Edit tour

Windows Analysis Report
services64.exe

Overview

General Information

Sample name:	services64.exe
Analysis ID:	1575187
MD5:	a36aa640215e6e609fb942ff79c5adb5
SHA1:	dc636f4de97d4b948d0abfbfa37ebeca08b5da55
SHA256:	ff0a72d1860c9cad62aa4e48afe58831edc35ef4947661c7335dd08e5f26e05b
Tags:	exeuser-sa6ta6ni6c
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Disable power options

Sigma detected: Stop EventLog

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Installs new ROOT certificates

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies power options to not sleep / hibernate

Modifies the context of a thread in another process (thread injection)

Modifies the hosts file

Modifies the prolog of user mode functions (user mode inline hooks)

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Protects its processes via BreakOnTermination flag

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect debuggers (CloseHandle check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to evade analysis by execution special instruction (VM detection)

Uses powercfg.exe to modify the power settings

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

services64.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\services64.exe" MD5: A36AA640215E6E609FB942FF79C5ADB5)

powershell.exe (PID: 7496 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7700 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 7784 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

sc.exe (PID: 7708 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7800 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7848 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7896 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7944 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 8004 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 8012 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 8028 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 8064 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dialer.exe (PID: 8136 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 988 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 356 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 696 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 592 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

sc.exe (PID: 8168 cmdline: C:\Windows\system32\sc.exe delete "WindowsAutHost" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2056 cmdline: C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2260 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 180 cmdline: C:\Windows\system32\sc.exe start "WindowsAutHost" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WindowsAutHost (PID: 2696 cmdline: C:\ProgramData\WindowsServices\WindowsAutHost MD5: A36AA640215E6E609FB942FF79C5ADB5)

powershell.exe (PID: 404 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7536 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 7528 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

sc.exe (PID: 7548 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7496 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7792 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7720 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7860 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 7908 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 7900 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 7928 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 7972 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dialer.exe (PID: 8052 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

dialer.exe (PID: 8184 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Sigma Signatures

Change of critical system settings

Sigma detected: Disable power options

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\services64.exe", ParentImage: C:\Users\user\Desktop\services64.exe, ParentProcessId: 7432, ParentProcessName: services64.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 8004, ProcessName: powercfg.exe

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\services64.exe", ParentImage: C:\Users\user\Desktop\services64.exe, ParentProcessId: 7432, ParentProcessName: services64.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7496, ProcessName: powershell.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\ProgramData\WindowsServices\WindowsAutHost, CommandLine: C:\ProgramData\WindowsServices\WindowsAutHost, CommandLine|base64offset|contains: , Image: C:\ProgramData\WindowsServices\WindowsAutHost, NewProcessName: C:\ProgramData\WindowsServices\WindowsAutHost, OriginalFileName: C:\ProgramData\WindowsServices\WindowsAutHost, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\ProgramData\WindowsServices\WindowsAutHost, ProcessId: 2696, ProcessName: WindowsAutHost

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 8136, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 920, ProcessName: svchost.exe

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\services64.exe", ParentImage: C:\Users\user\Desktop\services64.exe, ParentProcessId: 7432, ParentProcessName: services64.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto", ProcessId: 2056, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\services64.exe", ParentImage: C:\Users\user\Desktop\services64.exe, ParentProcessId: 7432, ParentProcessName: services64.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7496, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Stop EventLog

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\services64.exe", ParentImage: C:\Users\user\Desktop\services64.exe, ParentProcessId: 7432, ParentProcessName: services64.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 2260, ProcessName: sc.exe

Suricata Signatures

ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T17:57:24.241066+0100	2036289	2	Crypto Currency Mining Activity Detected	192.168.2.4	58069	1.1.1.1	53	UDP

ETPRO COINMINER XMR CoinMiner Usage

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T17:57:07.739578+0100	2826930	2	Crypto Currency Mining Activity Detected	192.168.2.4	49734	37.203.243.102	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\WindowsServices\WindowsAutHost

ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: services64.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\WindowsServices\WindowsAutHost

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: services64.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match

File source: dump.pcap, type: PCAP

Source: services64.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WindowsAutHost, 00000025.00000003.1882707628.0000016F8FAF0000.00000004.00000001.00020000.00000000.sdmp, ybmcltmshprh.sys.37.dr

Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC64DCE0 FindFirstFileExW,	30_2_00000225DC64DCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC6ADCE0 FindFirstFileExW,	30_2_00000225DC6ADCE0
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0AEDCE0 FindFirstFileExW,	31_2_00000202C0AEDCE0
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0B4DCE0 FindFirstFileExW,	31_2_00000202C0B4DCE0
Source: C:\Windows\System32\sc.exe	Code function: 33_2_000001BCD1C5DCE0 FindFirstFileExW,	33_2_000001BCD1C5DCE0
Source: C:\Windows\System32\conhost.exe	Code function: 35_2_000001AFBC54DCE0 FindFirstFileExW,	35_2_000001AFBC54DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002A66130DCE0 FindFirstFileExW,	36_2_000002A66130DCE0
Source: C:\Windows\System32\dwm.exe	Code function: 38_2_000002BAAEDDDCE0 FindFirstFileExW,	38_2_000002BAAEDDDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_0000026A879CDCE0 FindFirstFileExW,	42_2_0000026A879CDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_00000179537ADCE0 FindFirstFileExW,	43_2_00000179537ADCE0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_000002295D56DCE0 FindFirstFileExW,	44_2_000002295D56DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_0000025306E6DCE0 FindFirstFileExW,	45_2_0000025306E6DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_0000025306ECDCE0 FindFirstFileExW,	45_2_0000025306ECDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_000001845B94DCE0 FindFirstFileExW,	53_2_000001845B94DCE0

Source: Network traffic	Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.4:58069 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.4:49734 -> 37.203.243.102:80

Source: unknown

DNS traffic detected: query: slkpanel3458647.site replaycode: Name error (3)

Source: lsass.exe, 0000001F.00000002.3242305511.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C03B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 0000001F.00000000.1821977863.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 0000001F.00000002.3238221679.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821473498.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3242305511.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 0000001F.00000000.1821977863.00000202C03BA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821473498.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 0000001F.00000003.2271906692.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821838171.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3242305511.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C03B5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3242123112.00000202C0379000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: lsass.exe, 0000001F.00000000.1821977863.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: WindowsAutHost, 00000025.00000003.1882707628.0000016F8FAF0000.00000004.00000001.00020000.00000000.sdmp, ybmcltmshprh.sys.37.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: WindowsAutHost, 00000025.00000003.1882707628.0000016F8FAF0000.00000004.00000001.00020000.00000000.sdmp, ybmcltmshprh.sys.37.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: WindowsAutHost, 00000025.00000003.1882707628.0000016F8FAF0000.00000004.00000001.00020000.00000000.sdmp, ybmcltmshprh.sys.37.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: WindowsAutHost, 00000025.00000003.1882707628.0000016F8FAF0000.00000004.00000001.00020000.00000000.sdmp, ybmcltmshprh.sys.37.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: lsass.exe, 0000001F.00000002.3242305511.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C03B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 0000001F.00000000.1821977863.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 0000001F.00000000.1821977863.00000202C03BA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821473498.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000001F.00000002.3238221679.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821473498.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3242305511.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 0000001F.00000000.1821977863.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000001F.00000003.2271906692.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821838171.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3242305511.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C03B5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3242123112.00000202C0379000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 0000001F.00000002.3239359444.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3242305511.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821660332.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1822282202.00000202C043D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000003.2281801480.00000202C0249000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 0000001F.00000002.3242305511.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C03B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 0000001F.00000002.3238221679.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821473498.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3242305511.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000001F.00000000.1821977863.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000001F.00000003.2271906692.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821838171.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3242305511.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C03B5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3242123112.00000202C0379000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: lsass.exe, 0000001F.00000002.3238221679.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821473498.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 0000001F.00000002.3239359444.00000202C0200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821631460.00000202C0200000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 0000001F.00000002.3237726005.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821333455.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 0000001F.00000000.1821371502.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3237848048.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 0000001F.00000002.3237726005.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821333455.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: lsass.exe, 0000001F.00000002.3238221679.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C03BA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821473498.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3242305511.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C03B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 0000001F.00000002.3239359444.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3242305511.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821660332.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1822282202.00000202C043D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000003.2281801480.00000202C0249000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 0000001F.00000003.2271906692.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821838171.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3242305511.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C03B5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3242123112.00000202C0379000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 0000001F.00000000.1821977863.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: lsass.exe, 0000001F.00000000.1821977863.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.
Source: lsass.exe, 0000001F.00000003.2271906692.00000202C038E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000003.2271906692.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3239359444.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821838171.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3242305511.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821660332.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000003.2281801480.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3242123112.00000202C0379000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: lsass.exe, 0000001F.00000002.3237726005.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821333455.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 0000001F.00000002.3237726005.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821333455.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: lsass.exe, 0000001F.00000002.3237726005.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821333455.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821371502.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3237848048.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 0000001F.00000002.3237726005.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821333455.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 0000001F.00000002.3237726005.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821333455.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 0000001F.00000002.3237726005.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821333455.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: lsass.exe, 0000001F.00000000.1821977863.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: lsass.exe, 0000001F.00000003.2271906692.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821838171.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3242305511.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821977863.00000202C03B5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3242123112.00000202C0379000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0~

Spam, unwanted Advertisements and Ransom Demands

Modifies the hosts file

Source: C:\Users\user\Desktop\services64.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process information set: 01 00 00 00			Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process information set: 01 00 00 00			Jump to behavior

System Summary

PE file contains section with special chars

Source: services64.exe	Static PE information: section name: .:ja
Source: services64.exe	Static PE information: section name: ."8l
Source: WindowsAutHost.0.dr	Static PE information: section name: .:ja
Source: WindowsAutHost.0.dr	Static PE information: section name: ."8l

Uses powercfg.exe to modify the power settings

Source: C:\Users\user\Desktop\services64.exe

Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

Source: C:\Windows\System32\dialer.exe	Code function: 25_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,	25_2_00000001400010C0
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC6428C8 NtEnumerateValueKey,NtEnumerateValueKey,	30_2_00000225DC6428C8
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0AE202C NtQuerySystemInformation,StrCmpNIW,	31_2_00000202C0AE202C
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0AE253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,	31_2_00000202C0AE253C
Source: C:\Windows\System32\sc.exe	Code function: 33_2_000001BCD1C52B2C NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW,	33_2_000001BCD1C52B2C
Source: C:\Windows\System32\sc.exe	Code function: 33_2_000001BCD1C528C8 NtEnumerateValueKey,NtEnumerateValueKey,	33_2_000001BCD1C528C8
Source: C:\Windows\System32\dwm.exe	Code function: 38_2_000002BAAEDD28C8 NtEnumerateValueKey,NtEnumerateValueKey,	38_2_000002BAAEDD28C8

Source: C:\Windows\System32\sc.exe

Code function: 33_2_000001BCD1C52B2C: NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW,

