017.00000002.3443608691.000001D15B010000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b010000_dwm.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 0f92f31a59dc00eaf722c44483f8f73cd2cc03c828f1b8628713d74c64339858
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 9481AE71701241B6FA58ABE5FE413EA62B1BBC7780F588727AA0547796EF3DC8458F00

Function 000001D15B04CE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 000001D15B04CE37
FlsGetValue.KERNEL32(?,?,?,000001D15B050A6B,?,?,?,000001D15B05045C,?,?,?,000001D15B04C84F), ref: 000001D15B04CE4C
FlsSetValue.KERNEL32(?,?,?,000001D15B050A6B,?,?,?,000001D15B05045C,?,?,?,000001D15B04C84F), ref: 000001D15B04CE6D
FlsSetValue.KERNEL32(?,?,?,000001D15B050A6B,?,?,?,000001D15B05045C,?,?,?,000001D15B04C84F), ref: 000001D15B04CE9A
FlsSetValue.KERNEL32(?,?,?,000001D15B050A6B,?,?,?,000001D15B05045C,?,?,?,000001D15B04C84F), ref: 000001D15B04CEAB
FlsSetValue.KERNEL32(?,?,?,000001D15B050A6B,?,?,?,000001D15B05045C,?,?,?,000001D15B04C84F), ref: 000001D15B04CEBC
SetLastError.KERNEL32 ref: 000001D15B04CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001D15B050A6B,?,?,?,000001D15B05045C,?,?,?,000001D15B04C84F), ref: 000001D15B04CF0D
FlsSetValue.KERNEL32(?,?,00000001,000001D15B04ECCC,?,?,?,?,000001D15B04BF9F,?,?,?,?,?,000001D15B047AB0), ref: 000001D15B04CF2C

Part of subcall function 000001D15B04D6CC: HeapAlloc.KERNEL32 ref: 000001D15B04D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001D15B050A6B,?,?,?,000001D15B05045C,?,?,?,000001D15B04C84F), ref: 000001D15B04CF54

Part of subcall function 000001D15B04D744: HeapFree.KERNEL32 ref: 000001D15B04D75A
Part of subcall function 000001D15B04D744: GetLastError.KERNEL32 ref: 000001D15B04D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001D15B050A6B,?,?,?,000001D15B05045C,?,?,?,000001D15B04C84F), ref: 000001D15B04CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001D15B050A6B,?,?,?,000001D15B05045C,?,?,?,000001D15B04C84F), ref: 000001D15B04CF76

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: f4e4c5d8a9473628a33d2f5077bad01fe2aff28fa31526ffdc9f22cb9663eb6f
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: 76416E3030174476FE78A7F177563E922727BC77B4F244726A93A466E6EE6CC4118E00

Function 000001D15B042244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001D15B042259
GetCurrentProcessId.KERNEL32 ref: 000001D15B042263

Part of subcall function 000001D15B041934: OpenProcess.KERNEL32 ref: 000001D15B041952
Part of subcall function 000001D15B041934: IsWow64Process.KERNEL32 ref: 000001D15B041968
Part of subcall function 000001D15B041934: CloseHandle.KERNEL32 ref: 000001D15B041983

CreateFileW.KERNEL32 ref: 000001D15B0422BC
WriteFile.KERNEL32 ref: 000001D15B0422E4
ReadFile.KERNEL32 ref: 000001D15B042303
CloseHandle.KERNEL32 ref: 000001D15B04230C

Strings

\\.\pipe\dialerchildproc32, xrefs: 000001D15B042293
\\.\pipe\dialerchildproc64, xrefs: 000001D15B04228C

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 1814f6f17bd4eb66c9f2dddb447243add5568939834a825ba936ce2150b15ff5
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: D9213A36614A40A2EB10CB65F6447AA77B0F7CABA5F500316EA5903AE8DF3CC149CF00

Function 000001D15B019944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001D15B0199A1

Part of subcall function 000001D15B01A814: __GetUnwindTryBlock.LIBCMT ref: 000001D15B01A857
Part of subcall function 000001D15B01A814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001D15B01A87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001D15B019A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001D15B019CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001D15B019DDA

Strings

csm, xrefs: 000001D15B0199BB
csm, xrefs: 000001D15B019A22
csm, xrefs: 000001D15B019A9C

Memory Dump Source

Source File: 00000017.00000002.3443608691.000001D15B010000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b010000_dwm.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: b53b4730d465f63d2a7def7e89c16d69a2edfaff4366ff9ac57791692d03caa6
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 35E18172605740BAEF68DFA5EA803DD77B4F786B98F500216EE8957B55CB38C192CB00

Function 000001D15B04A544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001D15B04A5A1

Part of subcall function 000001D15B04B414: __GetUnwindTryBlock.LIBCMT ref: 000001D15B04B457
Part of subcall function 000001D15B04B414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001D15B04B47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001D15B04A679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001D15B04A8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001D15B04A9DA

Strings

csm, xrefs: 000001D15B04A5BB
csm, xrefs: 000001D15B04A69C
csm, xrefs: 000001D15B04A622

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: 17998792467375abc9129f657349386c6784c676afe6f45b0ab8792e5e6f4a6e
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 6BE17D72604B90BAEB60DFA5E6803DD77B4F796798F100216EE8957B99CB3CC591CB00

Function 000001D15B04F394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 000001D15B04F510
GetProcAddress.KERNEL32 ref: 000001D15B04F51C

Strings

ext-ms-, xrefs: 000001D15B04F46D
api-ms-, xrefs: 000001D15B04F45A

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: 3b4d740a519865691dfe855b5d6464f370dee77d0199f89936172b489e873010
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: 0741A332311A00B1FA56CBE6BA447D623B5B7CABE0F1957279D0E97794EE3CC4458B10

Function 000001D15B04104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001D15B0410B1
RegEnumValueW.ADVAPI32 ref: 000001D15B041117
GetProcessHeap.KERNEL32 ref: 000001D15B04115A
HeapAlloc.KERNEL32 ref: 000001D15B041168
GetProcessHeap.KERNEL32 ref: 000001D15B041185
HeapFree.KERNEL32 ref: 000001D15B041193

Strings

d, xrefs: 000001D15B0410D6

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: 372c0fc510a34042df3b78ae393c332b75fef1e6576bf3f42cee1a02985385ae
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: A9414F73214B84E6E760CF61E54479A77B1F38AB98F54822ADA8A07B68DF3CC545CB40

Function 000001D15B04D068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000001D15B04C7DE,?,?,?,?,?,?,?,?,000001D15B04CF9D,?,?,00000001), ref: 000001D15B04D087
FlsSetValue.KERNEL32(?,?,?,000001D15B04C7DE,?,?,?,?,?,?,?,?,000001D15B04CF9D,?,?,00000001), ref: 000001D15B04D0A6
FlsSetValue.KERNEL32(?,?,?,000001D15B04C7DE,?,?,?,?,?,?,?,?,000001D15B04CF9D,?,?,00000001), ref: 000001D15B04D0CE
FlsSetValue.KERNEL32(?,?,?,000001D15B04C7DE,?,?,?,?,?,?,?,?,000001D15B04CF9D,?,?,00000001), ref: 000001D15B04D0DF
FlsSetValue.KERNEL32(?,?,?,000001D15B04C7DE,?,?,?,?,?,?,?,?,000001D15B04CF9D,?,?,00000001), ref: 000001D15B04D0F0

Strings

Y%, xrefs: 000001D15B04D0A6
1%, xrefs: 000001D15B04D0CE

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: aaa40cc3dae03fe42047bf22d2dee8f6eb8b998fca8c59d9ce6efb97ee1b705c
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: 93117C3070464475FE68A7A57B533EA61617BC77F0F245327A939476EADE6CC8038E00

Function 000001D15B047510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001D15B047538
__scrt_acquire_startup_lock.LIBCMT ref: 000001D15B04758A
_RTC_Initialize.LIBCMT ref: 000001D15B0475B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001D15B0475DE
__scrt_release_startup_lock.LIBCMT ref: 000001D15B047609

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 7ef64722bd0dc5fb4b9f500cacf65c22ac5721653966aa96bf1b5e2c7589d070
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: E881D470600241BAFB55ABE5B7413F922B1BBC7B80F54872BAA08877D6DB7CC9458F00

Function 000001D15B049DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000001D15B049E49
GetLastError.KERNEL32 ref: 000001D15B049E57
LoadLibraryExW.KERNEL32 ref: 000001D15B049E81
FreeLibrary.KERNEL32 ref: 000001D15B049EC7
GetProcAddress.KERNEL32 ref: 000001D15B049ED3

Strings

api-ms-, xrefs: 000001D15B049E69

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 6542dcfbc63717f96d7d63913bac547d86f1b1a7744658e0e453bbadd4220068
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: CA318331312A40F9EE61DB83B6407E562B4B78ABA0F590B369D1E4B795EF3DC4458B10

Function 000001D15B053DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001D15B053DE5
GetLastError.KERNEL32 ref: 000001D15B053DF1
CloseHandle.KERNEL32 ref: 000001D15B053E09
CreateFileW.KERNEL32 ref: 000001D15B053E34
WriteConsoleW.KERNEL32 ref: 000001D15B053E53

Strings

CONOUT$, xrefs: 000001D15B053E15

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: ef750de1a3247c2b990a38252a26ec16a1a500887a1a57f35be73e00687f7190
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: DD118231710B40A6E7508B92F94435976B0F7CAFE4F144316EA5A87BE4CF7CC5548B44

Function 000001D15B042F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001D15B042F27
HeapAlloc.KERNEL32 ref: 000001D15B042F3A
StrCmpNIW.SHLWAPI ref: 000001D15B042FAF
GetProcessHeap.KERNEL32 ref: 000001D15B043015
HeapFree.KERNEL32 ref: 000001D15B043023

Strings

dialer, xrefs: 000001D15B042FA8

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 470472a3f7cd5d0495c0947c9801221add11dfc7a548ebf5f89e7b2cb495ddd3
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: 3E319032711B51B2EB55DF96F6407A977B0FB86B84F4842329E4847B65EF3CD4A18B00

Function 000001D15B0414A4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001D15B0414C5
HeapFree.KERNEL32 ref: 000001D15B0414D4
GetProcessHeap.KERNEL32 ref: 000001D15B0414E1
HeapFree.KERNEL32 ref: 000001D15B0414F0
GetProcessHeap.KERNEL32 ref: 000001D15B041500

Strings

C:\Windows\system32\dwm.exe, xrefs: 000001D15B0561A9, 000001D15B0561B1

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: Heap$Process$Free
String ID: C:\Windows\system32\dwm.exe
API String ID: 3168794593-3609004125
Opcode ID: d27b9b8ca154d9eedff1e610dfbacc8608a6d25d7c3fe3b6d17278c798082fda
Instruction ID: dabdbcab862d5c823847bb9f1a36c8033248665f108b1bacb787cf94f28979d4
Opcode Fuzzy Hash: d27b9b8ca154d9eedff1e610dfbacc8608a6d25d7c3fe3b6d17278c798082fda
Instruction Fuzzy Hash: D321CE7B509AD0BAE250DBA5BA553E937B0F7CAB44F0D4117DB4583BA3DA2CC8048B04

Function 000001D15B04CFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001D15B04CFAF
FlsSetValue.KERNEL32(?,?,?,000001D15B04D6B5,?,?,?,?,000001D15B04D778), ref: 000001D15B04CFE5
FlsSetValue.KERNEL32(?,?,?,000001D15B04D6B5,?,?,?,?,000001D15B04D778), ref: 000001D15B04D012
FlsSetValue.KERNEL32(?,?,?,000001D15B04D6B5,?,?,?,?,000001D15B04D778), ref: 000001D15B04D023
FlsSetValue.KERNEL32(?,?,?,000001D15B04D6B5,?,?,?,?,000001D15B04D778), ref: 000001D15B04D034
SetLastError.KERNEL32 ref: 000001D15B04D04F

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 6c26d7327e980a861b3c673c3d551bd8f8f308b2d161f0646f62ba0765a90d2e
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: 37116D3030464475FE64A7B177463E922727BC77B4F244727A936477EADE6CC8028E00

Function 000001D15B04199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001D15B0419C2
K32GetModuleFileNameExW.KERNEL32 ref: 000001D15B0419E0
PathFindFileNameW.SHLWAPI ref: 000001D15B0419EF
lstrlenW.KERNEL32 ref: 000001D15B0419FB
StrCpyW.SHLWAPI ref: 000001D15B041A0E
CloseHandle.KERNEL32 ref: 000001D15B041A1C

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: 4c96f278e092e0b0f794ec832aa575c1f647d4affd0ad6e980a144d8dc4d615a
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: EF016D31300A40A2EB50DB92B55839963B1FBC9BC4F584176DE4A43BA4DF3CC549CB00

Function 000001D15B0436C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001D15B0436E4
GetCurrentProcess.KERNEL32 ref: 000001D15B0436F2
VirtualProtectEx.KERNEL32 ref: 000001D15B043714
GetCurrentProcess.KERNEL32 ref: 000001D15B043732
VirtualProtectEx.KERNEL32 ref: 000001D15B043753
TerminateThread.KERNEL32 ref: 000001D15B043762

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 40e51d0f4e9512fbc0a718f310f1a3067eebee3720eb786dbb6ef4ec6dc5c18b
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: B6012D75311B40B2FB249BA2FA0839673B0BB86B96F144626CD4907BA5EF3DC5588B10

Function 000001D15B048FE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001D15B049013
_IsNonwritableInCurrentImage.LIBCMT ref: 000001D15B0490A8
RtlUnwindEx.NTDLL ref: 000001D15B0490F7

Strings

f, xrefs: 000001D15B049026
csm, xrefs: 000001D15B04908E

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction ID: 3fee21bba9d3fe2bfa8deb657e831f747f53e45e90f46698b57da63f8244e478
Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction Fuzzy Hash: 3851A032601600BEEF54DB95FA48B9937B5F387B88F108636DA16477A8DB3DD841CB00

Function 000001D15B041A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001D15B041A60
StrCmpNIW.SHLWAPI ref: 000001D15B041A7A
lstrlenW.KERNEL32 ref: 000001D15B041A89
StrCpyW.SHLWAPI ref: 000001D15B041A9E

Strings

\\?\, xrefs: 000001D15B041A6E

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: a9b1f993bb0293b32e3b46a0da01bbb9d5a4d3da55de9a8386228187a2bfec33
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: EEF04F32304641B2EB608BA1FA9479A6771FB89BC8F944222DA4946994DF3CC68DCF00

Function 000001D15B043044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000001D15B043066
StrCpyW.SHLWAPI ref: 000001D15B043076
StrCatW.SHLWAPI ref: 000001D15B043082
PathCombineW.SHLWAPI ref: 000001D15B043090

Strings

\\.\pipe\, xrefs: 000001D15B04305C

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 8de4b29a83fd7d82f2757d8ceb37c35c38af776b9c637d1fa30d62fbef3d41a5
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: C1F0FE74714B84B2EB549B92BA142996671BB8AFD0F445232EE4647B99DE3CC445CB00

Function 000001D15B04BC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001D15B04BCBD
GetProcAddress.KERNEL32 ref: 000001D15B04BCD3
FreeLibrary.KERNEL32 ref: 000001D15B04BCFA

Strings

mscoree.dll, xrefs: 000001D15B04BCB4
CorExitProcess, xrefs: 000001D15B04BCCC

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 0feca59dc5012b5cd855235799a9d2ce8aef14da6f8a5b0d5747376c96c0ed5f
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: E0F09071311B04B1EB109FA4F9843AA6331FBCABA1F54031BDA6A46AE4DF3DC048CB00