33_2_000001BCD1C52B2C

Source: C:\ProgramData\WindowsServices\WindowsAutHost

File created: C:\Windows\TEMP\ybmcltmshprh.sys

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_ygdwurri.usj.ps1

Jump to behavior

Source: C:\Windows\System32\dialer.exe	Code function: 25_2_000000014000226C	25_2_000000014000226C
Source: C:\Windows\System32\dialer.exe	Code function: 25_2_00000001400014D8	25_2_00000001400014D8
Source: C:\Windows\System32\dialer.exe	Code function: 25_2_0000000140002560	25_2_0000000140002560
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC611F2C	30_2_00000225DC611F2C
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC61D0E0	30_2_00000225DC61D0E0
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC6238A8	30_2_00000225DC6238A8
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC642B2C	30_2_00000225DC642B2C
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC64DCE0	30_2_00000225DC64DCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC6544A8	30_2_00000225DC6544A8
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC671F2C	30_2_00000225DC671F2C
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC67D0E0	30_2_00000225DC67D0E0
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC6838A8	30_2_00000225DC6838A8
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC6A2B2C	30_2_00000225DC6A2B2C
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC6ADCE0	30_2_00000225DC6ADCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC6B44A8	30_2_00000225DC6B44A8
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0AB1F2C	31_2_00000202C0AB1F2C
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0AC38A8	31_2_00000202C0AC38A8
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0ABD0E0	31_2_00000202C0ABD0E0
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0AE2B2C	31_2_00000202C0AE2B2C
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0AF44A8	31_2_00000202C0AF44A8
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0AEDCE0	31_2_00000202C0AEDCE0
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0B42B2C	31_2_00000202C0B42B2C
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0B544A8	31_2_00000202C0B544A8
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0B4DCE0	31_2_00000202C0B4DCE0
Source: C:\Windows\System32\sc.exe	Code function: 33_2_000001BCD1A41F2C	33_2_000001BCD1A41F2C
Source: C:\Windows\System32\sc.exe	Code function: 33_2_000001BCD1A4D0E0	33_2_000001BCD1A4D0E0
Source: C:\Windows\System32\sc.exe	Code function: 33_2_000001BCD1A538A8	33_2_000001BCD1A538A8
Source: C:\Windows\System32\sc.exe	Code function: 33_2_000001BCD1C52B2C	33_2_000001BCD1C52B2C
Source: C:\Windows\System32\sc.exe	Code function: 33_2_000001BCD1C5DCE0	33_2_000001BCD1C5DCE0
Source: C:\Windows\System32\sc.exe	Code function: 33_2_000001BCD1C644A8	33_2_000001BCD1C644A8
Source: C:\Windows\System32\conhost.exe	Code function: 35_2_000001AFBC5238A8	35_2_000001AFBC5238A8
Source: C:\Windows\System32\conhost.exe	Code function: 35_2_000001AFBC51D0E0	35_2_000001AFBC51D0E0
Source: C:\Windows\System32\conhost.exe	Code function: 35_2_000001AFBC511F2C	35_2_000001AFBC511F2C
Source: C:\Windows\System32\conhost.exe	Code function: 35_2_000001AFBC5544A8	35_2_000001AFBC5544A8
Source: C:\Windows\System32\conhost.exe	Code function: 35_2_000001AFBC54DCE0	35_2_000001AFBC54DCE0
Source: C:\Windows\System32\conhost.exe	Code function: 35_2_000001AFBC542B2C	35_2_000001AFBC542B2C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002A6612D1F2C	36_2_000002A6612D1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002A6612DD0E0	36_2_000002A6612DD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002A6612E38A8	36_2_000002A6612E38A8
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002A661302B2C	36_2_000002A661302B2C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002A66131AEC5	36_2_000002A66131AEC5
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002A66130DCE0	36_2_000002A66130DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002A6613144A8	36_2_000002A6613144A8
Source: C:\Windows\System32\dwm.exe	Code function: 38_2_000002BAAEDA1F2C	38_2_000002BAAEDA1F2C
Source: C:\Windows\System32\dwm.exe	Code function: 38_2_000002BAAEDAD0E0	38_2_000002BAAEDAD0E0
Source: C:\Windows\System32\dwm.exe	Code function: 38_2_000002BAAEDB38A8	38_2_000002BAAEDB38A8
Source: C:\Windows\System32\dwm.exe	Code function: 38_2_000002BAAEDD2B2C	38_2_000002BAAEDD2B2C
Source: C:\Windows\System32\dwm.exe	Code function: 38_2_000002BAAEDDDCE0	38_2_000002BAAEDDDCE0
Source: C:\Windows\System32\dwm.exe	Code function: 38_2_000002BAAEDE44A8	38_2_000002BAAEDE44A8
Source: C:\Windows\System32\dwm.exe	Code function: 38_2_000002BAAEE01F2C	38_2_000002BAAEE01F2C
Source: C:\Windows\System32\dwm.exe	Code function: 38_2_000002BAAEE0D0E0	38_2_000002BAAEE0D0E0
Source: C:\Windows\System32\dwm.exe	Code function: 38_2_000002BAAEE138A8	38_2_000002BAAEE138A8
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_0000026A8799D0E0	42_2_0000026A8799D0E0
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_0000026A879A38A8	42_2_0000026A879A38A8
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_0000026A87991F2C	42_2_0000026A87991F2C
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_0000026A879CDCE0	42_2_0000026A879CDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_0000026A879D44A8	42_2_0000026A879D44A8
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_0000026A879C2B2C	42_2_0000026A879C2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_00000179537838A8	43_2_00000179537838A8
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_000001795377D0E0	43_2_000001795377D0E0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000017953771F2C	43_2_0000017953771F2C
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_00000179537B44A8	43_2_00000179537B44A8
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_00000179537ADCE0	43_2_00000179537ADCE0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_00000179537A2B2C	43_2_00000179537A2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_000002295D53D0E0	44_2_000002295D53D0E0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_000002295D5438A8	44_2_000002295D5438A8
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_000002295D531F2C	44_2_000002295D531F2C
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_000002295D56DCE0	44_2_000002295D56DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_000002295D5744A8	44_2_000002295D5744A8
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_000002295D562B2C	44_2_000002295D562B2C
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_00000253067D1F2C	45_2_00000253067D1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_00000253067DD0E0	45_2_00000253067DD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_00000253067E38A8	45_2_00000253067E38A8
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_0000025306E62B2C	45_2_0000025306E62B2C
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_0000025306E6DCE0	45_2_0000025306E6DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_0000025306E744A8	45_2_0000025306E744A8
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_0000025306EC2B2C	45_2_0000025306EC2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_0000025306ECDCE0	45_2_0000025306ECDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_0000025306ED44A8	45_2_0000025306ED44A8
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_000001845B9544A8	53_2_000001845B9544A8
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_000001845B94DCE0	53_2_000001845B94DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_000001845B942B2C	53_2_000001845B942B2C

Source: Joe Sandbox View

Dropped File: C:\Windows\Temp\ybmcltmshprh.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: ybmcltmshprh.sys.37.dr

Binary string: \Device\WinRing0_1_2_0

Source: classification engine

Classification label: mal100.adwa.spyw.evad.mine.winEXE@91/14@0/0

Source: C:\Windows\System32\dialer.exe

Code function: 25_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,

25_2_000000014000226C

Source: C:\Windows\System32\dialer.exe

Code function: 25_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,

25_2_00000001400019C4

Source: C:\Windows\System32\dialer.exe

25_2_000000014000226C

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7844:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3384:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gokxv2ys.3jg.ps1

Jump to behavior

Source: C:\Users\user\Desktop\services64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\services64.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: services64.exe

ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\services64.exe

File read: C:\Users\user\Desktop\services64.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\services64.exe "C:\Users\user\Desktop\services64.exe"
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "WindowsAutHost"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "WindowsAutHost"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\WindowsServices\WindowsAutHost C:\ProgramData\WindowsServices\WindowsAutHost
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "WindowsAutHost"	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto"	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "WindowsAutHost"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart

Source: C:\Users\user\Desktop\services64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: services64.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: services64.exe

Static file information: File size 17878016 > 1048576

Source: services64.exe

Static PE information: Raw size of ."8l is bigger than: 0x100000 < 0x110bc00

Source: services64.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Source: initial sample

Static PE information: section where entry point is pointing to: ."8l

Source: services64.exe	Static PE information: section name: .00cfg
Source: services64.exe	Static PE information: section name: .:ja
Source: services64.exe	Static PE information: section name: .J4v
Source: services64.exe	Static PE information: section name: ."8l
Source: WindowsAutHost.0.dr	Static PE information: section name: .00cfg
Source: WindowsAutHost.0.dr	Static PE information: section name: .:ja
Source: WindowsAutHost.0.dr	Static PE information: section name: .J4v
Source: WindowsAutHost.0.dr	Static PE information: section name: ."8l

Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC62ACDD push rcx; retf 003Fh	30_2_00000225DC62ACDE
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC65C6DD push rcx; retf 003Fh	30_2_00000225DC65C6DE
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC68ACDD push rcx; retf 003Fh	30_2_00000225DC68ACDE
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC6BC6DD push rcx; retf 003Fh	30_2_00000225DC6BC6DE
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0ACACDD push rcx; retf 003Fh	31_2_00000202C0ACACDE
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0AFC6DD push rcx; retf 003Fh	31_2_00000202C0AFC6DE
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0B5C6DD push rcx; retf 003Fh	31_2_00000202C0B5C6DE
Source: C:\Windows\System32\sc.exe	Code function: 33_2_000001BCD1A5ACDD push rcx; retf 003Fh	33_2_000001BCD1A5ACDE
Source: C:\Windows\System32\sc.exe	Code function: 33_2_000001BCD1C6C6DD push rcx; retf 003Fh	33_2_000001BCD1C6C6DE
Source: C:\Windows\System32\conhost.exe	Code function: 35_2_000001AFBC52ACDD push rcx; retf 003Fh	35_2_000001AFBC52ACDE
Source: C:\Windows\System32\conhost.exe	Code function: 35_2_000001AFBC55C6DD push rcx; retf 003Fh	35_2_000001AFBC55C6DE
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002A6612EACDD push rcx; retf 003Fh	36_2_000002A6612EACDE
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002A66131C6DD push rcx; retf 003Fh	36_2_000002A66131C6DE
Source: C:\Windows\System32\dwm.exe	Code function: 38_2_000002BAAEDBACDD push rcx; retf 003Fh	38_2_000002BAAEDBACDE
Source: C:\Windows\System32\dwm.exe	Code function: 38_2_000002BAAEDEC6DD push rcx; retf 003Fh	38_2_000002BAAEDEC6DE
Source: C:\Windows\System32\dwm.exe	Code function: 38_2_000002BAAEE1ACDD push rcx; retf 003Fh	38_2_000002BAAEE1ACDE
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_0000026A879AACDD push rcx; retf 003Fh	42_2_0000026A879AACDE
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_000001795378ACDD push rcx; retf 003Fh	43_2_000001795378ACDE
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_00000179537BC6DD push rcx; retf 003Fh	43_2_00000179537BC6DE
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_000002295D54ACDD push rcx; retf 003Fh	44_2_000002295D54ACDE
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_000002295D57C6DD push rcx; retf 003Fh	44_2_000002295D57C6DE
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_00000253067EACDD push rcx; retf 003Fh	45_2_00000253067EACDE
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_0000025306E7C6DD push rcx; retf 003Fh	45_2_0000025306E7C6DE
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_0000025306EDC6DD push rcx; retf 003Fh	45_2_0000025306EDC6DE
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_000001845B95C6DD push rcx; retf 003Fh	53_2_000001845B95C6DE

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Sample is not signed and drops a device driver

Source: C:\ProgramData\WindowsServices\WindowsAutHost

File created: C:\Windows\TEMP\ybmcltmshprh.sys

Jump to behavior

Source: C:\Users\user\Desktop\services64.exe	File created: C:\ProgramData\WindowsServices\WindowsAutHost			Jump to dropped file
Source: C:\ProgramData\WindowsServices\WindowsAutHost	File created: C:\Windows\Temp\ybmcltmshprh.sys			Jump to dropped file

Source: C:\Users\user\Desktop\services64.exe

File created: C:\ProgramData\WindowsServices\WindowsAutHost

Jump to dropped file

Source: C:\ProgramData\WindowsServices\WindowsAutHost

File created: C:\Windows\Temp\ybmcltmshprh.sys

Jump to dropped file

Source: C:\Users\user\Desktop\services64.exe

File created: C:\ProgramData\WindowsServices\WindowsAutHost

Jump to dropped file

Source: C:\Users\user\Desktop\services64.exe

Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\services64.exe	Memory written: PID: 7432 base: 7FFE22370008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Memory written: PID: 7432 base: 7FFE2220D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Memory written: PID: 7432 base: 7FFE2238000D value: E9 BB CB EB FF	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Memory written: PID: 7432 base: 7FFE2223CBC0 value: E9 5A 34 14 00	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Memory written: PID: 2696 base: 7FFE22370008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Memory written: PID: 2696 base: 7FFE2220D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Memory written: PID: 2696 base: 7FFE2238000D value: E9 BB CB EB FF	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Memory written: PID: 2696 base: 7FFE2223CBC0 value: E9 5A 34 14 00	Jump to behavior

Source: C:\Windows\System32\lsass.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dialer.exe

Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,

25_2_00000001400010C0

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\services64.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	System information queried: FirmwareTableInformation	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: WindowsAutHost, 00000025.00000002.1884994228.0000016F8F90B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: services64.exe, 00000000.00000002.1824302661.00000225232BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLQ

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Users\user\Desktop\services64.exe	Special instruction interceptor: First address: 7FF79BBCC165 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\services64.exe	Special instruction interceptor: First address: 7FF79BBCC1AF instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Special instruction interceptor: First address: 7FF74E64C165 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Special instruction interceptor: First address: 7FF74E64C1AF instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7084	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2670	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 9611	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 388	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 9868	Jump to behavior
Source: C:\Windows\System32\dwm.exe	Window / User API: threadDelayed 9846	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7144
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2478
Source: C:\Windows\System32\dialer.exe	Window / User API: threadDelayed 1802
Source: C:\Windows\System32\dialer.exe	Window / User API: threadDelayed 608

Source: C:\ProgramData\WindowsServices\WindowsAutHost

Dropped PE file which has not been started: C:\Windows\Temp\ybmcltmshprh.sys

Jump to dropped file

Source: C:\Windows\System32\lsass.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_31-22441
Source: C:\Windows\System32\conhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_35-14906
Source: C:\Windows\System32\sc.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_33-15231
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_36-14869

Source: C:\Windows\System32\dialer.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_25-480

Source: C:\Windows\System32\winlogon.exe	API coverage: 6.8 %
Source: C:\Windows\System32\lsass.exe	API coverage: 3.9 %
Source: C:\Windows\System32\conhost.exe	API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.7 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 3.5 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.4 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576	Thread sleep count: 7084 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576	Thread sleep count: 2670 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dialer.exe TID: 8140	Thread sleep count: 51 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2304	Thread sleep count: 9611 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2304	Thread sleep time: -9611000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2304	Thread sleep count: 388 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2304	Thread sleep time: -388000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 4080	Thread sleep count: 9868 > 30	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 4080	Thread sleep time: -9868000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1928	Thread sleep count: 277 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1928	Thread sleep time: -277000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 5236	Thread sleep count: 9846 > 30	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 5236	Thread sleep time: -9846000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5868	Thread sleep count: 7144 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1196	Thread sleep count: 2478 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6172	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2180	Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 2180	Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5800	Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 5800	Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7540	Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 7540	Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7744	Thread sleep count: 245 > 30
Source: C:\Windows\System32\svchost.exe TID: 7744	Thread sleep time: -245000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8160	Thread sleep count: 201 > 30
Source: C:\Windows\System32\svchost.exe TID: 8160	Thread sleep time: -201000s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 8004	Thread sleep count: 1802 > 30
Source: C:\Windows\System32\dialer.exe TID: 8004	Thread sleep time: -180200s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 7216	Thread sleep count: 608 > 30
Source: C:\Windows\System32\dialer.exe TID: 7216	Thread sleep time: -60800s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe	Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC64DCE0 FindFirstFileExW,	30_2_00000225DC64DCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC6ADCE0 FindFirstFileExW,	30_2_00000225DC6ADCE0
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0AEDCE0 FindFirstFileExW,	31_2_00000202C0AEDCE0
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0B4DCE0 FindFirstFileExW,	31_2_00000202C0B4DCE0
Source: C:\Windows\System32\sc.exe	Code function: 33_2_000001BCD1C5DCE0 FindFirstFileExW,	33_2_000001BCD1C5DCE0
Source: C:\Windows\System32\conhost.exe	Code function: 35_2_000001AFBC54DCE0 FindFirstFileExW,	35_2_000001AFBC54DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002A66130DCE0 FindFirstFileExW,	36_2_000002A66130DCE0
Source: C:\Windows\System32\dwm.exe	Code function: 38_2_000002BAAEDDDCE0 FindFirstFileExW,	38_2_000002BAAEDDDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_0000026A879CDCE0 FindFirstFileExW,	42_2_0000026A879CDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_00000179537ADCE0 FindFirstFileExW,	43_2_00000179537ADCE0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_000002295D56DCE0 FindFirstFileExW,	44_2_000002295D56DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_0000025306E6DCE0 FindFirstFileExW,	45_2_0000025306E6DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_0000025306ECDCE0 FindFirstFileExW,	45_2_0000025306ECDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_000001845B94DCE0 FindFirstFileExW,	53_2_000001845B94DCE0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: lsass.exe, 0000001F.00000000.1821473498.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: lsass.exe, 0000001F.00000000.1821473498.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: lsass.exe, 0000001F.00000002.3242123112.00000202C0379000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: svchost.exe, 00000035.00000002.3237678926.000001845AC2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: svchost.exe, 00000024.00000003.1981429941.000002A660660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 0000002C.00000002.3235814438.000002295CE00000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 0000001F.00000000.1821473498.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: dwm.exe, 00000026.00000002.3255074106.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
Source: dwm.exe, 00000026.00000002.3255074106.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: lsass.exe, 0000001F.00000000.1821300760.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3237591657.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000024.00000000.1824949099.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.3235343888.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002B.00000000.1866520559.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.3253941405.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000000.1869478403.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000002.3236324857.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000035.00000000.1876474783.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000035.00000002.3237906650.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000024.00000002.3235463820.000002A66062A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: WindowsAutHost.0.dr	Binary or memory string: N~Vmci

Source: C:\Windows\System32\dialer.exe

API call chain: ExitProcess graph end node

graph_25-413

Source: C:\Users\user\Desktop\services64.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\services64.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\services64.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect debuggers (CloseHandle check)

Source: C:\Users\user\Desktop\services64.exe	Handle closed: DEADC0DE
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Handle closed: DEADC0DE

Source: C:\Users\user\Desktop\services64.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\winlogon.exe

Code function: 30_2_00000225DC647D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

30_2_00000225DC647D90

Source: C:\Windows\System32\dialer.exe

Code function: 25_2_00000001400017EC GetProcessHeap,HeapAlloc,OpenProcess,TerminateProcess,CloseHandle,GetProcessHeap,HeapFree,

25_2_00000001400017EC

Source: C:\Users\user\Desktop\services64.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug

Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC647D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_00000225DC647D90
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC64D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_00000225DC64D2A4
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC6A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_00000225DC6A7D90
Source: C:\Windows\System32\winlogon.exe	Code function: 30_2_00000225DC6AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_00000225DC6AD2A4
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0AED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_00000202C0AED2A4
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0AE7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_00000202C0AE7D90
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0B4D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_00000202C0B4D2A4
Source: C:\Windows\System32\lsass.exe	Code function: 31_2_00000202C0B47D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_00000202C0B47D90
Source: C:\Windows\System32\sc.exe	Code function: 33_2_000001BCD1C5D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_000001BCD1C5D2A4
Source: C:\Windows\System32\sc.exe	Code function: 33_2_000001BCD1C57D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_000001BCD1C57D90
Source: C:\Windows\System32\conhost.exe	Code function: 35_2_000001AFBC547D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	35_2_000001AFBC547D90
Source: C:\Windows\System32\conhost.exe	Code function: 35_2_000001AFBC54D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	35_2_000001AFBC54D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002A66130D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_000002A66130D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002A661307D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_000002A661307D90
Source: C:\Windows\System32\dwm.exe	Code function: 38_2_000002BAAEDD7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_000002BAAEDD7D90
Source: C:\Windows\System32\dwm.exe	Code function: 38_2_000002BAAEDDD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_000002BAAEDDD2A4
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_0000026A879CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_0000026A879CD2A4
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_0000026A879C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_0000026A879C7D90
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_00000179537A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_00000179537A7D90
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_00000179537AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_00000179537AD2A4
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_000002295D56D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_000002295D56D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_000002295D567D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_000002295D567D90
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_0000025306E6D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_0000025306E6D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_0000025306E67D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_0000025306E67D90
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_0000025306ECD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_0000025306ECD2A4
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_0000025306EC7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_0000025306EC7D90
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_000001845B94D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	53_2_000001845B94D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_000001845B947D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	53_2_000001845B947D90

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC610000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 202C0AB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A6612D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAEDA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26A87990000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17953770000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2295D530000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 253067D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1845B390000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC670000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 202C0B10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A661330000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAEE00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26A87F40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 179537D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2295D590000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 25306E90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1845B3C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D559040000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 241A9E70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1CD73160000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2824E860000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21B473C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2086F9D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17183BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23FD3F70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D2A4150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 275BDF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1AAC0260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 203C9F30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B5644B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1C004F60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 24E2AB40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2644ADB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\spoolsv.exe base: 1990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20D25DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26EF5350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A7F0D60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23D0FFB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B1C2570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2108B940000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 29166940000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1988D570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 13869B40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E1CC740000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2855DA70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2BF199D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 15AF3890000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21A03B80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\sihost.exe base: 1CD40E40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 151A6530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 19E27BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17D7B150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BE621A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2252F480000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 184683D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\explorer.exe base: 7D80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1972E260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dasHost.exe base: 2246C5E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 221D5930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A633B40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2928D0A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\smartscreen.exe base: 1A22A640000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21C6CF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF64500000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\audiodg.exe base: 1D349350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23B60D80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F22F7C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1B7733C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 27076D90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 171DB7C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 2D1856F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1BC980F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1F38C3F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 200AC5B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D079160000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E9C6BB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 28CE63D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\sc.exe base: 1BCD1A40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1AFBC510000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\ProgramData\WindowsServices\WindowsAutHost base: 16F8FB60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Windows Defender\MpCmdRun.exe base: 1D849410000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1A7540D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1E5BE130000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1E5BE160000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dialer.exe

Code function: 25_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,

25_2_0000000140001C88

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: DC61273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\lsass.exe EIP: C0AB273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 612D273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\dwm.exe EIP: AEDA273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 8799273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5377273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5D53273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 67D273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DC67273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C0B1273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6133273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AEE0273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 87F4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 537D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5D59273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6E9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5B3C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EBFD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5904273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A9E7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7316273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4E86273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 473C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6F9D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 83BC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D3F7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A415273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BDF3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C026273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C9F3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 644B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7B2A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4F6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2AB4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4ADB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 199273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 25DA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F535273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F0D6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FFB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C257273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8B94273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6694273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 13EF273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8D57273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 69B4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CC74273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5DA7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 199D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F389273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3B8273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 40E4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A653273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 27BC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7B15273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 621A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2F48273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8B4B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 683D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7D8273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2E26273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6C5E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D593273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FC65273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7874273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 33B4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8D0A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AB4C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2A64273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6CF3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6450273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4935273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 60D8273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5E7B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2F7C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E815273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5234273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9DA9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 602E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 733C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 76D9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DB7C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 856F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 980F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8C3F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AC5B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7916273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C6BB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E63D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D1A4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BC51273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4941273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 540D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BE13273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BE16273C

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtQueryInformationProcess: Direct from: 0x7FF74E634835	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtQuerySystemInformation: Direct from: 0x7FF79AEBA2EB	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtOpenFile: Direct from: 0x7FF74E5E0D15	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtQueryInformationProcess: Direct from: 0x7FF79AEC5690	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtQuerySystemInformation: Direct from: 0x7FF74E6395C3	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtQuerySystemInformation: Direct from: 0x7FF79B4EDE4E	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtSetInformationThread: Direct from: 0x7FF79AF0F997	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtQueryInformationProcess: Direct from: 0x7FF79BB4925A	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtProtectVirtualMemory: Direct from: 0x7FF79BB644FB	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtQuerySystemInformation: Direct from: 0x7FF74DB2FAC8	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtQueryInformationProcess: Direct from: 0x7FF79BB70A74	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtQueryInformationProcess: Direct from: 0x7FF74D97C620	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtProtectVirtualMemory: Indirect: 0x7FF74D92DB0D	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtQuerySystemInformation: Direct from: 0x7FF74D9487D6	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtProtectVirtualMemory: Direct from: 0x7FF79B078272	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtProtectVirtualMemory: Direct from: 0x7FF79AEE7F25	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtQueryInformationProcess: Direct from: 0x7FF74DAF2ED6	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtClose: Direct from: 0x7FF79AEC40E5
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtSetInformationProcess: Direct from: 0x7FF74DAF8272	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtProtectVirtualMemory: Direct from: 0x7FF74D9618AE	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtProtectVirtualMemory: Direct from: 0x7FF74E5E9C17	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtProtectVirtualMemory: Indirect: 0x7FF79AEADB0D	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtProtectVirtualMemory: Direct from: 0x7FF79B570E83	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtSetInformationThread: Direct from: 0x7FF74E60396D	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtProtectVirtualMemory: Direct from: 0x7FF79AECA771	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtQueryInformationProcess: Direct from: 0x7FF74D93E62D	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtProtectVirtualMemory: Direct from: 0x7FF74E5F0A74	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtQueryInformationProcess: Direct from: 0x7FF74DFE733E	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtProtectVirtualMemory: Direct from: 0x7FF74DF65BAC	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtMapViewOfSection: Direct from: 0x7FF74D9A4128	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtQueryInformationProcess: Direct from: 0x7FF79AF29773	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtProtectVirtualMemory: Direct from: 0x7FF79B56EBE3	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtProtectVirtualMemory: Direct from: 0x7FF79B072ED6	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtProtectVirtualMemory: Direct from: 0x7FF74E63DECB	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtMapViewOfSection: Direct from: 0x7FF79B525F28	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtProtectVirtualMemory: Direct from: 0x7FF74D94E257	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtProtectVirtualMemory: Direct from: 0x7FF74DFEB966	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtProtectVirtualMemory: Direct from: 0x7FF74DB17075	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtQuerySystemInformation: Direct from: 0x7FF79AEBE62D	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtUnmapViewOfSection: Direct from: 0x7FF74E5C925A	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtQueryInformationProcess: Direct from: 0x7FF79B506531	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtSetInformationThread: Direct from: 0x7FF74D9A1621	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtQuerySystemInformation: Direct from: 0x7FF74D946775	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtQuerySystemInformation: Direct from: 0x7FF79BBBDECB	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtProtectVirtualMemory: Direct from: 0x7FF74DB24C63	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	NtUnmapViewOfSection: Direct from: 0x7FF79B0B34D2	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtQuerySystemInformation: Direct from: 0x7FF74D99B66B	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	NtProtectVirtualMemory: Direct from: 0x7FF74DF9854B	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDA0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B390000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC670000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0B10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A661330000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAEE00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87F40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 179537D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D590000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25306E90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5644B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108B940000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166940000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 7D80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF64500000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60D80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1B7733C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 27076D90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 171DB7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 2D1856F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1BC980F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F38C3F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 200AC5B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D079160000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E9C6BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 28CE63D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sc.exe base: 1BCD1A40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1AFBC510000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\ProgramData\WindowsServices\WindowsAutHost base: 16F8FB60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 1D849410000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1A7540D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E5BE130000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E5BE160000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dialer.exe