Function 000001D15B045710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001D15B045726

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
Instruction ID: d0d8aac31dab52b84cafc33b616324b7f1738be150fbe118ae97fb46216a54bb
Opcode Fuzzy Hash: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
Instruction Fuzzy Hash: 5B61C936519B44E6EB608F95F64035AB7B0F7C9784F20521AEA8D87BA8DBBCC444CF00

Function 000001D15B023504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001D15B02352C
_set_statfp.LIBCMT ref: 000001D15B023547
_set_statfp.LIBCMT ref: 000001D15B023563
_set_statfp.LIBCMT ref: 000001D15B02359F

Memory Dump Source

Source File: 00000017.00000002.3443608691.000001D15B010000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b010000_dwm.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 30584bc57789e6ee81416ff34d8a95e2d7b77e77304d0cfcf3086ea6b74576e2
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: AE11A732610A2139FA5415E8F7523E9D1A07BDB3B4F98472BA96E063D6CB2CC88D4E00

Function 000001D15B054104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001D15B05412C
_set_statfp.LIBCMT ref: 000001D15B054147
_set_statfp.LIBCMT ref: 000001D15B054163
_set_statfp.LIBCMT ref: 000001D15B05419F

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 87c04dc855c83be6cf03c2d5bce00b20f52ab8d45107f2f1f9cfc53284570236
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 8B115132A10A5131F6E415E8F6573ED1171BBEB3F8F190726A97607EFE9A2CC8414A08

Function 000001D15B01F040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001D15B01F124

Strings

Tuesday, xrefs: 000001D15B01F0F4
or copy constructor iterator', xrefs: 000001D15B01F25A, 000001D15B01F275
Wednesday, xrefs: 000001D15B01F1ED

Memory Dump Source

Source File: 00000017.00000002.3443608691.000001D15B010000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b010000_dwm.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 4255c40cf4609273125910dc4f725253a0c0094a12a1b1d3e0a6b5997d5294aa
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 9D619C76600A40B2FA6D9BE9FF443EA6AB1B7C7790F544717DA0A077A5DB3CC8458E00

Function 000001D15B04AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001D15B04AA68
_CallSETranslator.LIBVCRUNTIME ref: 000001D15B04AAB7

Strings

RCC, xrefs: 000001D15B04AA85
MOC, xrefs: 000001D15B04AA7C

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 67b3543c748d2b3be81196d0d9147a1e7aa28ffd8122ffd7290412c99aa1c4c4
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: BE614732600B94AAEB20DFA5E6803DD77B1F389B98F044216EF4917B99DB7CC595CB40

Function 000001D15B01A178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001D15B01A1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001D15B01A288

Strings

csm, xrefs: 000001D15B01A1C2
csm, xrefs: 000001D15B01A2DA

Memory Dump Source

Source File: 00000017.00000002.3443608691.000001D15B010000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b010000_dwm.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 7438c07df478a27d675d7ffde1f1338b61774b9e45e667ffbb933001aba2f3ff
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: D1516E32100390FAEB688F95AA4439977B0F396B94F184317EAA987BD5CB3CD491CF01

Function 000001D15B04AD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001D15B04ADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001D15B04AE88

Strings

csm, xrefs: 000001D15B04ADC2
csm, xrefs: 000001D15B04AEDA

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: c511c1d56ef009ebeb2e79d06855cd9913738c7efc7b967cda3122ace8f4b95b
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 87517D72100690BAEB748F96A68439977B0F3D6B95F144317EA9A47BD5CB3CD491CF00

Function 000001D15B018405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001D15B018413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001D15B0184A8

Strings

f, xrefs: 000001D15B018426
csm, xrefs: 000001D15B01848E

Memory Dump Source

Source File: 00000017.00000002.3443608691.000001D15B010000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b010000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: a65d357b83cb533cf093432d5ab809af4dcfb38c6c0eda6697071d7300313a4c
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 2351A132701700BBDB18CF55FA44BA937B6F396B98F548226DA0643788FB38CA418F04

Function 000001D15B0183E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001D15B018413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001D15B0184A8

Strings

f, xrefs: 000001D15B018426
csm, xrefs: 000001D15B01848E

Memory Dump Source

Source File: 00000017.00000002.3443608691.000001D15B010000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b010000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 935151499f3d542732ff949c3ca27a4128c0367f1ef5e7c9261de7048f993fb3
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: CB316832201740B6E7189F51FA44BA977B5F386B98F558216EE5A07788EF3CCA40CB04

Function 000001D15B052058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001D15B0520D7
WriteFile.KERNEL32 ref: 000001D15B05239F
WriteFile.KERNEL32 ref: 000001D15B0523E5
GetLastError.KERNEL32 ref: 000001D15B05249B

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: 549096681085db3ec9784c85d99991bdbb80500f4305d58c37b34a5c93628a8d
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: A1D1E032B14A80A9EB11CFA9E6403EC3BB1F796798F144316DE5997FD9DA38D406CB40

Function 000001D15B052980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000001D15B052A9C
GetLastError.KERNEL32 ref: 000001D15B052B27

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: 7b79d4494b9c56ce8ae86e1994d304fe12ae4d8a6305853edd73f5b12fe13e73
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: 1E919072710654B9F7649FA5A6503ED3BB0BB96B88F14420BDE4A67ED5DB3CC482CB00

Function 000001D15B047960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001D15B04798C
GetCurrentThreadId.KERNEL32 ref: 000001D15B04799A
GetCurrentProcessId.KERNEL32 ref: 000001D15B0479A6
QueryPerformanceCounter.KERNEL32 ref: 000001D15B0479B6

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 5b5c35b1175247e5273e9bf437aab90f0a04240741291e3a26e916c0b6d18cd4
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 90111C32710B01AAEF408FA0E9553A833B4F75A758F441E22DA6D86BA4DF7CC1988780

Function 000001D15B04253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001D15B042620
StrCpyW.SHLWAPI ref: 000001D15B042639

Strings

\\.\pipe\, xrefs: 000001D15B04262B

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: b822d88d406f96f7f5968053efa4e95dab568485db567580b04a688fd4eb3749
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: 3071E136320781B6E7249FA6BA443EA67B4F7CAB84F544227DD0953B89DA3CC6458F00

Function 000001D15B019E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001D15B019EB7

Strings

RCC, xrefs: 000001D15B019E85
MOC, xrefs: 000001D15B019E7C

Memory Dump Source

Source File: 00000017.00000002.3443608691.000001D15B010000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b010000_dwm.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 837f3a118a1ffc4853e67fdd03e407b5c6d28617691c74c45fea9710cc7b4a26
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 4D617D37601B84AAEB28DFA5E9803DD77B0F385B88F144216EF4917B99DB38D195CB00

Function 000001D15B042330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001D15B042416
StrCpyW.SHLWAPI ref: 000001D15B04242D

Strings

\\.\pipe\, xrefs: 000001D15B042421

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: da552857855effc6cb260d69286bdff249e21fb565f997edec76b48a8281462b
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 2A51CF32724781B1E6649EAAB6683FAA7B1F3C7780F450727DE5903B99DA3DC5048F40

Function 000001D15B0526F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001D15B052807
GetLastError.KERNEL32 ref: 000001D15B052829

Strings

U, xrefs: 000001D15B0527B3

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: edfa0340a2b61bc4df6774f2da4fb4af1873c429cd1ec09329ee9fff47884b31
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: C141A032715A84A6EB20CFA5F9443EA67B4F799794F504222EE4D87B98EB3CC541CB40

Function 000001D15B0494A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001D15B0494F0
RaiseException.KERNEL32 ref: 000001D15B049531

Strings

csm, xrefs: 000001D15B04951E

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 95977bb38f9df96595b236887bcfd50ef01fd6f04194bab099295ba62419ba2e
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 5D112832214B80A2EB618B15F544399B7E5FBC9B94F584322EE8D47B68DF3CC551CB00

Function 000001D15B017356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001D15B01737C

Strings

riptor at (, xrefs: 000001D15B017364
ierarchy Descriptor', xrefs: 000001D15B017381

Memory Dump Source

Source File: 00000017.00000002.3443608691.000001D15B010000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b010000_dwm.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 8f66a92c325a30d226c3968c140b7013ecc90217a4077a61c1c7d0017b0ed424
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 8EE04F61640B44B0DB028F61E9412D873A1AB99B64B889222995C46311FA3CD2E9C700

Function 000001D15B0173B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001D15B0173D8

Strings

riptor at (, xrefs: 000001D15B0173C0
Locator', xrefs: 000001D15B0173DD

Memory Dump Source

Source File: 00000017.00000002.3443608691.000001D15B010000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B010000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b010000_dwm.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 837328f5ae0287d0af7e7d5c6260f2d9ab2d69ed995cdf6e96feb25a95f52fd5
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 18E08671600B44B0DF018F61E9412E87371F799B64F88D223CD4C46311EA3CD1E9C700

Function 000001D15B041BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001D15B041C2D
HeapAlloc.KERNEL32 ref: 000001D15B041C3B
GetProcessHeap.KERNEL32 ref: 000001D15B041C77
HeapFree.KERNEL32 ref: 000001D15B041C85

Part of subcall function 000001D15B04152C: StrCmpIW.SHLWAPI ref: 000001D15B04155D

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: 804419b86838cfa2a071d65cdf2e5bc7eb77247df5a01ac741e4d9c9ac48bae4
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: 38116035601B44A1EA44DBA7B9043AA77B1F7CAFC0F184226DE4D43B65DE3CC4428B00

Function 000001D15B041268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001D15B04126E
HeapAlloc.KERNEL32 ref: 000001D15B04127D
GetProcessHeap.KERNEL32 ref: 000001D15B041297
HeapAlloc.KERNEL32 ref: 000001D15B0412A8

Memory Dump Source

Source File: 00000017.00000002.3443668911.000001D15B040000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B040000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_1d15b040000_dwm.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: dd047e11ee53c4bbb03a0791eb1b859c29dce02efb5b6fd11d193f6817388917
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 5AE09235601604A6EB448FA2E9083AA36F1FBCEF06F08C124C90907BA1DF7DC4D9CB50

Analysis Process: svchost.exePID: 436, Parent PID: 1172COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	74
Total number of Limit Nodes:	2

Executed Functions

Function 0000023AF32E1628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000023AF32E1633
HeapAlloc.KERNEL32 ref: 0000023AF32E1642

Part of subcall function 0000023AF32E1268: GetProcessHeap.KERNEL32 ref: 0000023AF32E126E
Part of subcall function 0000023AF32E1268: HeapAlloc.KERNEL32 ref: 0000023AF32E127D
Part of subcall function 0000023AF32E1268: GetProcessHeap.KERNEL32 ref: 0000023AF32E1297
Part of subcall function 0000023AF32E1268: HeapAlloc.KERNEL32 ref: 0000023AF32E12A8

RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E16B2
RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E16DF
RegCloseKey.ADVAPI32 ref: 0000023AF32E16F9
RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E1719
RegCloseKey.ADVAPI32 ref: 0000023AF32E1734
RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E1754
RegCloseKey.ADVAPI32 ref: 0000023AF32E176F
RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E178F
RegCloseKey.ADVAPI32 ref: 0000023AF32E17AA
RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E17CA
RegCloseKey.ADVAPI32 ref: 0000023AF32E17E5
RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E1805
RegCloseKey.ADVAPI32 ref: 0000023AF32E1820
RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E1840
RegCloseKey.ADVAPI32 ref: 0000023AF32E185B
RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E187B
RegCloseKey.ADVAPI32 ref: 0000023AF32E1896
RegCloseKey.ADVAPI32 ref: 0000023AF32E18A0

Part of subcall function 0000023AF32E12BC: RegQueryInfoKeyW.ADVAPI32 ref: 0000023AF32E1319
Part of subcall function 0000023AF32E12BC: GetProcessHeap.KERNEL32 ref: 0000023AF32E1327
Part of subcall function 0000023AF32E12BC: HeapAlloc.KERNEL32 ref: 0000023AF32E1338
Part of subcall function 0000023AF32E12BC: RegEnumValueW.ADVAPI32 ref: 0000023AF32E1397
Part of subcall function 0000023AF32E12BC: GetProcessHeap.KERNEL32 ref: 0000023AF32E13DF
Part of subcall function 0000023AF32E12BC: HeapAlloc.KERNEL32 ref: 0000023AF32E13ED
Part of subcall function 0000023AF32E12BC: GetProcessHeap.KERNEL32 ref: 0000023AF32E140A
Part of subcall function 0000023AF32E12BC: HeapFree.KERNEL32 ref: 0000023AF32E1418
Part of subcall function 0000023AF32E12BC: lstrlenW.KERNEL32 ref: 0000023AF32E1421
Part of subcall function 0000023AF32E12BC: GetProcessHeap.KERNEL32 ref: 0000023AF32E142F
Part of subcall function 0000023AF32E12BC: HeapAlloc.KERNEL32 ref: 0000023AF32E143D

Strings

pid, xrefs: 0000023AF32E1712
tcp_local, xrefs: 0000023AF32E17FE
paths, xrefs: 0000023AF32E1788
service_names, xrefs: 0000023AF32E17C3
startup, xrefs: 0000023AF32E16D5
process_names, xrefs: 0000023AF32E174D
tcp_remote, xrefs: 0000023AF32E1839
udp, xrefs: 0000023AF32E1874
SOFTWARE\dialerconfig, xrefs: 0000023AF32E1692

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: ee723ffc3aa04360758a76d5d7d100dccbb7a60cfb46d6529805fec6e03ef3e0
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 57711B26310A1086EB149F36E85969D7368FBA4F88F401135DD8E47FA8DF3EC684C741

Function 0000023AF32E328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000023AF32E32AE
PathFindFileNameW.SHLWAPI ref: 0000023AF32E32BD

Part of subcall function 0000023AF32E3844: StrCmpNIW.SHLWAPI ref: 0000023AF32E385C

Part of subcall function 0000023AF32E3790: GetModuleHandleW.KERNEL32 ref: 0000023AF32E379E
Part of subcall function 0000023AF32E3790: GetCurrentProcess.KERNEL32 ref: 0000023AF32E37CC
Part of subcall function 0000023AF32E3790: VirtualProtectEx.KERNEL32 ref: 0000023AF32E37EE
Part of subcall function 0000023AF32E3790: GetCurrentProcess.KERNEL32 ref: 0000023AF32E3809
Part of subcall function 0000023AF32E3790: VirtualProtectEx.KERNEL32 ref: 0000023AF32E382A

CreateThread.KERNEL32 ref: 0000023AF32E330B

Part of subcall function 0000023AF32E1D14: GetCurrentThread.KERNEL32 ref: 0000023AF32E1D1F

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: bfc441e202b70e990e34d141dd28dcd24dd31b6297016785c974490ec41ce35d
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 3211617061064082F7689721F88EB69A39CBF7474AF584138AADA81DD1EF7FC3C48752

Function 0000023AF32E1ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000023AF32E1628: GetProcessHeap.KERNEL32 ref: 0000023AF32E1633
Part of subcall function 0000023AF32E1628: HeapAlloc.KERNEL32 ref: 0000023AF32E1642
Part of subcall function 0000023AF32E1628: RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E16B2
Part of subcall function 0000023AF32E1628: RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E16DF
Part of subcall function 0000023AF32E1628: RegCloseKey.ADVAPI32 ref: 0000023AF32E16F9
Part of subcall function 0000023AF32E1628: RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E1719
Part of subcall function 0000023AF32E1628: RegCloseKey.ADVAPI32 ref: 0000023AF32E1734
Part of subcall function 0000023AF32E1628: RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E1754
Part of subcall function 0000023AF32E1628: RegCloseKey.ADVAPI32 ref: 0000023AF32E176F
Part of subcall function 0000023AF32E1628: RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E178F
Part of subcall function 0000023AF32E1628: RegCloseKey.ADVAPI32 ref: 0000023AF32E17AA
Part of subcall function 0000023AF32E1628: RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E17CA

Sleep.KERNEL32 ref: 0000023AF32E1AD7
SleepEx.KERNELBASE ref: 0000023AF32E1ADD

Part of subcall function 0000023AF32E1628: RegCloseKey.ADVAPI32 ref: 0000023AF32E17E5
Part of subcall function 0000023AF32E1628: RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E1805
Part of subcall function 0000023AF32E1628: RegCloseKey.ADVAPI32 ref: 0000023AF32E1820
Part of subcall function 0000023AF32E1628: RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E1840
Part of subcall function 0000023AF32E1628: RegCloseKey.ADVAPI32 ref: 0000023AF32E185B
Part of subcall function 0000023AF32E1628: RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E187B
Part of subcall function 0000023AF32E1628: RegCloseKey.ADVAPI32 ref: 0000023AF32E1896
Part of subcall function 0000023AF32E1628: RegCloseKey.ADVAPI32 ref: 0000023AF32E18A0

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: d293a7ecf22ae8c07a26979ff054afc44229310735744583370fa13e0ba43a09
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 8331F16120064141FF58DB26DA4A3A993ACAF64BC4F0854359E8D87FD9FF1EE6D1C212

Function 0000023AF32B273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000023AF32B285E

Memory Dump Source

Source File: 00000018.00000002.3388365829.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32b0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 3da15631c9552bda4809b53278dd1c51c7a8308e220c86789214b26559236580
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 3861FF32B01B9087EB588F15900872DB3A2FB64BA4F688135DE9D07BC8DB3DE952C711

Non-executed Functions

Function 0000023AF32E2B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000023AF32E2BD0
lstrlenW.KERNEL32 ref: 0000023AF32E2E0A

Part of subcall function 0000023AF32E199C: OpenProcess.KERNEL32 ref: 0000023AF32E19C2
Part of subcall function 0000023AF32E199C: K32GetModuleFileNameExW.KERNEL32 ref: 0000023AF32E19E0
Part of subcall function 0000023AF32E199C: PathFindFileNameW.SHLWAPI ref: 0000023AF32E19EF
Part of subcall function 0000023AF32E199C: lstrlenW.KERNEL32 ref: 0000023AF32E19FB
Part of subcall function 0000023AF32E199C: StrCpyW.SHLWAPI ref: 0000023AF32E1A0E
Part of subcall function 0000023AF32E199C: CloseHandle.KERNEL32 ref: 0000023AF32E1A1C

GetProcAddress.KERNEL32 ref: 0000023AF32E2BE5

Part of subcall function 0000023AF32E152C: StrCmpIW.SHLWAPI ref: 0000023AF32E155D

Part of subcall function 0000023AF32E3844: StrCmpNIW.SHLWAPI ref: 0000023AF32E385C

StrCmpNIW.SHLWAPI ref: 0000023AF32E2C28
lstrlenW.KERNEL32 ref: 0000023AF32E2D50

Strings

ntdll.dll, xrefs: 0000023AF32E2BC9
\Device\Nsi, xrefs: 0000023AF32E2C1B
NtQueryObject, xrefs: 0000023AF32E2BDB

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: 98dc20d53b9ffa1a8ca992e3ea5a6f8ebec1cdeae552b08220cceac7e5cea71a
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 0AB1926221075082EB5CEF25D4497A9A3A9FB64B84F445036DE8A53FD4DF3EDE80C781

Function 0000023AF32E7D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000023AF32E7DAC
RtlCaptureContext.NTDLL ref: 0000023AF32E7DD9
RtlLookupFunctionEntry.NTDLL ref: 0000023AF32E7DF3
RtlVirtualUnwind.NTDLL ref: 0000023AF32E7E34
IsDebuggerPresent.KERNEL32 ref: 0000023AF32E7E88
SetUnhandledExceptionFilter.KERNEL32 ref: 0000023AF32E7EA9
UnhandledExceptionFilter.KERNEL32 ref: 0000023AF32E7EB4

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: f80704e4090aec457dd619ddbf93a46e313ac98ba8684ae4ab85bc3349a4acc6
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 48315D72305B808AEB649F64E8447ED7368F794B44F44402ADA8D57B98EF3DC648CB10

Function 0000023AF32ED2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000023AF32ED31D
RtlLookupFunctionEntry.NTDLL ref: 0000023AF32ED335
RtlVirtualUnwind.NTDLL ref: 0000023AF32ED370
IsDebuggerPresent.KERNEL32 ref: 0000023AF32ED3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 0000023AF32ED3B3
UnhandledExceptionFilter.KERNEL32 ref: 0000023AF32ED3BE

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 9624eecabc732b79e81a6373d390755405d02b5869d1bd8e9f427c0fee0c5b47
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: A6317E32214B808AEB64CF25E84539E73A8FB99B54F500126EADD43F98DF3DC695CB01

Function 0000023AF32E12BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000023AF32E1319
GetProcessHeap.KERNEL32 ref: 0000023AF32E1327
HeapAlloc.KERNEL32 ref: 0000023AF32E1338
RegEnumValueW.ADVAPI32 ref: 0000023AF32E1397

Part of subcall function 0000023AF32E152C: StrCmpIW.SHLWAPI ref: 0000023AF32E155D

GetProcessHeap.KERNEL32 ref: 0000023AF32E13DF
HeapAlloc.KERNEL32 ref: 0000023AF32E13ED
GetProcessHeap.KERNEL32 ref: 0000023AF32E140A
HeapFree.KERNEL32 ref: 0000023AF32E1418
lstrlenW.KERNEL32 ref: 0000023AF32E1421
GetProcessHeap.KERNEL32 ref: 0000023AF32E142F
HeapAlloc.KERNEL32 ref: 0000023AF32E143D
StrCpyW.SHLWAPI ref: 0000023AF32E145F
GetProcessHeap.KERNEL32 ref: 0000023AF32E1476
HeapFree.KERNEL32 ref: 0000023AF32E1484

Strings

d, xrefs: 0000023AF32E135A

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: 44ec96c4dca53712827799cb354bea119c19488123cee649313871abe28699f2
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: 49516C76200B8486EB58DF62E44835EB7A5F798F89F044134DE8A07B98DF3EC249CB01

Function 0000023AF32E1D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000023AF32E1D1F

Part of subcall function 0000023AF32E1FD4: GetModuleHandleA.KERNEL32 ref: 0000023AF32E1FEC
Part of subcall function 0000023AF32E1FD4: GetProcAddress.KERNEL32 ref: 0000023AF32E1FFD

Part of subcall function 0000023AF32E5B30: GetCurrentThreadId.KERNEL32 ref: 0000023AF32E5B6B

Strings

NtDeviceIoControlFile, xrefs: 0000023AF32E1E56
EnumServicesStatusExW, xrefs: 0000023AF32E1E11, 0000023AF32E1E32
NtEnumerateValueKey, xrefs: 0000023AF32E1DD6
sechost.dll, xrefs: 0000023AF32E1E39
advapi32.dll, xrefs: 0000023AF32E1DF7, 0000023AF32E1E18
NtQueryDirectoryFile, xrefs: 0000023AF32E1D7F
NtResumeThread, xrefs: 0000023AF32E1D62
NtQueryDirectoryFileEx, xrefs: 0000023AF32E1D9C
ntdll.dll, xrefs: 0000023AF32E1D2D
NtEnumerateKey, xrefs: 0000023AF32E1DB9
EnumServiceGroupW, xrefs: 0000023AF32E1DF0
NtQuerySystemInformation, xrefs: 0000023AF32E1D45

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: de7cba9eaa82766f2ac71d34862b1f30ad60a327fc8075d0386d60777f2da56b
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: 9E31AEA4210A4AA0EB08EF65E85A7D4A324BB24744F84513394D942DEADF7FC389D793

Function 0000023AF32B6910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000023AF32B6938
__scrt_acquire_startup_lock.LIBCMT ref: 0000023AF32B698A
_RTC_Initialize.LIBCMT ref: 0000023AF32B69B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000023AF32B69DE
__scrt_release_startup_lock.LIBCMT ref: 0000023AF32B6A09

Strings

scriptor', xrefs: 0000023AF32B6B39, 0000023AF32B6BB2, 0000023AF32B6BEC
`eh vector copy constructor iterator', xrefs: 0000023AF32B6A3B
`dynamic initializer for ', xrefs: 0000023AF32B69C7
`eh vector vbase copy constructor iterator', xrefs: 0000023AF32B69EE

Memory Dump Source

Source File: 00000018.00000002.3388365829.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32b0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: aa7523ff3450d8138d324d1415d18bdd61c465b0ca31d792af1584c48e49331f
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 0281BF2170064186FB5CAB66944D35962A0FBB5B80F5880359AC987FE7DF3FCB868743

Function 0000023AF32ECE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 0000023AF32ECE37
FlsGetValue.KERNEL32(?,?,?,0000023AF32F0A6B,?,?,?,0000023AF32F045C,?,?,?,0000023AF32EC84F), ref: 0000023AF32ECE4C
FlsSetValue.KERNEL32(?,?,?,0000023AF32F0A6B,?,?,?,0000023AF32F045C,?,?,?,0000023AF32EC84F), ref: 0000023AF32ECE6D
FlsSetValue.KERNEL32(?,?,?,0000023AF32F0A6B,?,?,?,0000023AF32F045C,?,?,?,0000023AF32EC84F), ref: 0000023AF32ECE9A
FlsSetValue.KERNEL32(?,?,?,0000023AF32F0A6B,?,?,?,0000023AF32F045C,?,?,?,0000023AF32EC84F), ref: 0000023AF32ECEAB
FlsSetValue.KERNEL32(?,?,?,0000023AF32F0A6B,?,?,?,0000023AF32F045C,?,?,?,0000023AF32EC84F), ref: 0000023AF32ECEBC
SetLastError.KERNEL32 ref: 0000023AF32ECED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000023AF32F0A6B,?,?,?,0000023AF32F045C,?,?,?,0000023AF32EC84F), ref: 0000023AF32ECF0D
FlsSetValue.KERNEL32(?,?,00000001,0000023AF32EECCC,?,?,?,?,0000023AF32EBF9F,?,?,?,?,?,0000023AF32E7AB0), ref: 0000023AF32ECF2C

Part of subcall function 0000023AF32ED6CC: HeapAlloc.KERNEL32 ref: 0000023AF32ED721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000023AF32F0A6B,?,?,?,0000023AF32F045C,?,?,?,0000023AF32EC84F), ref: 0000023AF32ECF54

Part of subcall function 0000023AF32ED744: HeapFree.KERNEL32 ref: 0000023AF32ED75A
Part of subcall function 0000023AF32ED744: GetLastError.KERNEL32 ref: 0000023AF32ED764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000023AF32F0A6B,?,?,?,0000023AF32F045C,?,?,?,0000023AF32EC84F), ref: 0000023AF32ECF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000023AF32F0A6B,?,?,?,0000023AF32F045C,?,?,?,0000023AF32EC84F), ref: 0000023AF32ECF76

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 4f1da59daabb27cd6b0dd6ca2d60cef7b0ed2b74a20c8addae82343016ffbeb4
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: 52419D6060025446FB6CA3B9554F369B24A5F647B4F184734E8F606EEADE3EDBC18203

Function 0000023AF32E2244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000023AF32E2259
GetCurrentProcessId.KERNEL32 ref: 0000023AF32E2263

Part of subcall function 0000023AF32E1934: OpenProcess.KERNEL32 ref: 0000023AF32E1952
Part of subcall function 0000023AF32E1934: IsWow64Process.KERNEL32 ref: 0000023AF32E1968
Part of subcall function 0000023AF32E1934: CloseHandle.KERNEL32 ref: 0000023AF32E1983

CreateFileW.KERNEL32 ref: 0000023AF32E22BC
WriteFile.KERNEL32 ref: 0000023AF32E22E4
ReadFile.KERNEL32 ref: 0000023AF32E2303
CloseHandle.KERNEL32 ref: 0000023AF32E230C

Strings

\\.\pipe\dialerchildproc64, xrefs: 0000023AF32E228C
\\.\pipe\dialerchildproc32, xrefs: 0000023AF32E2293

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: a8d4ddb08ab43e39ca41348e59499764ae55964e0db52882bde19170e5b30b0e
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 84213D3261475083EB14DB25E54875A67A4F799BA4F500225EA9A03FE8CF3DC249CF01

Function 0000023AF32EA544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000023AF32EA5A1

Part of subcall function 0000023AF32EB414: __GetUnwindTryBlock.LIBCMT ref: 0000023AF32EB457
Part of subcall function 0000023AF32EB414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000023AF32EB47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000023AF32EA679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000023AF32EA8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 0000023AF32EA9DA

Strings

csm, xrefs: 0000023AF32EA5BB
csm, xrefs: 0000023AF32EA622
csm, xrefs: 0000023AF32EA69C

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: b4d8cd867aaeb3ad171d14d2f9034518e5dc5eb0835e7de6886729e79cec17f7
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 76E17D726047808AEB28DF65D48A39DB7A8FB65798F100126EEC957F95CB3DC6C1C702

Function 0000023AF32B9944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000023AF32B99A1

Part of subcall function 0000023AF32BA814: __GetUnwindTryBlock.LIBCMT ref: 0000023AF32BA857
Part of subcall function 0000023AF32BA814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000023AF32BA87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000023AF32B9A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000023AF32B9CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 0000023AF32B9DDA

Strings

csm, xrefs: 0000023AF32B99BB
csm, xrefs: 0000023AF32B9A22
csm, xrefs: 0000023AF32B9A9C

Memory Dump Source

Source File: 00000018.00000002.3388365829.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32b0000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 5cd99f4a483f263c615ceea0efd3ddc411abd48ac49001fa3fe7c477d7fb9094
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 81E19C72604B80CAEB689B25D48839D77A0F769B88F104525EEC957F99CB3EC291C702

Function 0000023AF32EF394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32 ref: 0000023AF32EF510
GetProcAddress.KERNEL32 ref: 0000023AF32EF51C

Strings

ext-ms-, xrefs: 0000023AF32EF46D
api-ms-, xrefs: 0000023AF32EF45A

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: 7e27abf47b83b17f015314e1dc6a0d4402c721e608e4e3179cb03febb156a4ab
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: 5541F823315A0051FB19CB66A809759A399FF65BE0F0A41359E8D87FC4EF3EC7858302

Function 0000023AF32E104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000023AF32E10B1
RegEnumValueW.ADVAPI32 ref: 0000023AF32E1117
GetProcessHeap.KERNEL32 ref: 0000023AF32E115A
HeapAlloc.KERNEL32 ref: 0000023AF32E1168
GetProcessHeap.KERNEL32 ref: 0000023AF32E1185
HeapFree.KERNEL32 ref: 0000023AF32E1193

Strings

d, xrefs: 0000023AF32E10D6

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: c2ce9a83bb39aa8cf87631e872da634b098ba8a270060c436afb6f1334a8ced9
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: B9417C76214B84C6E764CF21E44979EB7A5F388B88F048129DA890BB98DF3DD589CB01