Memory written: PID: 2580 base: 7D80000 value: 4D

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\services64.exe	Thread register set: target process: 8136	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Thread register set: target process: 8052	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Thread register set: target process: 8184	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Thread register set: target process: 732	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\services64.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDA0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B390000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 28CE5850000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC670000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0B10000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A661330000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAEE00000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87F40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 179537D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D590000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25306E90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B3C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5644B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108B940000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166940000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 7D80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF64500000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60D80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1B7733C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 27076D90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 171DB7C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 2D1856F0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1BC980F0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F38C3F0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 200AC5B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D079160000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E9C6BB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 28CE63D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sc.exe base: 1BCD1A40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1AFBC510000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\ProgramData\WindowsServices\WindowsAutHost base: 16F8FB60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 1D849410000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1A7540D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E5BE130000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E5BE160000

Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart

Source: C:\Windows\System32\dialer.exe

Code function: 25_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

25_2_0000000140001B54

Source: C:\Windows\System32\dialer.exe

Code function: 25_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

25_2_0000000140001B54

Source: dwm.exe, 00000026.00000002.3252360297.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 00000026.00000000.1828789854.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: winlogon.exe, 0000001E.00000002.3240659299.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001E.00000000.1817457345.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000026.00000000.1830778922.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 0000001E.00000002.3240659299.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001E.00000000.1817457345.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000026.00000000.1830778922.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: winlogon.exe, 0000001E.00000002.3240659299.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001E.00000000.1817457345.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000026.00000000.1830778922.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: winlogon.exe, 0000001E.00000002.3240659299.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001E.00000000.1817457345.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000026.00000000.1830778922.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Windows\System32\winlogon.exe

Code function: 30_2_00000225DC6236F0 cpuid

30_2_00000225DC6236F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\dialer.exe

Code function: 25_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

25_2_0000000140001B54

Source: C:\Windows\System32\winlogon.exe

Code function: 30_2_00000225DC647960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

30_2_00000225DC647960

Lowering of HIPS / PFW / Operating System Security Settings

Modifies power options to not sleep / hibernate

Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Users\user\Desktop\services64.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\ProgramData\WindowsServices\WindowsAutHost	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\services64.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 File and Directory Permissions Modification	2 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Service Execution	11 Windows Service	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	2 Credential API Hooking	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Access Token Manipulation	1 Abuse Elevation Control Mechanism	Security Account Manager	123 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Windows Service	1 Obfuscated Files or Information	NTDS	731 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	713 Process Injection	1 Install Root Certificate	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	231 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	4 Rootkit	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Masquerading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Modify Registry	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	231 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Access Token Manipulation	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	713 Process Injection	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service
Business Relationships	Server	Trusted Relationship	Visual Basic	Container Orchestration Job	Container Orchestration Job	1 Hidden Files and Directories	Web Portal Capture	Local Groups	Component Object Model and Distributed COM	Local Email Collection	Internal Proxy	Commonly Used Port	Direct Network Flood

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
services64.exe	47%	ReversingLabs	Win64.Adware.RedCap
services64.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\WindowsServices\WindowsAutHost	100%	Joe Sandbox ML
C:\ProgramData\WindowsServices\WindowsAutHost	47%	ReversingLabs	Win64.Adware.RedCap
C:\Windows\Temp\ybmcltmshprh.sys	5%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://ocsp.msocsp.	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 0000001F.00000002.3237726005.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821333455.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821371502.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3237848048.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 0000001F.00000002.3237726005.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821333455.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 0000001F.00000002.3237726005.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821333455.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 0000001F.00000000.1821371502.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3237848048.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 0000001F.00000002.3237726005.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821333455.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 0000001F.00000002.3237726005.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821333455.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/erties	lsass.exe, 0000001F.00000002.3237726005.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821333455.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 0000001F.00000002.3237726005.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821333455.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	lsass.exe, 0000001F.00000002.3237726005.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.1821333455.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://ocsp.msocsp.	lsass.exe, 0000001F.00000000.1821977863.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575187
Start date and time:	2024-12-14 17:56:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	61
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	9
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	services64.exe
Detection:	MAL
Classification:	mal100.adwa.spyw.evad.mine.winEXE@91/14@0/0
EGA Information:	Successful, ratio: 92.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 62 Number of non-executed functions: 356
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 20.190.177.146, 20.190.177.20, 20.190.177.85, 20.190.177.22, 20.190.177.147, 20.190.177.83, 20.190.147.10, 20.190.177.23, 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, slkpanel3458647.site, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, pool.hashvault.pro, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target services64.exe, PID 7432 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: services64.exe

Simulations

Behavior and APIs

Time	Type	Description
11:57:12	API Interceptor	30x Sleep call for process: powershell.exe modified
11:57:48	API Interceptor	579137x Sleep call for process: winlogon.exe modified
11:57:49	API Interceptor	479582x Sleep call for process: lsass.exe modified
11:57:49	API Interceptor	1372x Sleep call for process: svchost.exe modified
11:57:53	API Interceptor	551576x Sleep call for process: dwm.exe modified
11:57:58	API Interceptor	1859x Sleep call for process: dialer.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Temp\ybmcltmshprh.sys	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	5EZLEXDveC.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	6R0yrvM8Hk.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	Step 3 - Setup_Install.exe	Get hash	malicious	Xmrig	Browse
	Step 3 - Setup_Install.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	DarkVision Rat, Xmrig	Browse

Created / dropped Files

C:\ProgramData\WindowsServices\WindowsAutHost

Download File

Process:	C:\Users\user\Desktop\services64.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17878016
Entropy (8bit):	7.9016694571881345
Encrypted:	false
SSDEEP:	393216:7KmaIQfcS5boKvqDG/mCSq20y8/qDvnEkWX:7x/GborG/46gHW
MD5:	A36AA640215E6E609FB942FF79C5ADB5
SHA1:	DC636F4DE97D4B948D0ABFBFA37EBECA08B5DA55
SHA-256:	FF0A72D1860C9CAD62AA4E48AFE58831EDC35EF4947661C7335DD08E5F26E05B
SHA-512:	546948EF0C7E29D0F92EBA004BE271A8A93375B1D1B934C643E7C963E3B2095D40368CBDA8FEB79CC342F88F7199016A6D2EB715B0E4E0516097E57787B9DB98
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Preview:	MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d...3.3g.........."...........S................@.............................p............`.....................................................d............/.. +...........`...............................L..(.......8...............h............................text............................... ..`.rdata...\..........................@..@.data...X.R..@......................@....pdata.......@T.....................@..@.00cfg.......PT.....................@..@.tls.........`T.....................@....:ja......y..pT..................... ..`.J4v....h...........................@...."8l................................`..h.reloc.......`......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.dat

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllullkv/tz:NllU+v/
MD5:	6442F277E58B3984BA5EEE0C15C0C6AD
SHA1:	5343ADC2E7F102EC8FB6A101508730898CB14F57
SHA-256:	36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
SHA-512:	F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_celngssp.xza.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gokxv2ys.3jg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mab1rsfs.ubo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zcj001dt.dmy.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:NlllulvX/Z:NllUvX
MD5:	E55E6E0E1AB6A345A7BCC5FD9C39F70C
SHA1:	E5344BE0ED383244752DD96C35183014062EB114
SHA-256:	9635856D4CAE632D612BDD5736CEA8F6B6AEEBD6FE3AEB04A842FBDB386BCC91
SHA-512:	74908F7F2D21452483A47A25A5728B9211215C6DB2591E94806E477B6B870C92BCE7E11D64A6E9B4AB225927869AD5440ED2995CCA42FD6C8612B027F994A2A5
Malicious:	false
Preview:	@...e................................................@..........

C:\Windows\System32\drivers\etc\hosts

Download File

Process:	C:\Users\user\Desktop\services64.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1117
Entropy (8bit):	4.596294141775527
Encrypted:	false
SSDEEP:	24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTthGCRfRBKJy:vDZhyoZWM9rU5fFc2RfRH
MD5:	D6F07B2DF0BD08AECA44B6AA714A3F6B
SHA1:	FEC1A6EE587A5166BD760CF66C36B691EEEDF8F9
SHA-256:	D77E1765CC5BE66A783E1C82FAAA325134911DA899903D74D14588D345497C7D
SHA-512:	23E92EBF5DEFFC8E42F7D4CE5BD43F793F77DE433EB1BA8A6EE0F03C004CB1E39A334F8441F44AEEF313DA3051C803348A363F2F7F853A716F56877DC7741CBB
Malicious:	true
Preview:	# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....0.0.0.0 kaspersky.com..0.0.0.0 drweb.com..0.0.0.0 360totalsecurity.com..0.0.0.0 emsisoftware.com..0.0.0.0 bitdefender.com..0.0.0.0 bitdefe

C:\Windows\Temp\__PSScriptPolicyTest_4vm5bhut.hui.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_hg044cae.wfc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_lbdh3gie.v3h.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_ygdwurri.usj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\ybmcltmshprh.sys

Download File

Process:	C:\ProgramData\WindowsServices\WindowsAutHost
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 5EZLEXDveC.exe, Detection: malicious, Browse Filename: 6R0yrvM8Hk.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Step 3 - Setup_Install.exe, Detection: malicious, Browse Filename: Step 3 - Setup_Install.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.9016694571881345
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	services64.exe
File size:	17'878'016 bytes
MD5:	a36aa640215e6e609fb942ff79c5adb5
SHA1:	dc636f4de97d4b948d0abfbfa37ebeca08b5da55
SHA256:	ff0a72d1860c9cad62aa4e48afe58831edc35ef4947661c7335dd08e5f26e05b
SHA512:	546948ef0c7e29d0f92eba004be271a8a93375b1d1b934c643e7c963e3b2095d40368cbda8feb79cc342f88f7199016a6d2eb715b0e4e0516097e57787b9db98
SSDEEP:	393216:7KmaIQfcS5boKvqDG/mCSq20y8/qDvnEkWX:7x/GborG/46gHW
TLSH:	AA0723C3E19E99BCE5C75704984023CF38D8A1B65DADD95C3ACD0C03EA56EAD81CA772
File Content Preview:	MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d...3.3g.........."...........S................@.............................p............`........................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140d28a90
Entrypoint Section:	."8l
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67339933 [Tue Nov 12 18:06:43 2024 UTC]
TLS Callbacks:	0x4130bcdc, 0x1, 0x40001760, 0x1, 0x400017e0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	c7b7b517cf49febe9724e1b897a98881