Function 0000023AF32ED068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FlsGetValue.KERNEL32(?,?,?,0000023AF32EC7DE,?,?,?,?,?,?,?,?,0000023AF32ECF9D,?,?,00000001), ref: 0000023AF32ED087
FlsSetValue.KERNEL32(?,?,?,0000023AF32EC7DE,?,?,?,?,?,?,?,?,0000023AF32ECF9D,?,?,00000001), ref: 0000023AF32ED0A6
FlsSetValue.KERNEL32(?,?,?,0000023AF32EC7DE,?,?,?,?,?,?,?,?,0000023AF32ECF9D,?,?,00000001), ref: 0000023AF32ED0CE
FlsSetValue.KERNEL32(?,?,?,0000023AF32EC7DE,?,?,?,?,?,?,?,?,0000023AF32ECF9D,?,?,00000001), ref: 0000023AF32ED0DF
FlsSetValue.KERNEL32(?,?,?,0000023AF32EC7DE,?,?,?,?,?,?,?,?,0000023AF32ECF9D,?,?,00000001), ref: 0000023AF32ED0F0

Strings

Y%, xrefs: 0000023AF32ED0A6
1%, xrefs: 0000023AF32ED0CE

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: 9b97164e2f521d5ce6a6030bd677edd7b008a30c487866d669dd02ea5029d614
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: F211936470024046FB6CA726965F369E2495F647F0F184334A8F90BEDADE2FC7828212

Function 0000023AF32E7510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000023AF32E7538
__scrt_acquire_startup_lock.LIBCMT ref: 0000023AF32E758A
_RTC_Initialize.LIBCMT ref: 0000023AF32E75B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000023AF32E75DE
__scrt_release_startup_lock.LIBCMT ref: 0000023AF32E7609

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: cc4bd47b747a076d3a70656ebe8af1318798e3ef24b2b66c07c979a3a6a4a38b
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: F781D02170020186FB5CAB6DE44B39DA298AF75B84F184435EAC447FD6EB3FCB859702

Function 0000023AF32E9DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 0000023AF32E9E49
GetLastError.KERNEL32 ref: 0000023AF32E9E57
LoadLibraryExW.KERNEL32 ref: 0000023AF32E9E81
FreeLibrary.KERNEL32 ref: 0000023AF32E9EC7
GetProcAddress.KERNEL32 ref: 0000023AF32E9ED3

Strings

api-ms-, xrefs: 0000023AF32E9E69

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 29a3aad0747f712a65b36c3bf1f5cb4a4b5ca32a0e5e27ed2c0d311cdf3eb7cb
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 7131C721312740D1EF19DB52A409B59A29CFB68BA0F5D09379E9D07BD0DF3EC6C58742

Function 0000023AF32F3DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000023AF32F3DE5
GetLastError.KERNEL32 ref: 0000023AF32F3DF1
CloseHandle.KERNEL32 ref: 0000023AF32F3E09
CreateFileW.KERNEL32 ref: 0000023AF32F3E34
WriteConsoleW.KERNEL32 ref: 0000023AF32F3E53

Strings

CONOUT$, xrefs: 0000023AF32F3E15

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: 9dc6895154f490a0fa1379aad1beb104b20039b2d52934f260433463d6ad7ce2
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 5E118231710B4086E7549B66E84831D76A4F798FE8F144234EEDA87BD4CF3DC6148B85

Function 0000023AF32E3790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000023AF32E379E
GetCurrentProcess.KERNEL32 ref: 0000023AF32E37CC
VirtualProtectEx.KERNEL32 ref: 0000023AF32E37EE
GetCurrentProcess.KERNEL32 ref: 0000023AF32E3809
VirtualProtectEx.KERNEL32 ref: 0000023AF32E382A

Strings

wr, xrefs: 0000023AF32E37FF

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: ee159a358a29a47cc67f4c3be2c5703ed440c377ad2b83d771141e801391207f
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 9E113C2670474183EF189B21F449669B2B8FB58B85F540039DFC907B94EF3EC645CB05

Function 0000023AF32E5B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000023AF32E5B6B
GetThreadContext.KERNEL32 ref: 0000023AF32E5CD5

Part of subcall function 0000023AF32E5960: GetCurrentThreadId.KERNEL32 ref: 0000023AF32E5964

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: 78766e4399c8dc549f545ec081a1babf1706de50ce668165723e5713332fdb27
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: E6D1BC76214B8881DB74DB0AE49535AB7B4F7D8B88F140226EACD47BA5CF3DC681CB41

Function 0000023AF32E2F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000023AF32E2F27
HeapAlloc.KERNEL32 ref: 0000023AF32E2F3A
StrCmpNIW.SHLWAPI ref: 0000023AF32E2FAF
GetProcessHeap.KERNEL32 ref: 0000023AF32E3015
HeapFree.KERNEL32 ref: 0000023AF32E3023

Strings

dialer, xrefs: 0000023AF32E2FA8

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: e058bc9bb3b8aa6a493347436ec1e847b338baec1071684e9e682a020670fa46
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: D431C722701B5182E718DF26D54972AA7A4FF64B85F0841349FC947F95EF3EC6E18701

Function 0000023AF32E14A4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000023AF32E14C5
HeapFree.KERNEL32 ref: 0000023AF32E14D4
GetProcessHeap.KERNEL32 ref: 0000023AF32E14E1
HeapFree.KERNEL32 ref: 0000023AF32E14F0
GetProcessHeap.KERNEL32 ref: 0000023AF32E1500

Strings

C:\Windows\system32\svchost.exe, xrefs: 0000023AF32F61A9, 0000023AF32F61B1

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID: C:\Windows\system32\svchost.exe
API String ID: 3168794593-4180442734
Opcode ID: d27b9b8ca154d9eedff1e610dfbacc8608a6d25d7c3fe3b6d17278c798082fda
Instruction ID: 86b26c9247c8104daadc16f0a306905e38207ed0c73cb0503fda9d0042af8dc4
Opcode Fuzzy Hash: d27b9b8ca154d9eedff1e610dfbacc8608a6d25d7c3fe3b6d17278c798082fda
Instruction Fuzzy Hash: 3821A567608AD08AE358EF359C5929E27A9F765F44F094035DBC543BC3DE2FD6048B02

Function 0000023AF32ECFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000023AF32ECFAF
FlsSetValue.KERNEL32(?,?,?,0000023AF32ED6B5,?,?,?,?,0000023AF32ED778), ref: 0000023AF32ECFE5
FlsSetValue.KERNEL32(?,?,?,0000023AF32ED6B5,?,?,?,?,0000023AF32ED778), ref: 0000023AF32ED012
FlsSetValue.KERNEL32(?,?,?,0000023AF32ED6B5,?,?,?,?,0000023AF32ED778), ref: 0000023AF32ED023
FlsSetValue.KERNEL32(?,?,?,0000023AF32ED6B5,?,?,?,?,0000023AF32ED778), ref: 0000023AF32ED034
SetLastError.KERNEL32 ref: 0000023AF32ED04F

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: d626b139bf2515b181b52ca9d9c8d6f5990de9874432f050005ae24276e9d5b3
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: E111632070024046FB6CA776965F329A24A6F647B4F184735A8F647FDADE2EC7818612

Function 0000023AF32E199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000023AF32E19C2
K32GetModuleFileNameExW.KERNEL32 ref: 0000023AF32E19E0
PathFindFileNameW.SHLWAPI ref: 0000023AF32E19EF
lstrlenW.KERNEL32 ref: 0000023AF32E19FB
StrCpyW.SHLWAPI ref: 0000023AF32E1A0E
CloseHandle.KERNEL32 ref: 0000023AF32E1A1C

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: aa8edf9784ca19634c0ee458ceaeb90963ad875c59a58248a1554905202c4035
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 24012D21700A4082EB68DB62E45C75AA3A9FB98FC4F584035DEC943B95DF3DCA89CB41

Function 0000023AF32E36C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000023AF32E36E4
GetCurrentProcess.KERNEL32 ref: 0000023AF32E36F2
VirtualProtectEx.KERNEL32 ref: 0000023AF32E3714
GetCurrentProcess.KERNEL32 ref: 0000023AF32E3732
VirtualProtectEx.KERNEL32 ref: 0000023AF32E3753
TerminateThread.KERNEL32 ref: 0000023AF32E3762

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 423760b10cb6e8f78dc04e5dde3cead2652d295327a5c384355b2ac6181d5524
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 18012D6531174082EB289B21E84D71A77A8FB65B86F180538CED907BD5EF3FC648CB02

Function 0000023AF32E9005 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023AF32E9013
_IsNonwritableInCurrentImage.LIBCMT ref: 0000023AF32E90A8
RtlUnwindEx.NTDLL ref: 0000023AF32E90F7

Strings

f, xrefs: 0000023AF32E9026
csm, xrefs: 0000023AF32E908E

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 9626061da8fd3a460f6d6bcb32d7400cd34d453b169b234c9771e9f97e557f6b
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 0A51A236701200C6DB1CCB25D44DB58B79AFB64F88F508136DA964BBC8EB7ECA80C702

Function 0000023AF32E8FE8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023AF32E9013
_IsNonwritableInCurrentImage.LIBCMT ref: 0000023AF32E90A8
RtlUnwindEx.NTDLL ref: 0000023AF32E90F7

Strings

f, xrefs: 0000023AF32E9026
csm, xrefs: 0000023AF32E908E

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 63ffd36dcd3943f539e9afe8a9a4ee23790d34f2e488548bf04ad3c00dfbb63a
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 9B31B135300640C6E718DF21E84D719B7A9FB60B88F458025EE9647BC9DB3ECA80CB06

Function 0000023AF32E1A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000023AF32E1A60
StrCmpNIW.SHLWAPI ref: 0000023AF32E1A7A
lstrlenW.KERNEL32 ref: 0000023AF32E1A89
StrCpyW.SHLWAPI ref: 0000023AF32E1A9E

Strings

\\?\, xrefs: 0000023AF32E1A6E

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 9a0e6a1fe0657e61cc3420f84ac3a8e5e479968615e898656d2d3c1efce8d65c
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 0BF0442230464192EB749F21F88875D6764F768B88F944034DAC946ED4DF3DC78DCB01

Function 0000023AF32E3044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 0000023AF32E3066
StrCpyW.SHLWAPI ref: 0000023AF32E3076
StrCatW.SHLWAPI ref: 0000023AF32E3082
PathCombineW.SHLWAPI ref: 0000023AF32E3090

Strings

\\.\pipe\, xrefs: 0000023AF32E305C

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 8cbddb09e37f53dfba20b492dcc1bf506de27857d4e4897c64d7ae3e1c0e4dbf
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: A0F01264714B8482EB188B63F95C11DA669FB68FD1F085130EEC647F98DF3DC6858B01

Function 0000023AF32EBC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000023AF32EBCBD
GetProcAddress.KERNEL32 ref: 0000023AF32EBCD3
FreeLibrary.KERNEL32 ref: 0000023AF32EBCFA

Strings

CorExitProcess, xrefs: 0000023AF32EBCCC
mscoree.dll, xrefs: 0000023AF32EBCB4

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 4552aeee208f1e4eb317f117dcf18f4d43626f128b76397a397e3b68f671a9f9
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 78F0966131570582EB188B39E45D35D6364FBA4BA1F540239CEEA45AE4DF3EC284CB01

Function 0000023AF32E50D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000023AF32E5156

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: bfe489d3787a43adbdb8949a248df29ba402fffb18460cabcb06d35754e30a04
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: A502F836219B8086EB64CB59F49535AB7A4F7D5B84F200025EACE87FA8DF7DC584CB01

Function 0000023AF32E5710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000023AF32E5726

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: fe422fe2fd9d0706cea3f397b35ccc64bf2cadb06e89a3cd03a3bdbea785b399
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: B2610736528B44C6E764CB15E45931AB7A4F798784F200225EACE47FE8DB7EC690CF02

Function 0000023AF32F4104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000023AF32F412C
_set_statfp.LIBCMT ref: 0000023AF32F4147
_set_statfp.LIBCMT ref: 0000023AF32F4163
_set_statfp.LIBCMT ref: 0000023AF32F419F

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: e9de8037cbce042c27c932672d77890c086474da7a56bb84ffd5d32a8a1e3d9f
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 3611A322B10A5411FB6C357AE85D76F11406B78BB8F080634A9F607FD6CBEECB454A02

Function 0000023AF32C3504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000023AF32C352C
_set_statfp.LIBCMT ref: 0000023AF32C3547
_set_statfp.LIBCMT ref: 0000023AF32C3563
_set_statfp.LIBCMT ref: 0000023AF32C359F

Memory Dump Source

Source File: 00000018.00000002.3388365829.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32b0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: acea8926f7d136cfad38a04c0ef70594d412019f0ee89facdd49f03dfbda46d2
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 0111A722650A1111FB9D1528E4CEB6911806B7D3F4F494E38ABE606FD7CA2ECB414103

Function 0000023AF32BF040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000023AF32BF124

Strings

Wednesday, xrefs: 0000023AF32BF1ED
or copy constructor iterator', xrefs: 0000023AF32BF25A, 0000023AF32BF275
Tuesday, xrefs: 0000023AF32BF0F4

Memory Dump Source

Source File: 00000018.00000002.3388365829.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32b0000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 9efe82dca6fcfd4791c48a83946f65ccc29f20e32eafcd21540cc00e88081b6b
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: DE61C73661064066FB6D8B69E54C32E66A0F775780F548835CAC617FE9DB3ECB418303

Function 0000023AF32EAA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0000023AF32EAA68
_CallSETranslator.LIBVCRUNTIME ref: 0000023AF32EAAB7

Strings

MOC, xrefs: 0000023AF32EAA7C
RCC, xrefs: 0000023AF32EAA85

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 2e8c72c1664f9f4bebce3a912c6b2e38c4a59c609ae7cbd361f64ae5fe444afe
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: AC615A33600B848AEB18DF65D44539DB7B4FB68B88F045226EF8917B98DB3DC695C701

Function 0000023AF32EAD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023AF32EADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000023AF32EAE88

Strings

csm, xrefs: 0000023AF32EADC2
csm, xrefs: 0000023AF32EAEDA

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 2e758ee95c6cf0a9fc398afdb6447f599c145550cfacbb52d9e3712b1ed94f51
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 9C517E721003808AEB788F26958A359B7A8FF65B85F184136DAD947FD5CB3ED6D0C702

Function 0000023AF32BA178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023AF32BA1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000023AF32BA288

Strings

csm, xrefs: 0000023AF32BA1C2
csm, xrefs: 0000023AF32BA2DA

Memory Dump Source

Source File: 00000018.00000002.3388365829.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32b0000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: e22a72a4e32a4c346d049e31fc576438882dc496dc454bcd5971b3730cb575cf
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: AA516C32104680CAEB788F25955835C77A0F365B94F188226DED987FD6CB3ED6A1CB02

Function 0000023AF32B8405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023AF32B8413
_IsNonwritableInCurrentImage.LIBCMT ref: 0000023AF32B84A8

Strings

f, xrefs: 0000023AF32B8426
csm, xrefs: 0000023AF32B848E

Memory Dump Source

Source File: 00000018.00000002.3388365829.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32b0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 066f296e7c69333cf7eab93cc9b9949eb87835866d5e2c19bc447ded2b282f1c
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 2D51BD327016808AEB1DCF15E448B5937A5F364B98F568134DA8A43BC8EB3EDA81C746

Function 0000023AF32B83E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023AF32B8413
_IsNonwritableInCurrentImage.LIBCMT ref: 0000023AF32B84A8

Strings

f, xrefs: 0000023AF32B8426
csm, xrefs: 0000023AF32B848E

Memory Dump Source

Source File: 00000018.00000002.3388365829.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32b0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: fbf4d1ea09ca530c11bc050d45c78e5c1af422512be69d4936dbcf0bfcdabb2a
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 18316B32201A80D6EB19DF12E848B5977A4F760BD8F558124EEDA07BC8DB3EDA41C746

Function 0000023AF32F2058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000023AF32F20D7
WriteFile.KERNEL32 ref: 0000023AF32F239F
WriteFile.KERNEL32 ref: 0000023AF32F23E5
GetLastError.KERNEL32 ref: 0000023AF32F249B

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: e2751f37c9afc06bab20269fd30b95b3ce7bf53436da13fe763090e07bb22a2b
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: C3D1ED36B04B8089E715CFB9D44429C3BA5F365B98F108226CE9997FD9DB3DC606CB41

Function 0000023AF32F2980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 0000023AF32F2A9C
GetLastError.KERNEL32 ref: 0000023AF32F2B27

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: 6fd4068f5fde012c4dde791a9f378234b0b4c7c006b5b8258291a18aebbb5ec4
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: CD91AC7670075085F768DF75D4883AD2BA4F726B88F144129DE8A67EC4DB3EC682CB02

Function 0000023AF32E7960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000023AF32E798C
GetCurrentThreadId.KERNEL32 ref: 0000023AF32E799A
GetCurrentProcessId.KERNEL32 ref: 0000023AF32E79A6
QueryPerformanceCounter.KERNEL32 ref: 0000023AF32E79B6

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 4d56da54cf78304b59e941c3840ad02a4e27cfa3874fb6ac860baba0de6867c0
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 6B113026710F018AEB40DF75E8593A933A4F729B58F440E35DAAD46BA4DF7DC2988381

Function 0000023AF32E253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000023AF32E2620
StrCpyW.SHLWAPI ref: 0000023AF32E2639

Strings

\\.\pipe\, xrefs: 0000023AF32E262B

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 6f851ab7d2fffd7563023ef623ee8a7de8c3bed235268dd0d459f42558e32ad4
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: 3A71A73620078185D72CEF25D8493A9A7A8FBA6B84F540135DE8A53FC9DF3EC7859701

Function 0000023AF32B9E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000023AF32B9EB7

Strings

MOC, xrefs: 0000023AF32B9E7C
RCC, xrefs: 0000023AF32B9E85

Memory Dump Source

Source File: 00000018.00000002.3388365829.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32b0000_svchost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 9af03a94526e124235052eff05af4d6ef70a64bd906bbf711c34630943867be5
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 31619A33A00B84CAEB28CF65D04439D77A0F764B88F144626EF8917B98DB3DD295C741

Function 0000023AF32E2330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000023AF32E2416
StrCpyW.SHLWAPI ref: 0000023AF32E242D

Strings

\\.\pipe\, xrefs: 0000023AF32E2421

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: f057078fdf437363ca3006686a2bf0829581c85bcab3189ee86c3b948c680c9c
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 8551D13220478181E76CEA29A15D3AAE799FBA5B40F440135DEDA03FC9CB3FC6848742

Function 0000023AF32F26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000023AF32F2807
GetLastError.KERNEL32 ref: 0000023AF32F2829

Strings

U, xrefs: 0000023AF32F27B3

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 35ef467bd1b652655df33300a8af76435eb501ed725965b0e419b5e742ae772f
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 74419F76714B8082EB208F25E8483AEB7A4F7A9794F544131EE8D87BD4EB3DC641CB51

Function 0000023AF32E94A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000023AF32E94F0
RaiseException.KERNEL32 ref: 0000023AF32E9531

Strings

csm, xrefs: 0000023AF32E951E

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 0e956435bf9f0bef2125082f9e1e6bfa42cb3a6339d934bf258d92915eab66d0
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 06110D36214B8082EB658F25F444359B7E9FB98B94F584225EECD07B99DF3DC691CB00

Function 0000023AF32B7356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000023AF32B737C

Strings

ierarchy Descriptor', xrefs: 0000023AF32B7381
riptor at (, xrefs: 0000023AF32B7364

Memory Dump Source

Source File: 00000018.00000002.3388365829.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32b0000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 42c6951a3d5e62022741cb552a0faaa8dc454750388d80c2111df8216ab36858
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 26E08661640B4491DF058F22E84429873A4DB68B64B989132999C06351FA3CD2E9C301

Function 0000023AF32B73B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000023AF32B73D8

Strings

Locator', xrefs: 0000023AF32B73DD
riptor at (, xrefs: 0000023AF32B73C0

Memory Dump Source

Source File: 00000018.00000002.3388365829.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32b0000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 220dd3407894242afa797735461295e715a9582d507b77829c604985c3d977a1
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: E9E08661600B4480DF058F22D8401987364EB68B64F989132C98C06351EA3CD2E5C301

Function 0000023AF32E1BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000023AF32E1C2D
HeapAlloc.KERNEL32 ref: 0000023AF32E1C3B
GetProcessHeap.KERNEL32 ref: 0000023AF32E1C77
HeapFree.KERNEL32 ref: 0000023AF32E1C85

Part of subcall function 0000023AF32E152C: StrCmpIW.SHLWAPI ref: 0000023AF32E155D

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: f1725fcd5410c0a07ce4f1123f09774ab2f82a588070bbaed81ab7e775db846a
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: B1118F25701B5481EB08DB66E40A26AB7A5FB99FC0F185034DECD83BA5DE3ED582C701

Function 0000023AF32E1268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000023AF32E126E
HeapAlloc.KERNEL32 ref: 0000023AF32E127D
GetProcessHeap.KERNEL32 ref: 0000023AF32E1297
HeapAlloc.KERNEL32 ref: 0000023AF32E12A8

Memory Dump Source

Source File: 00000018.00000002.3389377755.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_23af32e0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 1cfd4273923a9902b80302180c9fa92e6bed877094e565062285121f79e1ac25
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 2DE03235B01A0486EB08AB62D80834A36E5FB99F06F0880248989077A1DF7EC699CF91

Analysis Process: svchost.exePID: 376, Parent PID: 1172COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	468
Total number of Limit Nodes:	3

Executed Functions

Function 0000023C9FD91268 Relevance: 5.0, APIs: 4, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000023C9FD9126E
HeapAlloc.KERNEL32 ref: 0000023C9FD9127D
GetProcessHeap.KERNEL32 ref: 0000023C9FD91297
HeapAlloc.KERNEL32 ref: 0000023C9FD912A8

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: cbded6a7cf5b7805f93012bc6e9f91fd45a45d9c4a0ce9048524cc3669026ffc
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 41E06D3B601704C6EB058F62D80C36A3AE1FB89F0AF16C024CA0907351DF7DC599C750

Function 0000023C9FD9F1EC Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0000023C9FD9F205
FreeEnvironmentStringsW.KERNEL32 ref: 0000023C9FD9F277

Part of subcall function 0000023C9FD9CA0C: HeapAlloc.KERNEL32 ref: 0000023C9FD9CA4A

FreeEnvironmentStringsW.KERNEL32 ref: 0000023C9FD9F2D6

Part of subcall function 0000023C9FD9D744: HeapFree.KERNEL32 ref: 0000023C9FD9D75A
Part of subcall function 0000023C9FD9D744: GetLastError.KERNEL32 ref: 0000023C9FD9D764

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: EnvironmentFreeStrings$Heap$AllocErrorLast
String ID:
API String ID: 3331406755-0
Opcode ID: 987753ff894a599cb567346e89517f1ee9597d4cd7e0ed4d9062b173d8f816d4
Instruction ID: f6557c66b56c6872ac1de7e600478dd8ff0236ec382c4d22c79d246fffc99fc4
Opcode Fuzzy Hash: 987753ff894a599cb567346e89517f1ee9597d4cd7e0ed4d9062b173d8f816d4
Instruction Fuzzy Hash: FC31D933225B50C1EB24DF61644437A7794F784FD5F694225E98AA3BC5DF3CC6918304

Function 0000023C9FD9328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000023C9FD932AE
PathFindFileNameW.SHLWAPI ref: 0000023C9FD932BD

Part of subcall function 0000023C9FD93844: StrCmpNIW.SHLWAPI ref: 0000023C9FD9385C

Part of subcall function 0000023C9FD93790: GetModuleHandleW.KERNEL32 ref: 0000023C9FD9379E
Part of subcall function 0000023C9FD93790: GetCurrentProcess.KERNEL32 ref: 0000023C9FD937CC
Part of subcall function 0000023C9FD93790: VirtualProtectEx.KERNEL32 ref: 0000023C9FD937EE
Part of subcall function 0000023C9FD93790: GetCurrentProcess.KERNEL32 ref: 0000023C9FD93809
Part of subcall function 0000023C9FD93790: VirtualProtectEx.KERNEL32 ref: 0000023C9FD9382A

CreateThread.KERNEL32 ref: 0000023C9FD9330B

Part of subcall function 0000023C9FD91D14: GetCurrentThread.KERNEL32 ref: 0000023C9FD91D1F

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 55455f91b24e61534834da54e7534c5b240e236b9e7244e17661c136f86b0d8f
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 5211803361274082FB60BFB1F84D3792298AF55747F724129D91AA2591EF7CC3C48354

Function 0000023C9FD91ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000023C9FD91628: GetProcessHeap.KERNEL32 ref: 0000023C9FD91633
Part of subcall function 0000023C9FD91628: HeapAlloc.KERNEL32 ref: 0000023C9FD91642
Part of subcall function 0000023C9FD91628: RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD916B2
Part of subcall function 0000023C9FD91628: RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD916DF
Part of subcall function 0000023C9FD91628: RegCloseKey.ADVAPI32 ref: 0000023C9FD916F9
Part of subcall function 0000023C9FD91628: RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD91719
Part of subcall function 0000023C9FD91628: RegCloseKey.ADVAPI32 ref: 0000023C9FD91734
Part of subcall function 0000023C9FD91628: RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD91754
Part of subcall function 0000023C9FD91628: RegCloseKey.ADVAPI32 ref: 0000023C9FD9176F
Part of subcall function 0000023C9FD91628: RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD9178F
Part of subcall function 0000023C9FD91628: RegCloseKey.ADVAPI32 ref: 0000023C9FD917AA
Part of subcall function 0000023C9FD91628: RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD917CA

Sleep.KERNEL32 ref: 0000023C9FD91AD7
SleepEx.KERNELBASE ref: 0000023C9FD91ADD

Part of subcall function 0000023C9FD91628: RegCloseKey.ADVAPI32 ref: 0000023C9FD917E5
Part of subcall function 0000023C9FD91628: RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD91805
Part of subcall function 0000023C9FD91628: RegCloseKey.ADVAPI32 ref: 0000023C9FD91820
Part of subcall function 0000023C9FD91628: RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD91840
Part of subcall function 0000023C9FD91628: RegCloseKey.ADVAPI32 ref: 0000023C9FD9185B
Part of subcall function 0000023C9FD91628: RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD9187B
Part of subcall function 0000023C9FD91628: RegCloseKey.ADVAPI32 ref: 0000023C9FD91896
Part of subcall function 0000023C9FD91628: RegCloseKey.ADVAPI32 ref: 0000023C9FD918A0

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: e86c9777ab782df55b82f34e4b551db4e7b06d2da40f16e4b0d0133f8a38cfbe
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: A831236320274141FF519F66D6493B913A5AB45BCBF266421CE09A72D5FF1CCAD1C310

Function 0000023C9FD93844 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 0000023C9FD9385C

Strings

dialer, xrefs: 0000023C9FD93855

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction ID: b64d195b827d9c602696f12b174718a7dbec88416db533b65e07794dea540fe7
Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction Fuzzy Hash: E9D05E623127058AFB149FE688CC7742355AB18B4AFD94020C90011150DB5DCADE9710

Function 0000023C9FD6273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000023C9FD6285E

Memory Dump Source

Source File: 00000019.00000002.3381516680.0000023C9FD60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd60000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 3a619fa86ca54a05c4de5bba6d8deee738dfcef4faeac7959e32349048c00175
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 4161F233B0179087DF54CF15980873DB3A2FB95BA6F698126DE5927B88DA3CD952C700

Non-executed Functions

Function 0000023C9FD92B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000023C9FD92BD0
lstrlenW.KERNEL32 ref: 0000023C9FD92E0A

Part of subcall function 0000023C9FD9199C: OpenProcess.KERNEL32 ref: 0000023C9FD919C2
Part of subcall function 0000023C9FD9199C: K32GetModuleFileNameExW.KERNEL32 ref: 0000023C9FD919E0
Part of subcall function 0000023C9FD9199C: PathFindFileNameW.SHLWAPI ref: 0000023C9FD919EF
Part of subcall function 0000023C9FD9199C: lstrlenW.KERNEL32 ref: 0000023C9FD919FB
Part of subcall function 0000023C9FD9199C: StrCpyW.SHLWAPI ref: 0000023C9FD91A0E
Part of subcall function 0000023C9FD9199C: CloseHandle.KERNEL32 ref: 0000023C9FD91A1C

GetProcAddress.KERNEL32 ref: 0000023C9FD92BE5

Part of subcall function 0000023C9FD9152C: StrCmpIW.SHLWAPI ref: 0000023C9FD9155D

Part of subcall function 0000023C9FD93844: StrCmpNIW.SHLWAPI ref: 0000023C9FD9385C

StrCmpNIW.SHLWAPI ref: 0000023C9FD92C28
lstrlenW.KERNEL32 ref: 0000023C9FD92D50

Strings

NtQueryObject, xrefs: 0000023C9FD92BDB
\Device\Nsi, xrefs: 0000023C9FD92C1B
ntdll.dll, xrefs: 0000023C9FD92BC9

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: c7ee9107203d44bdf36ae34525c02def78a0d96f8ae86e0cdae0ec7bb850561a
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: A4B1C323212B5082EB59DFA5D4487B963A4FB46B97F66501AEE0963794DF3DCEC0C340

Function 0000023C9FD97D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000023C9FD97DAC
RtlCaptureContext.NTDLL ref: 0000023C9FD97DD9
RtlLookupFunctionEntry.NTDLL ref: 0000023C9FD97DF3
RtlVirtualUnwind.NTDLL ref: 0000023C9FD97E34
IsDebuggerPresent.KERNEL32 ref: 0000023C9FD97E88
SetUnhandledExceptionFilter.KERNEL32 ref: 0000023C9FD97EA9
UnhandledExceptionFilter.KERNEL32 ref: 0000023C9FD97EB4

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: b66be5f753f9a1e6a56771ef2465323605b3be2834fbd8b588db6c5ca349ed3b
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 6A313E73205B80CAEB609F60E8447ED7364F784749F55442ADA5E67B98EF3CC648C714

Function 0000023C9FD9D2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000023C9FD9D31D
RtlLookupFunctionEntry.NTDLL ref: 0000023C9FD9D335
RtlVirtualUnwind.NTDLL ref: 0000023C9FD9D370
IsDebuggerPresent.KERNEL32 ref: 0000023C9FD9D3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 0000023C9FD9D3B3
UnhandledExceptionFilter.KERNEL32 ref: 0000023C9FD9D3BE

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: f9ba92a2141ec3dc68b3688644f0a3304593a1e55a1c8035841cfe0f429b0bd5
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 3F317133215F8086DB60DF65E8443AE73A0F789B5AF650225EA9D53B98DF3CC695CB00

Function 0000023C9FD91628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000023C9FD91633
HeapAlloc.KERNEL32 ref: 0000023C9FD91642