Entrypoint Preview

Instruction
call 00007F876C9BA5AFh
inc ecx
push edx
pushfd
dec ecx
mov edx, 69829627h
stosd
push eax
mov ch, 71h
dec esp
mov edx, dword ptr [esp+08h]
dec eax
mov dword ptr [esp+08h], 8542B56Fh
push dword ptr [esp+00h]
popfd
dec eax
lea esp, dword ptr [esp+08h]
call 00007F876D87E574h
jnle 00007F876C9E7B46h
insb
mov edi, D9455D45h
scasb
fiadd dword ptr [eax-73h]
std
and eax, 40DAAE59h
inc ebp
aad C5h
mov al, 3Ch
sbb edi, dword ptr [edi+22F222E7h]
bound esp, dword ptr [edi+esi*8]
push ecx
dec ecx
adc dword ptr [ebp+11BF2550h], ecx
cmp dword ptr [ecx], esi
lodsb
mov eax, dword ptr [12EA408Ah]
push esi
in eax, dx
clc
inc eax
push ebx
and eax, E37A043Ch
cld
scasb
xor al, 44h
outsd
push edx
mov edx, 35EF315Ah
inc esp
outsd
push edx
fild qword ptr [edx]
sub ch, byte ptr [eax+476BBEC3h]
jbe 00007F876C9E7AC6h
fistp dword ptr [edi-0Eh]
xor dword ptr [esi], eax
mov cl, B5h
mov si, fs
scasd
xchg eax, esp
jnp 00007F876C9E7A9Ah
int1
pop ebp
ror dword ptr [edi+35h], 68h
sbb dword ptr [eax+6Bh], edx
mov bh, BCh
push cs
mov byte ptr [3EF56B3Eh], al
jmp far B186h : 912594C9h
fbld [edi-71535257h]
hlt
push 00000070h
jne 00007F876C9E7B02h
pushad
in eax, dx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xea8110	0x64	."8l
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1de2ff0	0x2b20	."8l
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1de6000	0x114	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xd54c10	0x28	."8l
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1de2eb0	0x138	."8l
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xcd9000	0x68	.J4v
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc4b6	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x5cfc	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x14000	0x52f458	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x544000	0x1bc	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x545000	0x10	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x546000	0x10	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.:ja	0x547000	0x791b0c	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.J4v	0xcd9000	0x868	0xa00	078cb98bf66c3e6750dee49e01543a36	False	0.026953125	data	0.14899665250988958	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
."8l	0xcda000	0x110bb10	0x110bc00	4590cb074bb125fe5bc68e5a6107c0d9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x1de6000	0x114	0x200	17dc5c669d5136a7c8f36f4e065f8da8	False	0.3984375	data	2.6297198380486444	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
msvcrt.dll	__C_specific_handler
KERNEL32.dll	DeleteCriticalSection
KERNEL32.dll	GetSystemTimeAsFileTime
KERNEL32.dll	HeapAlloc, HeapFree, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 14, 2024 17:57:25.520035028 CET	53	52894	1.1.1.1	192.168.2.4
Dec 14, 2024 17:57:38.964623928 CET	53	62815	1.1.1.1	192.168.2.4
Dec 14, 2024 17:58:24.437958002 CET	53	57784	1.1.1.1	192.168.2.4
Dec 14, 2024 17:59:40.884392977 CET	53	51880	1.1.1.1	192.168.2.4

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 14, 2024 17:57:25.520035028 CET	1.1.1.1	192.168.2.4	0xfa96	Name error (3)	slkpanel3458647.site	none	none	A (IP address)	IN (0x0001)	false
Dec 14, 2024 17:57:38.964623928 CET	1.1.1.1	192.168.2.4	0xf58d	Name error (3)	slkpanel3458647.site	none	none	A (IP address)	IN (0x0001)	false
Dec 14, 2024 17:58:24.437958002 CET	1.1.1.1	192.168.2.4	0x33cf	Name error (3)	slkpanel3458647.site	none	none	A (IP address)	IN (0x0001)	false
Dec 14, 2024 17:59:40.884392977 CET	1.1.1.1	192.168.2.4	0x2ebe	Name error (3)	slkpanel3458647.site	none	none	A (IP address)	IN (0x0001)	false

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
ZwResumeThread	INLINE	explorer.exe, winlogon.exe
NtDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
ZwDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
NtEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe
ZwEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
NtResumeThread	INLINE	explorer.exe, winlogon.exe
RtlGetNativeSystemInformation	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
NtEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe

Processes

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Process: winlogon.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID:	0
Start time:	11:57:05
Start date:	14/12/2024
Path:	C:\Users\user\Desktop\services64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\services64.exe"
Imagebase:	0x7ff79a1e0000
File size:	17'878'016 bytes
MD5 hash:	A36AA640215E6E609FB942FF79C5ADB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:57:11
Start date:	14/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:57:11
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:57:14
Start date:	14/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff7c7d40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:57:14
Start date:	14/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop UsoSvc
Imagebase:	0x7ff645470000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:57:14
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:57:14
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:57:14
Start date:	14/12/2024
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff6aca30000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:57:14
Start date:	14/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop WaaSMedicSvc
Imagebase:	0x7ff645470000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:57:14
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:57:14
Start date:	14/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop wuauserv
Imagebase:	0x7ff645470000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:57:15
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:57:15
Start date:	14/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop bits
Imagebase:	0x7ff645470000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:57:15
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:57:15
Start date:	14/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop dosvc
Imagebase:	0x7ff645470000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:57:15
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:57:15
Start date:	14/12/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Imagebase:	0x7ff7f4b40000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:57:15
Start date:	14/12/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Imagebase:	0x7ff7f4b40000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:57:15
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:57:15
Start date:	14/12/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Imagebase:	0x7ff7f4b40000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:57:15
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:57:15
Start date:	14/12/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Imagebase:	0x7ff7f4b40000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:57:15
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	11:57:15
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:57:15
Start date:	14/12/2024
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\dialer.exe
Imagebase:	0x7ff720e40000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	11:57:15
Start date:	14/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe delete "WindowsAutHost"
Imagebase:	0x7ff645470000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	11:57:15
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	11:57:16
Start date:	14/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto"
Imagebase:	0x7ff645470000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	11:57:16
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	11:57:16
Start date:	14/12/2024
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff7cd660000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	11:57:16
Start date:	14/12/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff7a2ae0000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	11:57:16
Start date:	14/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop eventlog
Imagebase:	0x7ff645470000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	11:57:16
Start date:	14/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe start "WindowsAutHost"
Imagebase:	0x7ff645470000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	11:57:16
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	11:57:16
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	11:57:16
Start date:	14/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	11:57:17
Start date:	14/12/2024
Path:	C:\ProgramData\WindowsServices\WindowsAutHost
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\WindowsServices\WindowsAutHost
Imagebase:	0x7ff74cc60000
File size:	17'878'016 bytes
MD5 hash:	A36AA640215E6E609FB942FF79C5ADB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	11:57:17
Start date:	14/12/2024
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff74e710000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	11:57:19
Start date:	14/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	11:57:19
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	11:57:20
Start date:	14/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	11:57:21
Start date:	14/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	11:57:21
Start date:	14/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	11:57:21
Start date:	14/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	11:57:21
Start date:	14/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff7c7d40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	11:57:21
Start date:	14/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop UsoSvc
Imagebase:	0x7ff645470000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	11:57:21
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	11:57:21
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	11:57:21
Start date:	14/12/2024
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff6aca30000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	11:57:21
Start date:	14/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop WaaSMedicSvc
Imagebase:	0x7ff645470000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	11:57:21
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	11:57:21
Start date:	14/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	54
Start time:	11:57:21
Start date:	14/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop wuauserv
Imagebase:	0x7ff645470000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	11:57:22
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	11:57:22
Start date:	14/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop bits
Imagebase:	0x7ff645470000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	11:57:22
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	11:57:22
Start date:	14/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop dosvc
Imagebase:	0x7ff645470000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	11:57:22
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	11:57:22
Start date:	14/12/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Imagebase:	0x7ff7f4b40000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	11:57:22
Start date:	14/12/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Imagebase:	0x7ff7f4b40000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	11:57:22
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	11:57:22
Start date:	14/12/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Imagebase:	0x7ff7f4b40000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	11:57:22
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	11:57:22
Start date:	14/12/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Imagebase:	0x7ff7f4b40000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	11:57:22
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	11:57:22
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	11:57:22
Start date:	14/12/2024
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\dialer.exe
Imagebase:	0x7ff720e40000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	69
Start time:	11:57:22
Start date:	14/12/2024
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\dialer.exe
Imagebase:	0x7ff720e40000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	45.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	67%
Total number of Nodes:	227
Total number of Limit Nodes:	25

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000000014000226C Relevance: 61.4, APIs: 27, Strings: 8, Instructions: 165
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140001F2C: StrCpyW.SHLWAPI ref: 0000000140001F5D
Part of subcall function 0000000140001F2C: StrCatW.SHLWAPI ref: 0000000140001F6B
Part of subcall function 0000000140001F2C: GetModuleHandleW.KERNEL32 ref: 0000000140001F74
Part of subcall function 0000000140001F2C: GetCurrentProcess.KERNEL32 ref: 0000000140001F94
Part of subcall function 0000000140001F2C: K32GetModuleInformation.KERNEL32 ref: 0000000140001FA8
Part of subcall function 0000000140001F2C: CreateFileW.KERNELBASE ref: 0000000140001FD8
Part of subcall function 0000000140001F2C: CreateFileMappingW.KERNELBASE ref: 0000000140002002
Part of subcall function 0000000140001F2C: MapViewOfFile.KERNELBASE ref: 0000000140002025
Part of subcall function 0000000140001F2C: lstrcmpiA.KERNEL32 ref: 000000014000207B
Part of subcall function 0000000140001F2C: CloseHandle.KERNELBASE ref: 00000001400020E7
Part of subcall function 0000000140001F2C: CloseHandle.KERNEL32 ref: 00000001400020F0
Part of subcall function 0000000140001F2C: FreeLibrary.KERNEL32 ref: 00000001400020F9

Part of subcall function 0000000140001F2C: VirtualProtect.KERNELBASE ref: 00000001400020AE
Part of subcall function 0000000140001F2C: VirtualProtect.KERNELBASE ref: 00000001400020DE

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
GetLastError.KERNEL32 ref: 0000000140002312
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
LocalFree.KERNEL32 ref: 0000000140002408
RegCreateKeyExW.KERNELBASE ref: 000000014000243E
GetCurrentProcessId.KERNEL32 ref: 0000000140002448
RegSetValueExW.KERNELBASE ref: 000000014000246F
RegCloseKey.KERNELBASE ref: 0000000140002479
RegCloseKey.ADVAPI32 ref: 0000000140002483
CreateThread.KERNELBASE ref: 00000001400024A4
GetProcessHeap.KERNEL32 ref: 00000001400024AA
HeapAlloc.KERNEL32 ref: 00000001400024B9
CreateThread.KERNELBASE ref: 00000001400024E8
CreateThread.KERNELBASE ref: 0000000140002509
SleepEx.KERNELBASE ref: 0000000140002511

Strings

D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 00000001400023DE
kernel32.dll, xrefs: 0000000140002283
ntdll.dll, xrefs: 0000000140002277
SeDebugPrivilege, xrefs: 00000001400022C9
svc64, xrefs: 0000000140002452
pid, xrefs: 000000014000241B
SOFTWARE\dialerconfig, xrefs: 0000000140002399
DLL, xrefs: 0000000140002321

Memory Dump Source

Source File: 00000019.00000002.1888117862.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000019.00000002.1888083299.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888155697.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888186496.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_140000000_dialer.jbxd

Similarity

API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
API String ID: 4177739653-1130149537
Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740

Function 00000001400010C0 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 257
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400018AC: OpenProcess.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018CA
Part of subcall function 00000001400018AC: IsWow64Process.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018E0
Part of subcall function 00000001400018AC: CloseHandle.KERNELBASE(?,?,?,000000014000110E), ref: 00000001400018FB

OpenProcess.KERNEL32 ref: 000000014000112C
OpenProcess.KERNEL32 ref: 000000014000114B
K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001170
PathFindFileNameW.SHLWAPI ref: 000000014000117E
lstrlenW.KERNEL32 ref: 000000014000118A
StrCpyW.SHLWAPI ref: 00000001400011A1
CloseHandle.KERNEL32 ref: 00000001400011AD
StrCmpIW.SHLWAPI ref: 00000001400011E2
NtQueryInformationProcess.NTDLL ref: 0000000140001216
OpenProcessToken.ADVAPI32 ref: 0000000140001240
GetTokenInformation.KERNELBASE ref: 000000014000126C
GetLastError.KERNEL32 ref: 0000000140001276
LocalAlloc.KERNEL32 ref: 0000000140001289
GetTokenInformation.KERNELBASE ref: 00000001400012B5
GetSidSubAuthorityCount.ADVAPI32 ref: 00000001400012C2
GetSidSubAuthority.ADVAPI32 ref: 00000001400012D1
LocalFree.KERNEL32 ref: 00000001400012E9
CloseHandle.KERNEL32 ref: 00000001400012FD
StrStrA.SHLWAPI ref: 00000001400013A7
VirtualAllocEx.KERNELBASE ref: 000000014000140E
WriteProcessMemory.KERNELBASE ref: 0000000140001431
WaitForSingleObject.KERNEL32 ref: 000000014000147D
GetExitCodeThread.KERNEL32 ref: 0000000140001493
CloseHandle.KERNELBASE ref: 00000001400014AB
CloseHandle.KERNEL32 ref: 00000001400014B4

Strings

@, xrefs: 0000000140001401
MSBuild.exe, xrefs: 00000001400011B8
dialer.exe, xrefs: 00000001400011CC
ReflectiveDllMain, xrefs: 000000014000139D