Part of subcall function 0000023C9FD91268: GetProcessHeap.KERNEL32 ref: 0000023C9FD9126E
Part of subcall function 0000023C9FD91268: HeapAlloc.KERNEL32 ref: 0000023C9FD9127D
Part of subcall function 0000023C9FD91268: GetProcessHeap.KERNEL32 ref: 0000023C9FD91297
Part of subcall function 0000023C9FD91268: HeapAlloc.KERNEL32 ref: 0000023C9FD912A8

RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD916B2
RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD916DF
RegCloseKey.ADVAPI32 ref: 0000023C9FD916F9
RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD91719
RegCloseKey.ADVAPI32 ref: 0000023C9FD91734
RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD91754
RegCloseKey.ADVAPI32 ref: 0000023C9FD9176F
RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD9178F
RegCloseKey.ADVAPI32 ref: 0000023C9FD917AA
RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD917CA
RegCloseKey.ADVAPI32 ref: 0000023C9FD917E5
RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD91805
RegCloseKey.ADVAPI32 ref: 0000023C9FD91820
RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD91840
RegCloseKey.ADVAPI32 ref: 0000023C9FD9185B
RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD9187B
RegCloseKey.ADVAPI32 ref: 0000023C9FD91896
RegCloseKey.ADVAPI32 ref: 0000023C9FD918A0

Part of subcall function 0000023C9FD912BC: RegQueryInfoKeyW.ADVAPI32 ref: 0000023C9FD91319
Part of subcall function 0000023C9FD912BC: GetProcessHeap.KERNEL32 ref: 0000023C9FD91327
Part of subcall function 0000023C9FD912BC: HeapAlloc.KERNEL32 ref: 0000023C9FD91338
Part of subcall function 0000023C9FD912BC: RegEnumValueW.ADVAPI32 ref: 0000023C9FD91397
Part of subcall function 0000023C9FD912BC: GetProcessHeap.KERNEL32 ref: 0000023C9FD913DF
Part of subcall function 0000023C9FD912BC: HeapAlloc.KERNEL32 ref: 0000023C9FD913ED
Part of subcall function 0000023C9FD912BC: GetProcessHeap.KERNEL32 ref: 0000023C9FD9140A
Part of subcall function 0000023C9FD912BC: HeapFree.KERNEL32 ref: 0000023C9FD91418
Part of subcall function 0000023C9FD912BC: lstrlenW.KERNEL32 ref: 0000023C9FD91421
Part of subcall function 0000023C9FD912BC: GetProcessHeap.KERNEL32 ref: 0000023C9FD9142F
Part of subcall function 0000023C9FD912BC: HeapAlloc.KERNEL32 ref: 0000023C9FD9143D

Strings

tcp_remote, xrefs: 0000023C9FD91839
pid, xrefs: 0000023C9FD91712
startup, xrefs: 0000023C9FD916D5
tcp_local, xrefs: 0000023C9FD917FE
paths, xrefs: 0000023C9FD91788
udp, xrefs: 0000023C9FD91874
process_names, xrefs: 0000023C9FD9174D
service_names, xrefs: 0000023C9FD917C3
SOFTWARE\dialerconfig, xrefs: 0000023C9FD91692

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 00ff3e7dc70780f66e364e3fffae47cb081e8ce491ffe87b295e596850d53c96
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: F0711827311B11C6EB109F65E8987A923A4FB84F8EF121111DE4E67B69EF3CC694D348

Function 0000023C9FD912BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000023C9FD91319
GetProcessHeap.KERNEL32 ref: 0000023C9FD91327
HeapAlloc.KERNEL32 ref: 0000023C9FD91338
RegEnumValueW.ADVAPI32 ref: 0000023C9FD91397

Part of subcall function 0000023C9FD9152C: StrCmpIW.SHLWAPI ref: 0000023C9FD9155D

GetProcessHeap.KERNEL32 ref: 0000023C9FD913DF
HeapAlloc.KERNEL32 ref: 0000023C9FD913ED
GetProcessHeap.KERNEL32 ref: 0000023C9FD9140A
HeapFree.KERNEL32 ref: 0000023C9FD91418
lstrlenW.KERNEL32 ref: 0000023C9FD91421
GetProcessHeap.KERNEL32 ref: 0000023C9FD9142F
HeapAlloc.KERNEL32 ref: 0000023C9FD9143D
StrCpyW.SHLWAPI ref: 0000023C9FD9145F
GetProcessHeap.KERNEL32 ref: 0000023C9FD91476
HeapFree.KERNEL32 ref: 0000023C9FD91484

Strings

d, xrefs: 0000023C9FD9135A

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: f8b257494904f019d3604dcecc85034657a5c10260cac0c89fcb9b1474f2a89f
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: 89515A37201B84C6EB51CF62E54836AB7A1F788FCAF254124DA4A17768DF3CC249CB04

Function 0000023C9FD91D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000023C9FD91D1F

Part of subcall function 0000023C9FD91FD4: GetModuleHandleA.KERNEL32 ref: 0000023C9FD91FEC
Part of subcall function 0000023C9FD91FD4: GetProcAddress.KERNEL32 ref: 0000023C9FD91FFD

Part of subcall function 0000023C9FD95B30: GetCurrentThreadId.KERNEL32 ref: 0000023C9FD95B6B

Strings

EnumServicesStatusExW, xrefs: 0000023C9FD91E11, 0000023C9FD91E32
NtEnumerateKey, xrefs: 0000023C9FD91DB9
sechost.dll, xrefs: 0000023C9FD91E39
advapi32.dll, xrefs: 0000023C9FD91DF7, 0000023C9FD91E18
NtDeviceIoControlFile, xrefs: 0000023C9FD91E56
NtResumeThread, xrefs: 0000023C9FD91D62
NtQuerySystemInformation, xrefs: 0000023C9FD91D45
NtQueryDirectoryFileEx, xrefs: 0000023C9FD91D9C
NtEnumerateValueKey, xrefs: 0000023C9FD91DD6
NtQueryDirectoryFile, xrefs: 0000023C9FD91D7F
ntdll.dll, xrefs: 0000023C9FD91D2D
EnumServiceGroupW, xrefs: 0000023C9FD91DF0

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: 32e0c514c15e67092b4d8cf3e36448ca5e605fb48b53fd217be05a92b649f763
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: 6931816B202B4AA0EB06EFA5E85D7F86320B745747FE25623D419325759F3CC38AC394

Function 0000023C9FD66910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000023C9FD66938
__scrt_acquire_startup_lock.LIBCMT ref: 0000023C9FD6698A
_RTC_Initialize.LIBCMT ref: 0000023C9FD669B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000023C9FD669DE
__scrt_release_startup_lock.LIBCMT ref: 0000023C9FD66A09

Strings

`eh vector copy constructor iterator', xrefs: 0000023C9FD66A3B
scriptor', xrefs: 0000023C9FD66B39, 0000023C9FD66BB2, 0000023C9FD66BEC
`dynamic initializer for ', xrefs: 0000023C9FD669C7
`eh vector vbase copy constructor iterator', xrefs: 0000023C9FD669EE

Memory Dump Source

Source File: 00000019.00000002.3381516680.0000023C9FD60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd60000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 7aafad37e4582c41821c69376d83aac845966f6b7e31f34f751b40f63f222fa9
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 7981FF6370070586FB50AF25944D3BD6690EB89B8AF778125EA09BB396DF3DCB458300

Function 0000023C9FD9CE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 0000023C9FD9CE37
FlsGetValue.KERNEL32(?,?,?,0000023C9FDA0A6B,?,?,?,0000023C9FDA045C,?,?,?,0000023C9FD9C84F), ref: 0000023C9FD9CE4C
FlsSetValue.KERNEL32(?,?,?,0000023C9FDA0A6B,?,?,?,0000023C9FDA045C,?,?,?,0000023C9FD9C84F), ref: 0000023C9FD9CE6D
FlsSetValue.KERNEL32(?,?,?,0000023C9FDA0A6B,?,?,?,0000023C9FDA045C,?,?,?,0000023C9FD9C84F), ref: 0000023C9FD9CE9A
FlsSetValue.KERNEL32(?,?,?,0000023C9FDA0A6B,?,?,?,0000023C9FDA045C,?,?,?,0000023C9FD9C84F), ref: 0000023C9FD9CEAB
FlsSetValue.KERNEL32(?,?,?,0000023C9FDA0A6B,?,?,?,0000023C9FDA045C,?,?,?,0000023C9FD9C84F), ref: 0000023C9FD9CEBC
SetLastError.KERNEL32 ref: 0000023C9FD9CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000023C9FDA0A6B,?,?,?,0000023C9FDA045C,?,?,?,0000023C9FD9C84F), ref: 0000023C9FD9CF0D
FlsSetValue.KERNEL32(?,?,00000001,0000023C9FD9ECCC,?,?,?,?,0000023C9FD9BF9F,?,?,?,?,?,0000023C9FD97AB0), ref: 0000023C9FD9CF2C

Part of subcall function 0000023C9FD9D6CC: HeapAlloc.KERNEL32 ref: 0000023C9FD9D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000023C9FDA0A6B,?,?,?,0000023C9FDA045C,?,?,?,0000023C9FD9C84F), ref: 0000023C9FD9CF54

Part of subcall function 0000023C9FD9D744: HeapFree.KERNEL32 ref: 0000023C9FD9D75A
Part of subcall function 0000023C9FD9D744: GetLastError.KERNEL32 ref: 0000023C9FD9D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000023C9FDA0A6B,?,?,?,0000023C9FDA045C,?,?,?,0000023C9FD9C84F), ref: 0000023C9FD9CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000023C9FDA0A6B,?,?,?,0000023C9FDA045C,?,?,?,0000023C9FD9C84F), ref: 0000023C9FD9CF76

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 72943e90d7e32eff41b8364ecc90685daeceec26b5f1b16d2aadd79b0beb58a0
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: E3418F2330374542FA69AFB1955E37922829B857B7F3A0724E937376E6DE2C87C19300

Function 0000023C9FD92244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000023C9FD92259
GetCurrentProcessId.KERNEL32 ref: 0000023C9FD92263

Part of subcall function 0000023C9FD91934: OpenProcess.KERNEL32 ref: 0000023C9FD91952
Part of subcall function 0000023C9FD91934: IsWow64Process.KERNEL32 ref: 0000023C9FD91968
Part of subcall function 0000023C9FD91934: CloseHandle.KERNEL32 ref: 0000023C9FD91983

CreateFileW.KERNEL32 ref: 0000023C9FD922BC
WriteFile.KERNEL32 ref: 0000023C9FD922E4
ReadFile.KERNEL32 ref: 0000023C9FD92303
CloseHandle.KERNEL32 ref: 0000023C9FD9230C

Strings

\\.\pipe\dialerchildproc64, xrefs: 0000023C9FD9228C
\\.\pipe\dialerchildproc32, xrefs: 0000023C9FD92293

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 3c1ec7224b6520f0259cbb9759a1b88848df04e4d64bf2f9d1463577e4702a20
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 75212C37614B40C2FB149F25F44C36A77A1F789BAAF614215EA5913BA8DF7CC289CB04

Function 0000023C9FD9A544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000023C9FD9A5A1

Part of subcall function 0000023C9FD9B414: __GetUnwindTryBlock.LIBCMT ref: 0000023C9FD9B457
Part of subcall function 0000023C9FD9B414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000023C9FD9B47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000023C9FD9A679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000023C9FD9A8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 0000023C9FD9A9DA

Strings

csm, xrefs: 0000023C9FD9A622
csm, xrefs: 0000023C9FD9A5BB
csm, xrefs: 0000023C9FD9A69C

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: 0e1c3c77f64e8f4aa83c67f0269d300be4ae649b87345167c74bed53c09d7bb8
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 3CE1B277602B408AFB20DFA5D4883AD77A0F745BA9F620115EE8967B99CB3CC6C1C701

Function 0000023C9FD69944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000023C9FD699A1

Part of subcall function 0000023C9FD6A814: __GetUnwindTryBlock.LIBCMT ref: 0000023C9FD6A857
Part of subcall function 0000023C9FD6A814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000023C9FD6A87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000023C9FD69A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000023C9FD69CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 0000023C9FD69DDA

Strings

csm, xrefs: 0000023C9FD699BB
csm, xrefs: 0000023C9FD69A22
csm, xrefs: 0000023C9FD69A9C

Memory Dump Source

Source File: 00000019.00000002.3381516680.0000023C9FD60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd60000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 509737f3685c2d1a6d071fba31afd0590e104cea89739642c8b0d4ddad272356
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 8CE1C073604B808AEB60DF65D4883AD77B0F755B99F220115EE8967B9ACB3CC291CB01

Function 0000023C9FD9F394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 0000023C9FD9F510
GetProcAddress.KERNEL32 ref: 0000023C9FD9F51C

Strings

api-ms-, xrefs: 0000023C9FD9F45A
ext-ms-, xrefs: 0000023C9FD9F46D

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: dc8ad38878208d8ca577ebbaeebc6c7377358e1fa9398032812038abc6e92bc4
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: C741C423322F0091FB16CFA6A80C7752391F745BE6F2A4125DD1DAB784EE3CC6859344

Function 0000023C9FD9104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000023C9FD910B1
RegEnumValueW.ADVAPI32 ref: 0000023C9FD91117
GetProcessHeap.KERNEL32 ref: 0000023C9FD9115A
HeapAlloc.KERNEL32 ref: 0000023C9FD91168
GetProcessHeap.KERNEL32 ref: 0000023C9FD91185
HeapFree.KERNEL32 ref: 0000023C9FD91193

Strings

d, xrefs: 0000023C9FD910D6

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: bf4d5e9b72a927c354924b6789bf90666660a3f57e477406bce86737f63aeb7b
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: 4D417133214B84D6E760CF61E4487AE77A1F388B99F558129DB8927B58DF3CC589CB40

Function 0000023C9FD9D068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,0000023C9FD9C7DE,?,?,?,?,?,?,?,?,0000023C9FD9CF9D,?,?,00000001), ref: 0000023C9FD9D087
FlsSetValue.KERNEL32(?,?,?,0000023C9FD9C7DE,?,?,?,?,?,?,?,?,0000023C9FD9CF9D,?,?,00000001), ref: 0000023C9FD9D0A6
FlsSetValue.KERNEL32(?,?,?,0000023C9FD9C7DE,?,?,?,?,?,?,?,?,0000023C9FD9CF9D,?,?,00000001), ref: 0000023C9FD9D0CE
FlsSetValue.KERNEL32(?,?,?,0000023C9FD9C7DE,?,?,?,?,?,?,?,?,0000023C9FD9CF9D,?,?,00000001), ref: 0000023C9FD9D0DF
FlsSetValue.KERNEL32(?,?,?,0000023C9FD9C7DE,?,?,?,?,?,?,?,?,0000023C9FD9CF9D,?,?,00000001), ref: 0000023C9FD9D0F0

Strings

1%, xrefs: 0000023C9FD9D0CE
Y%, xrefs: 0000023C9FD9D0A6

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: e8c26fe5fe4feb14e3ba4e03a1f9060b6ef82e331d8c99b7b9407e267a680212
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: 7011862370674441FA686FB6955E37962459B447F2F3A4324E879377DADF2CC6829300

Function 0000023C9FD97510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000023C9FD97538
__scrt_acquire_startup_lock.LIBCMT ref: 0000023C9FD9758A
_RTC_Initialize.LIBCMT ref: 0000023C9FD975B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000023C9FD975DE
__scrt_release_startup_lock.LIBCMT ref: 0000023C9FD97609

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: c81ae31f02d2e224a68d0c04c6ddf062c43f5ec167f886d717914fbe70619f4a
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 9081E32370270186FB90AFE5944D3B96690AB85B87F3B4525D92877796DB3CCBC58700