Memory Dump Source

Source File: 00000019.00000002.1888117862.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000019.00000002.1888083299.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888155697.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888186496.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_140000000_dialer.jbxd

Similarity

API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
API String ID: 2561231171-3753927220
Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

Function 00000001400014D8 Relevance: 19.6, APIs: 13, Instructions: 130
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000000014000150B
HeapAlloc.KERNEL32 ref: 000000014000151E
GetProcessHeap.KERNEL32 ref: 000000014000152C
HeapAlloc.KERNEL32 ref: 000000014000153D
K32EnumProcesses.KERNEL32 ref: 0000000140001557
OpenProcess.KERNEL32 ref: 0000000140001585
K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
ReadProcessMemory.KERNELBASE ref: 00000001400015E1
CloseHandle.KERNELBASE ref: 000000014000161D
GetProcessHeap.KERNEL32 ref: 000000014000162F
HeapFree.KERNEL32 ref: 000000014000163D
GetProcessHeap.KERNEL32 ref: 0000000140001643
HeapFree.KERNEL32 ref: 0000000140001651

Memory Dump Source

Source File: 00000019.00000002.1888117862.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000019.00000002.1888083299.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888155697.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888186496.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_140000000_dialer.jbxd

Similarity

API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
String ID:
API String ID: 4084875642-0
Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

Function 0000000140001B54 Relevance: 9.1, APIs: 6, Instructions: 82
memorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 0000000140001BA3
SetEntriesInAclW.ADVAPI32 ref: 0000000140001BEB
LocalAlloc.KERNEL32 ref: 0000000140001BFB
InitializeSecurityDescriptor.ADVAPI32 ref: 0000000140001C0F
SetSecurityDescriptorDacl.ADVAPI32 ref: 0000000140001C26
CreateNamedPipeW.KERNELBASE ref: 0000000140001C67

Memory Dump Source

Source File: 00000019.00000002.1888117862.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000019.00000002.1888083299.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888155697.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888186496.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_140000000_dialer.jbxd

Similarity

API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
String ID:
API String ID: 3197395349-0
Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

Function 00000001400017EC Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812

Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
Part of subcall function 00000001400014D8: HeapFree.KERNEL32 ref: 000000014000163D
Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
Part of subcall function 00000001400014D8: HeapFree.KERNEL32 ref: 0000000140001651

OpenProcess.KERNEL32 ref: 0000000140001859
TerminateProcess.KERNEL32 ref: 000000014000186C
CloseHandle.KERNEL32 ref: 0000000140001875
GetProcessHeap.KERNEL32 ref: 0000000140001885

Memory Dump Source

Source File: 00000019.00000002.1888117862.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000019.00000002.1888083299.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888155697.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888186496.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_140000000_dialer.jbxd

Similarity

API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
String ID:
API String ID: 1323846700-0
Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

Function 0000000140001F2C Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 124
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCpyW.SHLWAPI ref: 0000000140001F5D
StrCatW.SHLWAPI ref: 0000000140001F6B
GetModuleHandleW.KERNEL32 ref: 0000000140001F74
GetCurrentProcess.KERNEL32 ref: 0000000140001F94
K32GetModuleInformation.KERNEL32 ref: 0000000140001FA8
CreateFileW.KERNELBASE ref: 0000000140001FD8
CreateFileMappingW.KERNELBASE ref: 0000000140002002
MapViewOfFile.KERNELBASE ref: 0000000140002025
lstrcmpiA.KERNEL32 ref: 000000014000207B
VirtualProtect.KERNELBASE ref: 00000001400020AE
VirtualProtect.KERNELBASE ref: 00000001400020DE
CloseHandle.KERNELBASE ref: 00000001400020E7
CloseHandle.KERNEL32 ref: 00000001400020F0
FreeLibrary.KERNEL32 ref: 00000001400020F9

Strings

C:\Windows\System32\, xrefs: 0000000140001F4F
.text, xrefs: 0000000140002074

Memory Dump Source

Source File: 00000019.00000002.1888117862.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000019.00000002.1888083299.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888155697.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888186496.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_140000000_dialer.jbxd

Similarity

API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
String ID: .text$C:\Windows\System32\
API String ID: 2721474350-832442975
Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

Function 0000000140002BF8 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
sleepfilepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140001B54: AllocateAndInitializeSid.ADVAPI32 ref: 0000000140001BA3
Part of subcall function 0000000140001B54: SetEntriesInAclW.ADVAPI32 ref: 0000000140001BEB
Part of subcall function 0000000140001B54: LocalAlloc.KERNEL32 ref: 0000000140001BFB
Part of subcall function 0000000140001B54: InitializeSecurityDescriptor.ADVAPI32 ref: 0000000140001C0F
Part of subcall function 0000000140001B54: SetSecurityDescriptorDacl.ADVAPI32 ref: 0000000140001C26
Part of subcall function 0000000140001B54: CreateNamedPipeW.KERNELBASE ref: 0000000140001C67

Sleep.KERNEL32 ref: 0000000140002C1D
ConnectNamedPipe.KERNELBASE ref: 0000000140002C2A
ReadFile.KERNEL32 ref: 0000000140002C4D
WriteFile.KERNEL32 ref: 0000000140002C7B
Sleep.KERNEL32 ref: 0000000140002C88
DisconnectNamedPipe.KERNEL32 ref: 0000000140002C91

Strings

M, xrefs: 0000000140002C6E
\\.\pipe\dialerchildproc64, xrefs: 0000000140002C05

Memory Dump Source

Source File: 00000019.00000002.1888117862.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000019.00000002.1888083299.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888155697.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888186496.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_140000000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
String ID: M$\\.\pipe\dialerchildproc64
API String ID: 2203880229-3489460547
Opcode ID: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
Opcode Fuzzy Hash: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

Function 00000001400021D0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
sleeppipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140001B54: AllocateAndInitializeSid.ADVAPI32 ref: 0000000140001BA3
Part of subcall function 0000000140001B54: SetEntriesInAclW.ADVAPI32 ref: 0000000140001BEB
Part of subcall function 0000000140001B54: LocalAlloc.KERNEL32 ref: 0000000140001BFB
Part of subcall function 0000000140001B54: InitializeSecurityDescriptor.ADVAPI32 ref: 0000000140001C0F
Part of subcall function 0000000140001B54: SetSecurityDescriptorDacl.ADVAPI32 ref: 0000000140001C26
Part of subcall function 0000000140001B54: CreateNamedPipeW.KERNELBASE ref: 0000000140001C67

Sleep.KERNEL32 ref: 00000001400021F5
ConnectNamedPipe.KERNELBASE ref: 0000000140002202
ReadFile.KERNEL32 ref: 0000000140002225
Sleep.KERNEL32 ref: 0000000140002246
DisconnectNamedPipe.KERNEL32 ref: 000000014000224F

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00000001400021DD

Memory Dump Source

Source File: 00000019.00000002.1888117862.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000019.00000002.1888083299.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888155697.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888186496.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_140000000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 2071455217-3440882674
Opcode ID: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
Opcode Fuzzy Hash: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

Function 0000000140002B38 Relevance: 9.1, APIs: 6, Instructions: 58
memorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140002B53
HeapAlloc.KERNEL32 ref: 0000000140002B67
GetProcessHeap.KERNEL32 ref: 0000000140002B70
HeapAlloc.KERNEL32 ref: 0000000140002B7E
K32EnumProcesses.KERNEL32 ref: 0000000140002B99
Sleep.KERNEL32 ref: 0000000140002BEE

Memory Dump Source

Source File: 00000019.00000002.1888117862.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000019.00000002.1888083299.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888155697.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888186496.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_140000000_dialer.jbxd

Similarity

API ID: Heap$AllocProcess$EnumProcessesSleep
String ID:
API String ID: 3676546796-0
Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

Function 00000001400018AC Relevance: 4.5, APIs: 3, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018CA
IsWow64Process.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018E0
CloseHandle.KERNELBASE(?,?,?,000000014000110E), ref: 00000001400018FB

Memory Dump Source

Source File: 00000019.00000002.1888117862.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000019.00000002.1888083299.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888155697.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888186496.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_140000000_dialer.jbxd

Similarity

API ID: Process$CloseHandleOpenWow64
String ID:
API String ID: 10462204-0
Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

Function 0000000140002258 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408

ExitProcess.KERNEL32 ref: 0000000140002263

Memory Dump Source

Source File: 00000019.00000002.1888117862.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000019.00000002.1888083299.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888155697.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888186496.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_140000000_dialer.jbxd

Similarity

API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
String ID:
API String ID: 3836936051-0
Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

Non-executed Functions

Function 0000000140002560 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 296
memoryregistryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 00000001400025E7

Part of subcall function 00000001400018AC: OpenProcess.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018CA
Part of subcall function 00000001400018AC: IsWow64Process.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018E0
Part of subcall function 00000001400018AC: CloseHandle.KERNELBASE(?,?,?,000000014000110E), ref: 00000001400018FB

Part of subcall function 00000001400010C0: OpenProcess.KERNEL32 ref: 000000014000112C
Part of subcall function 00000001400010C0: OpenProcess.KERNEL32 ref: 000000014000114B
Part of subcall function 00000001400010C0: K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001170
Part of subcall function 00000001400010C0: PathFindFileNameW.SHLWAPI ref: 000000014000117E
Part of subcall function 00000001400010C0: lstrlenW.KERNEL32 ref: 000000014000118A
Part of subcall function 00000001400010C0: StrCpyW.SHLWAPI ref: 00000001400011A1
Part of subcall function 00000001400010C0: CloseHandle.KERNEL32 ref: 00000001400011AD
Part of subcall function 00000001400010C0: StrCmpIW.SHLWAPI ref: 00000001400011E2
Part of subcall function 00000001400010C0: NtQueryInformationProcess.NTDLL ref: 0000000140001216
Part of subcall function 00000001400010C0: OpenProcessToken.ADVAPI32 ref: 0000000140001240

RegOpenKeyExW.ADVAPI32 ref: 0000000140002683
RegDeleteValueW.ADVAPI32 ref: 000000014000269B
ExitProcess.KERNEL32 ref: 00000001400026BF
GetProcessHeap.KERNEL32 ref: 00000001400026C6
HeapAlloc.KERNEL32 ref: 00000001400026D9
K32EnumProcesses.KERNEL32 ref: 00000001400026F6
ExitProcess.KERNEL32 ref: 0000000140002796

Strings

open, xrefs: 0000000140002960
dialerstager, xrefs: 0000000140002694
SOFTWARE, xrefs: 0000000140002675

Memory Dump Source

Source File: 00000019.00000002.1888117862.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000019.00000002.1888083299.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888155697.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888186496.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_140000000_dialer.jbxd

Similarity

API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
String ID: SOFTWARE$dialerstager$open
API String ID: 3276259517-3931493855
Opcode ID: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
Opcode Fuzzy Hash: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

Function 0000000140001C88 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 154
injectionthreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 0000000140001D1D
VirtualAllocEx.KERNEL32 ref: 0000000140001D4C
WriteProcessMemory.KERNEL32 ref: 0000000140001D73
WriteProcessMemory.KERNEL32 ref: 0000000140001DB2
VirtualAlloc.KERNEL32 ref: 0000000140001DE3
GetThreadContext.KERNEL32 ref: 0000000140001DFF
WriteProcessMemory.KERNEL32 ref: 0000000140001E26
SetThreadContext.KERNEL32 ref: 0000000140001E44
ResumeThread.KERNEL32 ref: 0000000140001E52
OpenProcess.KERNEL32 ref: 0000000140001E6A
TerminateProcess.KERNEL32 ref: 0000000140001E7D

Strings

@, xrefs: 0000000140001D44

Memory Dump Source

Source File: 00000019.00000002.1888117862.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000019.00000002.1888083299.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888155697.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888186496.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_140000000_dialer.jbxd

Similarity

API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
String ID: @
API String ID: 3462610200-2766056989
Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700

Function 00000001400019C4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 102
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 00000001400019E6
SysAllocString.OLEAUT32 ref: 00000001400019F6
CoInitializeEx.OLE32 ref: 0000000140001A03
CoInitializeSecurity.OLE32 ref: 0000000140001A3A
CoCreateInstance.OLE32 ref: 0000000140001A7A
VariantInit.OLEAUT32 ref: 0000000140001A8C
CoUninitialize.OLE32 ref: 0000000140001B26
SysFreeString.OLEAUT32 ref: 0000000140001B2F
SysFreeString.OLEAUT32 ref: 0000000140001B38

Strings

dialersvc64, xrefs: 00000001400019DD

Memory Dump Source

Source File: 00000019.00000002.1888117862.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000019.00000002.1888083299.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888155697.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888186496.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_140000000_dialer.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID: dialersvc64
API String ID: 4184240511-3881820561
Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300

Function 0000000140001000 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000140001034
RegDeleteKeyW.ADVAPI32 ref: 0000000140001045
RegEnumKeyExW.ADVAPI32 ref: 0000000140001082
RegCloseKey.ADVAPI32 ref: 0000000140001093
RegDeleteKeyExW.ADVAPI32 ref: 00000001400010B0

Strings

SOFTWARE\dialerconfig, xrefs: 0000000140001026, 000000014000109C

Memory Dump Source

Source File: 00000019.00000002.1888117862.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000019.00000002.1888083299.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888155697.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888186496.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_140000000_dialer.jbxd

Similarity

API ID: Delete$CloseEnumOpen
String ID: SOFTWARE\dialerconfig
API String ID: 3013565938-461861421
Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54

Function 0000000140002A90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0000000140002ACB
WriteFile.KERNEL32 ref: 0000000140002AF3
WriteFile.KERNEL32 ref: 0000000140002B16
CloseHandle.KERNEL32 ref: 0000000140002B1F

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 0000000140002AA8

Memory Dump Source

Source File: 00000019.00000002.1888117862.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000019.00000002.1888083299.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888155697.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888186496.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_140000000_dialer.jbxd

Similarity

API ID: File$Write$CloseCreateHandle
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 148219782-3440882674
Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40

Function 0000000140001914 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0000000140002138), ref: 0000000140001924
GetProcAddress.KERNEL32(?,?,00000000,0000000140002138), ref: 0000000140001937

Strings

ntdll.dll, xrefs: 000000014000191A

Memory Dump Source

Source File: 00000019.00000002.1888117862.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000019.00000002.1888083299.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888155697.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000002.1888186496.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_140000000_dialer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ntdll.dll
API String ID: 1646373207-2227199552
Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

Analysis Process: winlogon.exePID: 552, Parent PID: 8136COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	94.6%
Signature Coverage:	0%
Total number of Nodes:	112
Total number of Limit Nodes:	18

Executed Functions

Function 00000225DC641628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC641633
HeapAlloc.KERNEL32 ref: 00000225DC641642

Part of subcall function 00000225DC641268: GetProcessHeap.KERNEL32 ref: 00000225DC64126E
Part of subcall function 00000225DC641268: HeapAlloc.KERNEL32 ref: 00000225DC64127D
Part of subcall function 00000225DC641268: GetProcessHeap.KERNEL32 ref: 00000225DC641297
Part of subcall function 00000225DC641268: HeapAlloc.KERNEL32 ref: 00000225DC6412A8

RegOpenKeyExW.ADVAPI32 ref: 00000225DC6416B2
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6416DF
RegCloseKey.ADVAPI32 ref: 00000225DC6416F9
RegOpenKeyExW.ADVAPI32 ref: 00000225DC641719
RegCloseKey.ADVAPI32 ref: 00000225DC641734
RegOpenKeyExW.ADVAPI32 ref: 00000225DC641754
RegCloseKey.ADVAPI32 ref: 00000225DC64176F
RegOpenKeyExW.ADVAPI32 ref: 00000225DC64178F
RegCloseKey.ADVAPI32 ref: 00000225DC6417AA
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6417CA
RegCloseKey.ADVAPI32 ref: 00000225DC6417E5
RegOpenKeyExW.ADVAPI32 ref: 00000225DC641805
RegCloseKey.ADVAPI32 ref: 00000225DC641820
RegOpenKeyExW.ADVAPI32 ref: 00000225DC641840
RegCloseKey.ADVAPI32 ref: 00000225DC64185B
RegOpenKeyExW.ADVAPI32 ref: 00000225DC64187B
RegCloseKey.ADVAPI32 ref: 00000225DC641896
RegCloseKey.ADVAPI32 ref: 00000225DC6418A0

Part of subcall function 00000225DC6412BC: RegQueryInfoKeyW.ADVAPI32 ref: 00000225DC641319
Part of subcall function 00000225DC6412BC: GetProcessHeap.KERNEL32 ref: 00000225DC641327
Part of subcall function 00000225DC6412BC: HeapAlloc.KERNEL32 ref: 00000225DC641338
Part of subcall function 00000225DC6412BC: RegEnumValueW.ADVAPI32 ref: 00000225DC641397
Part of subcall function 00000225DC6412BC: GetProcessHeap.KERNEL32 ref: 00000225DC6413DF
Part of subcall function 00000225DC6412BC: HeapAlloc.KERNEL32 ref: 00000225DC6413ED
Part of subcall function 00000225DC6412BC: GetProcessHeap.KERNEL32 ref: 00000225DC64140A
Part of subcall function 00000225DC6412BC: HeapFree.KERNEL32 ref: 00000225DC641418
Part of subcall function 00000225DC6412BC: lstrlenW.KERNEL32 ref: 00000225DC641421
Part of subcall function 00000225DC6412BC: GetProcessHeap.KERNEL32 ref: 00000225DC64142F
Part of subcall function 00000225DC6412BC: HeapAlloc.KERNEL32 ref: 00000225DC64143D

Strings

service_names, xrefs: 00000225DC6417C3
udp, xrefs: 00000225DC641874
tcp_local, xrefs: 00000225DC6417FE
tcp_remote, xrefs: 00000225DC641839
process_names, xrefs: 00000225DC64174D
paths, xrefs: 00000225DC641788
startup, xrefs: 00000225DC6416D5
pid, xrefs: 00000225DC641712
SOFTWARE\dialerconfig, xrefs: 00000225DC641692

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 406a7c028b3c229bdc1c75f8301e19e1701b13e4dfdd540bc7c265abecc9bc67
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 47712D7E328E60A6EB109FA9E85869D33B4F784F9AF509111DE4E47B69EF34C444C740

Function 00000225DC643790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00000225DC64379E
GetCurrentProcess.KERNEL32 ref: 00000225DC6437CC
VirtualProtectEx.KERNEL32 ref: 00000225DC6437EE
GetCurrentProcess.KERNEL32 ref: 00000225DC643809
VirtualProtectEx.KERNEL32 ref: 00000225DC64382A

Strings

wr, xrefs: 00000225DC6437FF

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 5b5ece5b16f05410ef88fc7334ca4b30fcb2165cfe8f9a178b0778bd0effcbe9
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 96118B2A318F5493EF549BA9E408269B2A0FB88F86F148038DF8A03B94EF3DC505C704

Function 00000225DC645B30 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00000225DC645B6B
GetThreadContext.KERNEL32 ref: 00000225DC645CD5

Part of subcall function 00000225DC645960: GetCurrentThreadId.KERNEL32 ref: 00000225DC645964

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
Instruction ID: f245da02ec037058e9828f5728e6f8f7909b60f63258dcba4de34453af5a61e8
Opcode Fuzzy Hash: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
Instruction Fuzzy Hash: B9D1997A20CF9896DA70DB4AE49835A7BA0F7C8B85F104156EACE47BA5DF3CC541CB40

Function 00000225DC6450D0 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00000225DC645156

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
Instruction ID: ca8f9a462bd9996edb27ee4ecd3a9b3d43bbe2f9124c1ca87dd336038b8394af
Opcode Fuzzy Hash: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
Instruction Fuzzy Hash: 1102C83661DF9496EB60CB99E49436AB7A1F3C4795F104056EA8E87BA8DF7CC444CF00

Function 00000225DC6439E0 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00000225DC643A66
VirtualAlloc.KERNEL32 ref: 00000225DC643AA0

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction ID: 3d7c28a49f1379a387e1eab8d3c47744672dc9424a01523034e22865a73a9f88
Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction Fuzzy Hash: 7F31302625DE98A1EA30DB9DE05835E76A1F388B85F108575F6CF46BA8DF7CC180CB04

Function 00000225DC64328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000225DC6432AE
PathFindFileNameW.SHLWAPI ref: 00000225DC6432BD

Part of subcall function 00000225DC643844: StrCmpNIW.SHLWAPI ref: 00000225DC64385C

Part of subcall function 00000225DC643790: GetModuleHandleW.KERNEL32 ref: 00000225DC64379E
Part of subcall function 00000225DC643790: GetCurrentProcess.KERNEL32 ref: 00000225DC6437CC
Part of subcall function 00000225DC643790: VirtualProtectEx.KERNEL32 ref: 00000225DC6437EE
Part of subcall function 00000225DC643790: GetCurrentProcess.KERNEL32 ref: 00000225DC643809
Part of subcall function 00000225DC643790: VirtualProtectEx.KERNEL32 ref: 00000225DC64382A

CreateThread.KERNEL32 ref: 00000225DC64330B

Part of subcall function 00000225DC641D14: GetCurrentThread.KERNEL32 ref: 00000225DC641D1F

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 7d3d60018f90cf45d3bc6b126cf75a44508ad4678cf0a9f52ef5460c3c2565a3
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 7011C07C62CEA8B2FB619BE8F90C3993295AB54B47F50C1B4EB0781690EF78C044C240

Function 00000225DC644DF0 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00000225DC644DF4
VirtualProtect.KERNEL32 ref: 00000225DC644E37
FlushInstructionCache.KERNEL32 ref: 00000225DC644E4C

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
Instruction ID: 7e590623df8fc7209075b22fdaf8685971673eb90f371bc8902be2096d1f9670
Opcode Fuzzy Hash: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
Instruction Fuzzy Hash: 9FF03A2A21CF24D0D630DB89E44976ABBA0F788BD5F148151FA8E43B69CE3CC681CF00

Function 00000225DC61273C Relevance: 3.2, APIs: 2, Instructions: 187
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00000225DC6127DB
LoadLibraryA.KERNELBASE ref: 00000225DC61285E

Memory Dump Source

Source File: 0000001E.00000002.3237826612.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc610000_winlogon.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: b5a9ffdff3e85ff3f1f12f145a610503c53f3502f35e5ceb3ac916478b11310c
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: D261363AB02AA097DF56CF5ED00876DB392F754BA6F18C521CE5907788DA38D852C700

Function 00000225DC641ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000225DC641628: GetProcessHeap.KERNEL32 ref: 00000225DC641633
Part of subcall function 00000225DC641628: HeapAlloc.KERNEL32 ref: 00000225DC641642
Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6416B2
Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6416DF
Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6416F9
Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641719
Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641734
Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641754
Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC64176F
Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC64178F
Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6417AA
Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6417CA

Sleep.KERNEL32 ref: 00000225DC641AD7
SleepEx.KERNELBASE ref: 00000225DC641ADD

Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6417E5
Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641805
Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641820
Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641840
Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC64185B
Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC64187B
Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641896
Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6418A0

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: b89290e72799dd3975187c06206b195ef9f7eec7f326f7ac498d84b976088364
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 0731356921CE61B2FF509BAED6593A933A4AB54BC6F04D4A19E0F873E5FF30C451C210

Function 00000225DC67273C Relevance: 1.4, APIs: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00000225DC6727DB

Memory Dump Source

Source File: 0000001E.00000002.3238224914.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc670000_winlogon.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: c822286e1b467df8a310eb99b0d592360f537eec13a50740bd2f5dfddf19021e
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: A561483AB01AA0D7DB56CF9AD00876DB3A2F754BA5F18C921CF5907BC8DA38D852C700

Function 00000225DC6AD6CC Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 00000225DC6AD721

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
Instruction ID: d48ce241fd5c6b57c9d66a3839ec59588558f897ab86195e616c0656e38ee758
Opcode Fuzzy Hash: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
Instruction Fuzzy Hash: 21F05E6C301E2161FE6DDBEE995D3A552955F89B82F6CE4344D0AC67E2EE3CC481C620

Non-executed Functions

Function 00000225DC642B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00000225DC642BD0
lstrlenW.KERNEL32 ref: 00000225DC642E0A

Part of subcall function 00000225DC64199C: OpenProcess.KERNEL32 ref: 00000225DC6419C2
Part of subcall function 00000225DC64199C: K32GetModuleFileNameExW.KERNEL32 ref: 00000225DC6419E0
Part of subcall function 00000225DC64199C: PathFindFileNameW.SHLWAPI ref: 00000225DC6419EF
Part of subcall function 00000225DC64199C: lstrlenW.KERNEL32 ref: 00000225DC6419FB
Part of subcall function 00000225DC64199C: StrCpyW.SHLWAPI ref: 00000225DC641A0E
Part of subcall function 00000225DC64199C: CloseHandle.KERNEL32 ref: 00000225DC641A1C

GetProcAddress.KERNEL32 ref: 00000225DC642BE5

Part of subcall function 00000225DC64152C: StrCmpIW.SHLWAPI ref: 00000225DC64155D

Part of subcall function 00000225DC643844: StrCmpNIW.SHLWAPI ref: 00000225DC64385C

StrCmpNIW.SHLWAPI ref: 00000225DC642C28
lstrlenW.KERNEL32 ref: 00000225DC642D50

Strings

NtQueryObject, xrefs: 00000225DC642BDB
ntdll.dll, xrefs: 00000225DC642BC9
\Device\Nsi, xrefs: 00000225DC642C1B

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: 02e5d621d8295eb5dd385e75f9606a0c78f62cf6da70878d64f9e7b1c174dd69
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: DCB1B47A21CE60A6EB968FEDC4487A973A5F744B8AF24D056DE0A53B94DF34CC41C340

Function 00000225DC6A2B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00000225DC6A2BD0
lstrlenW.KERNEL32 ref: 00000225DC6A2E0A

Part of subcall function 00000225DC6A199C: OpenProcess.KERNEL32 ref: 00000225DC6A19C2
Part of subcall function 00000225DC6A199C: K32GetModuleFileNameExW.KERNEL32 ref: 00000225DC6A19E0
Part of subcall function 00000225DC6A199C: PathFindFileNameW.SHLWAPI ref: 00000225DC6A19EF
Part of subcall function 00000225DC6A199C: lstrlenW.KERNEL32 ref: 00000225DC6A19FB
Part of subcall function 00000225DC6A199C: StrCpyW.SHLWAPI ref: 00000225DC6A1A0E
Part of subcall function 00000225DC6A199C: CloseHandle.KERNEL32 ref: 00000225DC6A1A1C

GetProcAddress.KERNEL32 ref: 00000225DC6A2BE5

Part of subcall function 00000225DC6A152C: StrCmpIW.SHLWAPI ref: 00000225DC6A155D

Part of subcall function 00000225DC6A3844: StrCmpNIW.SHLWAPI ref: 00000225DC6A385C

StrCmpNIW.SHLWAPI ref: 00000225DC6A2C28
lstrlenW.KERNEL32 ref: 00000225DC6A2D50

Strings

NtQueryObject, xrefs: 00000225DC6A2BDB
\Device\Nsi, xrefs: 00000225DC6A2C1B
ntdll.dll, xrefs: 00000225DC6A2BC9

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: 8b409eee056ac65ba81e46254c59d85845063fb26c80b4bd130284c66f771075
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 96B1B37A290E60A2EBAADFADC44876963A5F744B86F24D016DE0DD3B95DF35CC81C340

Function 00000225DC647D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000225DC647DAC
RtlCaptureContext.NTDLL ref: 00000225DC647DD9
RtlLookupFunctionEntry.NTDLL ref: 00000225DC647DF3
RtlVirtualUnwind.NTDLL ref: 00000225DC647E34
IsDebuggerPresent.KERNEL32 ref: 00000225DC647E88
SetUnhandledExceptionFilter.KERNEL32 ref: 00000225DC647EA9
UnhandledExceptionFilter.KERNEL32 ref: 00000225DC647EB4

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: a0dd4a3191c2f22ec65cd5f9c7d8c34c65d38d6a3a9ca6151c6be4ce44add157
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 29318376219F909AEB609FA4E8447ED73A0F784745F44812ADB4E57B94EF38C548CB10

Function 00000225DC6A7D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000225DC6A7DAC
RtlCaptureContext.NTDLL ref: 00000225DC6A7DD9
RtlLookupFunctionEntry.NTDLL ref: 00000225DC6A7DF3
RtlVirtualUnwind.NTDLL ref: 00000225DC6A7E34
IsDebuggerPresent.KERNEL32 ref: 00000225DC6A7E88
SetUnhandledExceptionFilter.KERNEL32 ref: 00000225DC6A7EA9
UnhandledExceptionFilter.KERNEL32 ref: 00000225DC6A7EB4

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: 3b87e895a044953073a839ffa4b4feaece301703ffc135d08af6657be6a0d668
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 14317276205F9099EB64DFA4E8443EE73A1F78474AF448029DB4E57B94EF38C548CB10

Function 00000225DC64D2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000225DC64D31D
RtlLookupFunctionEntry.NTDLL ref: 00000225DC64D335
RtlVirtualUnwind.NTDLL ref: 00000225DC64D370
IsDebuggerPresent.KERNEL32 ref: 00000225DC64D3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 00000225DC64D3B3
UnhandledExceptionFilter.KERNEL32 ref: 00000225DC64D3BE

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: f4e1f7a423249601853f9bf4c02ae152ed9a85bcd9bd447fde6e0ecec31a17ad
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 1531C73A218F90A6DB60DFA9E8443EE73A0F789755F504126EB9E43B94DF38C145CB00

Function 00000225DC6AD2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000225DC6AD31D
RtlLookupFunctionEntry.NTDLL ref: 00000225DC6AD335
RtlVirtualUnwind.NTDLL ref: 00000225DC6AD370
IsDebuggerPresent.KERNEL32 ref: 00000225DC6AD3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 00000225DC6AD3B3
UnhandledExceptionFilter.KERNEL32 ref: 00000225DC6AD3BE

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 4dbdfab791ea173b22a2c1feee1540d37dae8e72db698209205baee473c09c96
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 7631C93A214F90A6EB64CFA9E8443DE73A0F789756F504126EB9D43B54DF38C145CB00

Function 00000225DC647960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000225DC64798C
GetCurrentThreadId.KERNEL32 ref: 00000225DC64799A
GetCurrentProcessId.KERNEL32 ref: 00000225DC6479A6
QueryPerformanceCounter.KERNEL32 ref: 00000225DC6479B6

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: d33dc497d620ec2850d47fa6d7599d0f75ef197f864d2f2ea1a1538dcd62ba05
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 54113026714F119AEF50CFE8E8593A833A4F719759F440E21DB6D467A4DF78C1A8C380

Function 00000225DC64DCE0 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
Instruction ID: 712154813c46b612020be7a143dde11e41283ee14142f5bab4be78c3f0fa479c
Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
Instruction Fuzzy Hash: 11511A26B0CBA0A9FB20DBBAE84879E7BA1F740BD5F148155EE5927B95DB38C001C700

Function 00000225DC6ADCE0 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
Instruction ID: da0f1b53d22c38e7f028f1682345193667a56556076439a06e8349e4d1e3cf91
Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
Instruction Fuzzy Hash: 3C510926700FE0A9FB20DFBAA84879E7BA5F7447D5F248114EE58A7B95DB38C411C700

Function 00000225DC6236F0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.3237826612.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc610000_winlogon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
Instruction ID: fee74b632db8da7adfbcef3e822971e4130eb4171b3ad2da802a4781d9383549
Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
Instruction Fuzzy Hash: EAF062B57146A49EDBA98F6CA80671A77E1F308381FD4C029D68983B04D33C8061CF04

Function 00000225DC6A1628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC6A1633
HeapAlloc.KERNEL32 ref: 00000225DC6A1642

Part of subcall function 00000225DC6A1268: GetProcessHeap.KERNEL32 ref: 00000225DC6A126E
Part of subcall function 00000225DC6A1268: HeapAlloc.KERNEL32 ref: 00000225DC6A127D
Part of subcall function 00000225DC6A1268: GetProcessHeap.KERNEL32 ref: 00000225DC6A1297
Part of subcall function 00000225DC6A1268: HeapAlloc.KERNEL32 ref: 00000225DC6A12A8

RegOpenKeyExW.ADVAPI32 ref: 00000225DC6A16B2
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6A16DF
RegCloseKey.ADVAPI32 ref: 00000225DC6A16F9
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6A1719
RegCloseKey.ADVAPI32 ref: 00000225DC6A1734
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6A1754
RegCloseKey.ADVAPI32 ref: 00000225DC6A176F
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6A178F
RegCloseKey.ADVAPI32 ref: 00000225DC6A17AA
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6A17CA
RegCloseKey.ADVAPI32 ref: 00000225DC6A17E5
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6A1805
RegCloseKey.ADVAPI32 ref: 00000225DC6A1820
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6A1840
RegCloseKey.ADVAPI32 ref: 00000225DC6A185B
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6A187B
RegCloseKey.ADVAPI32 ref: 00000225DC6A1896
RegCloseKey.ADVAPI32 ref: 00000225DC6A18A0

Part of subcall function 00000225DC6A12BC: RegQueryInfoKeyW.ADVAPI32 ref: 00000225DC6A1319
Part of subcall function 00000225DC6A12BC: GetProcessHeap.KERNEL32 ref: 00000225DC6A1327
Part of subcall function 00000225DC6A12BC: HeapAlloc.KERNEL32 ref: 00000225DC6A1338
Part of subcall function 00000225DC6A12BC: RegEnumValueW.ADVAPI32 ref: 00000225DC6A1397
Part of subcall function 00000225DC6A12BC: GetProcessHeap.KERNEL32 ref: 00000225DC6A13DF
Part of subcall function 00000225DC6A12BC: HeapAlloc.KERNEL32 ref: 00000225DC6A13ED
Part of subcall function 00000225DC6A12BC: GetProcessHeap.KERNEL32 ref: 00000225DC6A140A
Part of subcall function 00000225DC6A12BC: HeapFree.KERNEL32 ref: 00000225DC6A1418
Part of subcall function 00000225DC6A12BC: lstrlenW.KERNEL32 ref: 00000225DC6A1421
Part of subcall function 00000225DC6A12BC: GetProcessHeap.KERNEL32 ref: 00000225DC6A142F
Part of subcall function 00000225DC6A12BC: HeapAlloc.KERNEL32 ref: 00000225DC6A143D

Strings

tcp_local, xrefs: 00000225DC6A17FE
startup, xrefs: 00000225DC6A16D5
SOFTWARE\dialerconfig, xrefs: 00000225DC6A1692
service_names, xrefs: 00000225DC6A17C3
process_names, xrefs: 00000225DC6A174D
udp, xrefs: 00000225DC6A1874
pid, xrefs: 00000225DC6A1712
paths, xrefs: 00000225DC6A1788
tcp_remote, xrefs: 00000225DC6A1839

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 545a197093dbf33f1111aaff3c94dd347963510d91bf182c1d2d2b3e49a62449
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 1B71FE7A314E24E6EB10DFAAE85869D33B5FB84B8AF109111DE4E97B69DF38C444C740

Function 00000225DC6412BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000225DC641319
GetProcessHeap.KERNEL32 ref: 00000225DC641327
HeapAlloc.KERNEL32 ref: 00000225DC641338
RegEnumValueW.ADVAPI32 ref: 00000225DC641397

Part of subcall function 00000225DC64152C: StrCmpIW.SHLWAPI ref: 00000225DC64155D

GetProcessHeap.KERNEL32 ref: 00000225DC6413DF
HeapAlloc.KERNEL32 ref: 00000225DC6413ED
GetProcessHeap.KERNEL32 ref: 00000225DC64140A
HeapFree.KERNEL32 ref: 00000225DC641418
lstrlenW.KERNEL32 ref: 00000225DC641421
GetProcessHeap.KERNEL32 ref: 00000225DC64142F
HeapAlloc.KERNEL32 ref: 00000225DC64143D
StrCpyW.SHLWAPI ref: 00000225DC64145F
GetProcessHeap.KERNEL32 ref: 00000225DC641476
HeapFree.KERNEL32 ref: 00000225DC641484

Strings

d, xrefs: 00000225DC64135A

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: fb1b484c7ebee393b1b53cdd5cd81ac2c1ca147a5507fda1b24fca473b782784
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: 46515E7A214F9496EB64CFAAE54836A77A1F789F9AF148124DF4A07B58DF3CC045C700

Function 00000225DC6A12BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000225DC6A1319
GetProcessHeap.KERNEL32 ref: 00000225DC6A1327
HeapAlloc.KERNEL32 ref: 00000225DC6A1338
RegEnumValueW.ADVAPI32 ref: 00000225DC6A1397

Part of subcall function 00000225DC6A152C: StrCmpIW.SHLWAPI ref: 00000225DC6A155D

GetProcessHeap.KERNEL32 ref: 00000225DC6A13DF
HeapAlloc.KERNEL32 ref: 00000225DC6A13ED
GetProcessHeap.KERNEL32 ref: 00000225DC6A140A
HeapFree.KERNEL32 ref: 00000225DC6A1418
lstrlenW.KERNEL32 ref: 00000225DC6A1421
GetProcessHeap.KERNEL32 ref: 00000225DC6A142F
HeapAlloc.KERNEL32 ref: 00000225DC6A143D
StrCpyW.SHLWAPI ref: 00000225DC6A145F
GetProcessHeap.KERNEL32 ref: 00000225DC6A1476
HeapFree.KERNEL32 ref: 00000225DC6A1484

Strings

d, xrefs: 00000225DC6A135A

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: d2d635d82ad37731a82d28168a5eda6b08