Function 0000023C9FD99DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 0000023C9FD99E49
GetLastError.KERNEL32 ref: 0000023C9FD99E57
LoadLibraryExW.KERNEL32 ref: 0000023C9FD99E81
FreeLibrary.KERNEL32 ref: 0000023C9FD99EC7
GetProcAddress.KERNEL32 ref: 0000023C9FD99ED3

Strings

api-ms-, xrefs: 0000023C9FD99E69

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: bcdf0de65a7d2d3d11683321deb0e480384ed9bad8611b56bf596f421dc6149d
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: B631C323313B40E1EE22DF92A4887752394B748BA2F6B0525DD2D2B394EF3EC6D58305

Function 0000023C9FDA3DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000023C9FDA3DE5
GetLastError.KERNEL32 ref: 0000023C9FDA3DF1
CloseHandle.KERNEL32 ref: 0000023C9FDA3E09
CreateFileW.KERNEL32 ref: 0000023C9FDA3E34
WriteConsoleW.KERNEL32 ref: 0000023C9FDA3E53

Strings

CONOUT$, xrefs: 0000023C9FDA3E15

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: fc3ee547b90a58897c853057f39df720ccbe3a45c8b939da15aca02b7eb807e6
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 9C118F33310B8086E7508F52E84832976A0F788FEAF254225EA6A97794CF7DCA548748

Function 0000023C9FD93790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000023C9FD9379E
GetCurrentProcess.KERNEL32 ref: 0000023C9FD937CC
VirtualProtectEx.KERNEL32 ref: 0000023C9FD937EE
GetCurrentProcess.KERNEL32 ref: 0000023C9FD93809
VirtualProtectEx.KERNEL32 ref: 0000023C9FD9382A

Strings

wr, xrefs: 0000023C9FD937FF

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: f581b2753d3311771d2ef88649b5c3dbc002ea74c6a5500dacb6231ddfec3b34
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: E9115B2B705B41C2EF149F61E40837A76A4FB88F8AF660429DE9917794EF3DC685C708

Function 0000023C9FD95B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000023C9FD95B6B
GetThreadContext.KERNEL32 ref: 0000023C9FD95CD5

Part of subcall function 0000023C9FD95960: GetCurrentThreadId.KERNEL32 ref: 0000023C9FD95964

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: c7858c9595cf304ad0778e2fc3f229bfab6e13f368fba6bf50820e945dd4b50a
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: C2D19A37205B8882DB709F46E49836A77A0F3C8B85F214216EACD57BA5DF3DC691CB00

Function 0000023C9FD92F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000023C9FD92F27
HeapAlloc.KERNEL32 ref: 0000023C9FD92F3A
StrCmpNIW.SHLWAPI ref: 0000023C9FD92FAF
GetProcessHeap.KERNEL32 ref: 0000023C9FD93015
HeapFree.KERNEL32 ref: 0000023C9FD93023

Strings

dialer, xrefs: 0000023C9FD92FA8

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 9359298e96b3c04a7ea4b820f75502f3f97a85a75e9c2082bfe538fa6ca21202
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: A131B023702B5582EA15DF97E94877A67A0FB45B86F1A4120DF4867B55EF3CC6E1C300

Function 0000023C9FD914A4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000023C9FD914C5
HeapFree.KERNEL32 ref: 0000023C9FD914D4
GetProcessHeap.KERNEL32 ref: 0000023C9FD914E1
HeapFree.KERNEL32 ref: 0000023C9FD914F0
GetProcessHeap.KERNEL32 ref: 0000023C9FD91500

Strings

C:\Windows\System32\svchost.exe, xrefs: 0000023C9FDA61A9, 0000023C9FDA61B1

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID: C:\Windows\System32\svchost.exe
API String ID: 3168794593-3822071397
Opcode ID: 335002606d0c58216c4b7b8c214cf2e956f7ef49abbb5e195d674a66fc258290
Instruction ID: ef2c8a893de3dfc8a32d16b7cd1fc9c1132167686339b654e377d72c87c66156
Opcode Fuzzy Hash: 335002606d0c58216c4b7b8c214cf2e956f7ef49abbb5e195d674a66fc258290
Instruction Fuzzy Hash: 6B21A06B909BD0CAE352DF259C593AD2BE0F759F4AF2A4016DB45A3247DE2DC6048704

Function 0000023C9FD9CFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000023C9FD9CFAF
FlsSetValue.KERNEL32(?,?,?,0000023C9FD9D6B5,?,?,?,?,0000023C9FD9D778), ref: 0000023C9FD9CFE5
FlsSetValue.KERNEL32(?,?,?,0000023C9FD9D6B5,?,?,?,?,0000023C9FD9D778), ref: 0000023C9FD9D012
FlsSetValue.KERNEL32(?,?,?,0000023C9FD9D6B5,?,?,?,?,0000023C9FD9D778), ref: 0000023C9FD9D023
FlsSetValue.KERNEL32(?,?,?,0000023C9FD9D6B5,?,?,?,?,0000023C9FD9D778), ref: 0000023C9FD9D034
SetLastError.KERNEL32 ref: 0000023C9FD9D04F

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 56e012b5d1dc7e002c7adf90bc31e60c974fd27b6bfcadef6d938c98811c32d9
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: C511812330374081FA64AFB2954D33D6242AB857F6F360724E876677DADE2CC6819300

Function 0000023C9FD9199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000023C9FD919C2
K32GetModuleFileNameExW.KERNEL32 ref: 0000023C9FD919E0
PathFindFileNameW.SHLWAPI ref: 0000023C9FD919EF
lstrlenW.KERNEL32 ref: 0000023C9FD919FB
StrCpyW.SHLWAPI ref: 0000023C9FD91A0E
CloseHandle.KERNEL32 ref: 0000023C9FD91A1C

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: 13d99b4807abd619a55dff71f34bee12b8a4746c9564a352daa39f4ca56a7e68
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 5F016922300B4082EB10DF52A84C36A63A1F788FCAFAA4035DE5963754DF3CCA8AC704

Function 0000023C9FD936C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000023C9FD936E4
GetCurrentProcess.KERNEL32 ref: 0000023C9FD936F2
VirtualProtectEx.KERNEL32 ref: 0000023C9FD93714
GetCurrentProcess.KERNEL32 ref: 0000023C9FD93732
VirtualProtectEx.KERNEL32 ref: 0000023C9FD93753
TerminateThread.KERNEL32 ref: 0000023C9FD93762

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 14583a40f98bfed3850a83447e8838843ceab951dfca40f2a9e477f603da09be
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 72012967212B40C6EB259F61F80D33A73A4BB49F8BF260424CD5927764EF3DC2988708

Function 0000023C9FD99005 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023C9FD99013
_IsNonwritableInCurrentImage.LIBCMT ref: 0000023C9FD990A8
RtlUnwindEx.NTDLL ref: 0000023C9FD990F7

Strings

f, xrefs: 0000023C9FD99026
csm, xrefs: 0000023C9FD9908E

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 1f90d7c7ad59199f97c1a7438c6a9a4619e7d053edb22fbc608bcc98bd4b9d08
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 4451BE337027008AEB54DF65E44CB7937A6F344B8AF628124DA1673788EB79DAC1C705

Function 0000023C9FD98FE8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023C9FD99013
_IsNonwritableInCurrentImage.LIBCMT ref: 0000023C9FD990A8
RtlUnwindEx.NTDLL ref: 0000023C9FD990F7

Strings

f, xrefs: 0000023C9FD99026
csm, xrefs: 0000023C9FD9908E

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 07a3565f698964cbb3a4654292ca8ae5c348360f6e4fe9823536838693a240fb
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 9731D133202740C6EB54DF62E84C7293BA5F344B8AF268014EE5A23789DB3DCA80C706

Function 0000023C9FD91A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000023C9FD91A60
StrCmpNIW.SHLWAPI ref: 0000023C9FD91A7A
lstrlenW.KERNEL32 ref: 0000023C9FD91A89
StrCpyW.SHLWAPI ref: 0000023C9FD91A9E

Strings

\\?\, xrefs: 0000023C9FD91A6E

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 23ca7c8f60db608dac3268c4892bef963bbdddfd80e7d2892e867c6f1acef7e4
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: A2F06223304B41D2EB609F61F8C87696761F758F8AFA58021DA4956958DF7CCB8ECB04

Function 0000023C9FD9BC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000023C9FD9BCBD
GetProcAddress.KERNEL32 ref: 0000023C9FD9BCD3
FreeLibrary.KERNEL32 ref: 0000023C9FD9BCFA

Strings

CorExitProcess, xrefs: 0000023C9FD9BCCC
mscoree.dll, xrefs: 0000023C9FD9BCB4

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: f120134d89cc3ff4ac82abde9f44cd907dde6f2fa0f09169b0ae68eb03632b04
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 65F09663311B04C1EF148F64E44C3796320EB85F66F661219DA7A561E4CF3CC785C304

Function 0000023C9FD93044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 0000023C9FD93066
StrCpyW.SHLWAPI ref: 0000023C9FD93076
StrCatW.SHLWAPI ref: 0000023C9FD93082
PathCombineW.SHLWAPI ref: 0000023C9FD93090

Strings

\\.\pipe\, xrefs: 0000023C9FD9305C

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 63bf0631c2ce08038e8afd47d845ce43b19718df71123393761432e8610f9e68
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 4FF08222304B80C2EA009F53B90C2396264AB48FC6F298030EE5A27B18DF3CC6868704

Function 0000023C9FD950D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000023C9FD95156

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: 27460493759cfd513e95e9acbc061ad8e741853e6674a0c4eb1be6d369746711
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: 5F02ED33219B8486E7A0CF95F49436AB7A0F3C4785F210125EA8E97BA9DF7CC594CB00

Function 0000023C9FD95710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000023C9FD95726

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: 13d60bb38955cae3189d8a2bb61af228ad7e90773a2fa293d18278bd4efa4042
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: 6761CC3751AB44C6E760CF55E44832AB7E0F388786F210126EA8E57BA8DB7CC695CF00

Function 0000023C9FDA4104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000023C9FDA412C
_set_statfp.LIBCMT ref: 0000023C9FDA4147
_set_statfp.LIBCMT ref: 0000023C9FDA4163
_set_statfp.LIBCMT ref: 0000023C9FDA419F

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: a6d18e22d9c748128799939e0654a87f56c25303a8cede26c8329d518403cd37
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 2C11E323A10F4051F6A61F68E45D37511806B7BBBAF3B4A34E976276F6CB2CCB405308

Function 0000023C9FD73504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000023C9FD7352C
_set_statfp.LIBCMT ref: 0000023C9FD73547
_set_statfp.LIBCMT ref: 0000023C9FD73563
_set_statfp.LIBCMT ref: 0000023C9FD7359F

Memory Dump Source

Source File: 00000019.00000002.3381516680.0000023C9FD60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd60000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: fa3e9c6ef34ac44beecf1d4a20471fad6334f75cbed2dd7473b6ff3efb3b142c
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 3211A7A3610B5112FB551D28E44E37911816F58B76FBB4628E9662E2D6CA2CCB414300

Function 0000023C9FD99650 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000023C9FD9966F
SetLastError.KERNEL32 ref: 0000023C9FD996F6

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 46c896f13dff0714c7ccebb8ca9383bb675cc38bcf091c92c481f4a556b8b138
Instruction ID: 7cd8ba41c2925395cb7c9359367532a4a56c2306d61c1e992674a85071185b21
Opcode Fuzzy Hash: 46c896f13dff0714c7ccebb8ca9383bb675cc38bcf091c92c481f4a556b8b138
Instruction Fuzzy Hash: A211632330239082FE549FA6984C37962956B48BE3F364724D936377D9DA2CCA81C701

Function 0000023C9FD6F040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000023C9FD6F124

Strings

or copy constructor iterator', xrefs: 0000023C9FD6F25A, 0000023C9FD6F275
Tuesday, xrefs: 0000023C9FD6F0F4
Wednesday, xrefs: 0000023C9FD6F1ED

Memory Dump Source

Source File: 00000019.00000002.3381516680.0000023C9FD60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd60000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 7a8a2c0e20e62a8c4cb2861eaf2d624801dc3252f6813319446057c431b085cc
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: A2619D63620B4082FA69DF68E54C33E6BA1E785787F734425CA0A777A4EB3CCB418700

Function 0000023C9FD9AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0000023C9FD9AA68
_CallSETranslator.LIBVCRUNTIME ref: 0000023C9FD9AAB7

Strings

RCC, xrefs: 0000023C9FD9AA85
MOC, xrefs: 0000023C9FD9AA7C

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 0bebfacf85e04dc8df566765b1bb9a45dc94805908403f3c6b4d7d15f2017294
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: C461583B602B848AEB20DFA5D4843AD77B0F348B99F254215EF4927B98DB38D695C700

Function 0000023C9FD9AD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023C9FD9ADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000023C9FD9AE88

Strings

csm, xrefs: 0000023C9FD9AEDA
csm, xrefs: 0000023C9FD9ADC2

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: b5b3cd2e7d2b3ba65c0c38fc053bdc294db5e1aadc0f0551ef11afe4c2e778d2
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 9451B07B2013808AFB748F95948837977A0F355BA6F265216EB9967BD5CB3CC6D0C700

Function 0000023C9FD6A178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023C9FD6A1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000023C9FD6A288

Strings

csm, xrefs: 0000023C9FD6A1C2
csm, xrefs: 0000023C9FD6A2DA

Memory Dump Source

Source File: 00000019.00000002.3381516680.0000023C9FD60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd60000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: b168591e56fa7dec459e3dd0a2ff4fc174a44e46958cfe6ea52c0a5410adab20
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: C4518C33100380CAFB749FA5944837C77A0F755BAAF2A5216DA99A7BD5CB3CD690CB01

Function 0000023C9FD68405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023C9FD68413
_IsNonwritableInCurrentImage.LIBCMT ref: 0000023C9FD684A8

Strings

csm, xrefs: 0000023C9FD6848E
f, xrefs: 0000023C9FD68426

Memory Dump Source

Source File: 00000019.00000002.3381516680.0000023C9FD60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd60000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 4e56314c3d2453347bf65fb276cd521628cde032df79e7e53ff8890b8b23fc81
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 4651DD337023008AEB16CF25E448B3C37A5FB54B9EF668125DA0667788EB38DF518704

Function 0000023C9FD683E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023C9FD68413
_IsNonwritableInCurrentImage.LIBCMT ref: 0000023C9FD684A8

Strings

csm, xrefs: 0000023C9FD6848E
f, xrefs: 0000023C9FD68426

Memory Dump Source

Source File: 00000019.00000002.3381516680.0000023C9FD60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd60000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 1ac0af79340df761112eaa8314d83ad2fc85700253a99754cc2bce0b1d559ae3
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 0031897320178096EB15DF22E848B2D77A5FB44B9EF268014EE5A27788DB3CDB61C704

Function 0000023C9FDA2058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000023C9FDA20D7
WriteFile.KERNEL32 ref: 0000023C9FDA239F
WriteFile.KERNEL32 ref: 0000023C9FDA23E5
GetLastError.KERNEL32 ref: 0000023C9FDA249B

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: d2a503851be96b6516d99fb73f83dfb610c96ca901761488bc4f8c611d374a52
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: A7D10333714B8089E711CFBAD5483AC3BB1F355B9AF214216CE5DA7B99DA38C646C344

Function 0000023C9FDA2980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 0000023C9FDA2A9C
GetLastError.KERNEL32 ref: 0000023C9FDA2B27

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: dfac7770a03030c8138235460075494dc8b96b5442b412831c4990e57e6e5698
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: 8C91BF7370075086F7619F6695883BD3BA0B706F8BF264109DE0A77A88DB3CC682C708

Function 0000023C9FD97960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000023C9FD9798C
GetCurrentThreadId.KERNEL32 ref: 0000023C9FD9799A
GetCurrentProcessId.KERNEL32 ref: 0000023C9FD979A6
QueryPerformanceCounter.KERNEL32 ref: 0000023C9FD979B6

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 4ed76368ea000a64330ec930436fe3a4810d52bf42b8390d9f0f35c83193dfce
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: A9113023711F0189EB00CF70E8593B833A4F759B59F550E21EA6D567A8DF7CC2A88380

Function 0000023C9FD9253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000023C9FD92620
StrCpyW.SHLWAPI ref: 0000023C9FD92639

Strings

\\.\pipe\, xrefs: 0000023C9FD9262B

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 0c33aa86fb6af781ab4bd2801129ac058fc1aff8e06ccd9e83e02b0cf9a38ee3
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: 1871B23720178185E7299EA5984C3BA77A4F78BB87F660116DD0A73F89DE39C785C700

Function 0000023C9FD69E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000023C9FD69EB7

Strings

MOC, xrefs: 0000023C9FD69E7C
RCC, xrefs: 0000023C9FD69E85

Memory Dump Source

Source File: 00000019.00000002.3381516680.0000023C9FD60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd60000_svchost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 5190f0ac30fff565778e5031f2d5a440088a6580906e12c691fded75e2fd0fce
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 8A61A933A01B84CAEB20CF65D0843AD77A0F748B8DF264215EF8927B99DB39D695C700

Function 0000023C9FD92330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000023C9FD92416
StrCpyW.SHLWAPI ref: 0000023C9FD9242D

Strings

\\.\pipe\, xrefs: 0000023C9FD92421

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 952c2bbf2d9725709fdd0ee35ed40a443fa4884fddd7f1e576d89f22e70156ec
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 6D51283320638181E679DFA9A05C3BE6791F396743FA70125DD5923B4ADA3DCB84C780

Function 0000023C9FDA26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000023C9FDA2807
GetLastError.KERNEL32 ref: 0000023C9FDA2829

Strings

U, xrefs: 0000023C9FDA27B3

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: f8e9af451c7e187f0b3c134bc8ce29196dafec2d7c4623f8744763774a61f3a2
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 4741D533315B8082DB20CF26E9483BA77A0F799B96F624021EE4D97798EB3CC641C744

Function 0000023C9FD994A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000023C9FD994F0
RaiseException.KERNEL32 ref: 0000023C9FD99531

Strings

csm, xrefs: 0000023C9FD9951E

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: da9330c3968a2f4648570f24bcb8dedcce468af78ba686aeb91ff33026581370
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: BD113D37215B8082EB618F15F44436A77E5F788B99F694220EE8C17758DF3CC691CB04

Function 0000023C9FD67356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000023C9FD6737C

Strings

riptor at (, xrefs: 0000023C9FD67364
ierarchy Descriptor', xrefs: 0000023C9FD67381

Memory Dump Source

Source File: 00000019.00000002.3381516680.0000023C9FD60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd60000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 4cda0189ba7ad33cdc60815da3b34e9d2c4a24c0ec22eb9d9b8f22f249be8676
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 05E086A2640B4490EF018F21E8443A873A0DB58B64B599122D95C5A351FB3CD3F9C301

Function 0000023C9FD673B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000023C9FD673D8

Strings

riptor at (, xrefs: 0000023C9FD673C0
Locator', xrefs: 0000023C9FD673DD

Memory Dump Source

Source File: 00000019.00000002.3381516680.0000023C9FD60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd60000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 6f2cc3152310eb36d7cc8336d39e743a0d278e23f43703834979fe4af312773f
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 9EE086A2640B4480DF018F21D4443A873A0EB58B54B999122C94C5A311EB3CD2E5C300

Function 0000023C9FD91BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000023C9FD91C2D
HeapAlloc.KERNEL32 ref: 0000023C9FD91C3B
GetProcessHeap.KERNEL32 ref: 0000023C9FD91C77
HeapFree.KERNEL32 ref: 0000023C9FD91C85

Part of subcall function 0000023C9FD9152C: StrCmpIW.SHLWAPI ref: 0000023C9FD9155D

Memory Dump Source

Source File: 00000019.00000002.3382187239.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: fb274fbcc73c847d3c6e09d570d25983daaf9cd5edc6c7e414eda49a85b8252f
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: 9B113D26602B4481EA55DFA6A40833967A1FB89FC6F2A4124DE4D67765DE3CC5828300

Analysis Process: svchost.exePID: 60, Parent PID: 1172COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	74
Total number of Limit Nodes:	2

Executed Functions

Function 000001A1CA71328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001A1CA7132AE
PathFindFileNameW.SHLWAPI ref: 000001A1CA7132BD

Part of subcall function 000001A1CA713844: StrCmpNIW.SHLWAPI ref: 000001A1CA71385C

Part of subcall function 000001A1CA713790: GetModuleHandleW.KERNEL32 ref: 000001A1CA71379E
Part of subcall function 000001A1CA713790: GetCurrentProcess.KERNEL32 ref: 000001A1CA7137CC
Part of subcall function 000001A1CA713790: VirtualProtectEx.KERNEL32 ref: 000001A1CA7137EE
Part of subcall function 000001A1CA713790: GetCurrentProcess.KERNEL32 ref: 000001A1CA713809
Part of subcall function 000001A1CA713790: VirtualProtectEx.KERNEL32 ref: 000001A1CA71382A

CreateThread.KERNEL32 ref: 000001A1CA71330B

Part of subcall function 000001A1CA711D14: GetCurrentThread.KERNEL32 ref: 000001A1CA711D1F

Memory Dump Source

Source File: 0000001A.00000002.3389691458.000001A1CA710000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001A1CA710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1a1ca710000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 01a97fa1f14185cb65b09edfe152e9b73a0a9025bf2d4a57ba3f89ac3fec9d12
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: B411E533793360A1FBA297A1F4057D912DBB766734F40512597CE4199DEF3BE0488207

Function 000001A1CA711ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001A1CA711628: GetProcessHeap.KERNEL32 ref: 000001A1CA711633
Part of subcall function 000001A1CA711628: HeapAlloc.KERNEL32 ref: 000001A1CA711642
Part of subcall function 000001A1CA711628: RegOpenKeyExW.ADVAPI32 ref: 000001A1CA7116B2
Part of subcall function 000001A1CA711628: RegOpenKeyExW.ADVAPI32 ref: 000001A1CA7116DF
Part of subcall function 000001A1CA711628: RegCloseKey.ADVAPI32 ref: 000001A1CA7116F9
Part of subcall function 000001A1CA711628: RegOpenKeyExW.ADVAPI32 ref: 000001A1CA711719
Part of subcall function 000001A1CA711628: RegCloseKey.ADVAPI32 ref: 000001A1CA711734
Part of subcall function 000001A1CA711628: RegOpenKeyExW.ADVAPI32 ref: 000001A1CA711754
Part of subcall function 000001A1CA711628: RegCloseKey.ADVAPI32 ref: 000001A1CA71176F
Part of subcall function 000001A1CA711628: RegOpenKeyExW.ADVAPI32 ref: 000001A1CA71178F
Part of subcall function 000001A1CA711628: RegCloseKey.ADVAPI32 ref: 000001A1CA7117AA
Part of subcall function 000001A1CA711628: RegOpenKeyExW.ADVAPI32 ref: 000001A1CA7117CA

Sleep.KERNEL32 ref: 000001A1CA711AD7
SleepEx.KERNELBASE ref: 000001A1CA711ADD

Part of subcall function 000001A1CA711628: RegCloseKey.ADVAPI32 ref: 000001A1CA7117E5
Part of subcall function 000001A1CA711628: RegOpenKeyExW.ADVAPI32 ref: 000001A1CA711805
Part of subcall function 000001A1CA711628: RegCloseKey.ADVAPI32 ref: 000001A1CA711820
Part of subcall function 000001A1CA711628: RegOpenKeyExW.ADVAPI32 ref: 000001A1CA711840
Part of subcall function 000001A1CA711628: RegCloseKey.ADVAPI32 ref: 000001A1CA71185B
Part of subcall function 000001A1CA711628: RegOpenKeyExW.ADVAPI32 ref: 000001A1CA71187B
Part of subcall function 000001A1CA711628: RegCloseKey.ADVAPI32 ref: 000001A1CA711896
Part of subcall function 000001A1CA711628: RegCloseKey.ADVAPI32 ref: 000001A1CA7118A0

Memory Dump Source

Source File: 0000001A.00000002.3389691458.000001A1CA710000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001A1CA710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1a1ca710000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: f150d557e6744ddef69d6657b32e82edc97fae00e09d38a4107afbb374f367cd
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: DF314473382724A1EB629762D6813E913D7B746BE0F0444294F8D8B29DEE16E451C312

Function 000001A1CA713844 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 000001A1CA71385C

Strings

dialer, xrefs: 000001A1CA713855

Memory Dump Source

Source File: 0000001A.00000002.3389691458.000001A1CA710000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001A1CA710000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1a1ca710000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction ID: fb475bca5c5a6d412fbda8410bbabf47ec9d7b489fddd15ee2bbd074882d5245
Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction Fuzzy Hash: C9D05EB6392355EAFB669FE688C46E02393FB09764F8841208A4401558DB1A998D9621

Function 000001A1CA6E273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001A1CA6E285E

Memory Dump Source

Source File: 0000001A.00000002.3388721328.000001A1CA6E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001A1CA6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1a1ca6e0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: a47786bb87ca2bd87961d5bbacfabd6ee9655fa78d7282d5136b735cdc61d28c
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 73610F73B426A09BEF568F2690407ADB3A3FB55BA4F189121DF590778CDA38DC62C701

Non-executed Functions

Function 000001A1CA6E6910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001A1CA6E6938
__scrt_acquire_startup_lock.LIBCMT ref: 000001A1CA6E698A
_RTC_Initialize.LIBCMT ref: 000001A1CA6E69B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001A1CA6E69DE
__scrt_release_startup_lock.LIBCMT ref: 000001A1CA6E6A09

Strings

`eh vector vbase copy constructor iterator', xrefs: 000001A1CA6E69EE
scriptor', xrefs: 000001A1CA6E6B39, 000001A1CA6E6BB2, 000001A1CA6E6BEC
`eh vector copy constructor iterator', xrefs: 000001A1CA6E6A3B
`dynamic initializer for ', xrefs: 000001A1CA6E69C7

Memory Dump Source

Source File: 0000001A.00000002.3388721328.000001A1CA6E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001A1CA6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1a1ca6e0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 039e8d9811416d387a6c32b42b75de2d4594fd3f57fa495e321c2590bd5045e3
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 2481F17B7C2221A6FA53AB2598413D96293E787BB0F548025AB454739EEF38CC46C702

Function 000001A1CA6E9944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001A1CA6E99A1

Part of subcall function 000001A1CA6EA814: __GetUnwindTryBlock.LIBCMT ref: 000001A1CA6EA857
Part of subcall function 000001A1CA6EA814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001A1CA6EA87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001A1CA6E9A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001A1CA6E9CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001A1CA6E9DDA

Strings

csm, xrefs: 000001A1CA6E99BB
csm, xrefs: 000001A1CA6E9A22
csm, xrefs: 000001A1CA6E9A9C

Memory Dump Source

Source File: 0000001A.00000002.3388721328.000001A1CA6E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001A1CA6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1a1ca6e0000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: a33b61f7252c48a8ff5deff85b341fb991715874bd0d5d4cd81d52545042a901
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 19E1AF73742B6096EB62DBA5D4403DDBBA2FB46BA8F100115EF4A47B99CB34C491C702

Function 000001A1CA6F3504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001A1CA6F352C
_set_statfp.LIBCMT ref: 000001A1CA6F3547
_set_statfp.LIBCMT ref: 000001A1CA6F3563
_set_statfp.LIBCMT ref: 000001A1CA6F359F

Memory Dump Source

Source File: 0000001A.00000002.3388721328.000001A1CA6E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001A1CA6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1a1ca6e0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 8c7b11ddc80ccfc1c98d7406fca644481f95fcd76dba989a6670564aaad9392c
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 8211A7337E6A3131FB961528EC4A3ED118B6BDB374FC84638AB76072DECA34C8455212

Function 000001A1CA6EF040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001A1CA6EF124

Strings

Tuesday, xrefs: 000001A1CA6EF0F4
or copy constructor iterator', xrefs: 000001A1CA6EF25A, 000001A1CA6EF275
Wednesday, xrefs: 000001A1CA6EF1ED

Memory Dump Source

Source File: 0000001A.00000002.3388721328.000001A1CA6E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001A1CA6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1a1ca6e0000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 4c0cbab14a7f6e7d52f8b7fb1f5b1ad98ec1a7fdcff429646b330f84139264da
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 5061C03778366467FA6B8B68E5543EA6AA3E7837B4F914415DB0A077ACDB34C841C303

Function 000001A1CA6EA178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001A1CA6EA1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001A1CA6EA288

Strings

csm, xrefs: 000001A1CA6EA1C2
csm, xrefs: 000001A1CA6EA2DA

Memory Dump Source

Source File: 0000001A.00000002.3388721328.000001A1CA6E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001A1CA6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1a1ca6e0000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 18d07b32e9db3f301f191715a40212ea1b42970719aec1d811589bdbfb8c7d3a
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 5651C1333413A4DAEB768F1595443D877A2F767BA6F184215DB9987BC9CB38C450CB02

Function 000001A1CA6E8405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001A1CA6E8413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001A1CA6E84A8

Strings

csm, xrefs: 000001A1CA6E848E
f, xrefs: 000001A1CA6E8426

Memory Dump Source

Source File: 0000001A.00000002.3388721328.000001A1CA6E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001A1CA6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1a1ca6e0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 6f5331e060d5103dc2375ec47878150fe940775a08f328f03ff687d6810533a2
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 2251DD33753620AAEB96CF25E408B9C3796F356BA8F518124DB164378CEB34CC41CB06

Function 000001A1CA6E83E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001A1CA6E8413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001A1CA6E84A8

Strings

csm, xrefs: 000001A1CA6E848E
f, xrefs: 000001A1CA6E8426

Memory Dump Source

Source File: 0000001A.00000002.3388721328.000001A1CA6E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001A1CA6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1a1ca6e0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: b88cda04af8e2256953701f3fb8467a64d7e1f1677ebc28f90424d96db1c36b4
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: DD317A33342660EAE756DF25E848B9977AAF342BA8F558414EF5A0778CDB38C940C706

Function 000001A1CA6E73B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001A1CA6E73D8

Strings

Locator', xrefs: 000001A1CA6E73DD
riptor at (, xrefs: 000001A1CA6E73C0

Memory Dump Source

Source File: 0000001A.00000002.3388721328.000001A1CA6E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001A1CA6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1a1ca6e0000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 38a32f0ec5988e23dc970de0174968705f9a9aefe4ef577489d3ef5a2710b884
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 55E08672741B4490DF078F21D8402DC7365E759B64FC89122CA4C07355EA38D5E5C301

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Operating System Destruction

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Chrome\updater.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eydvvihl.5mn.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h51hc0b1.nqj.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hfz2w2dg.myg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pxg3x2ib.s0n.psm1

C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp

C:\Users\user\AppData\Local\Temp\yntnomxcupkb.xml

C:\Windows\System32\winevt\Logs\Application.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx

Windows Analysis Report
setup.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre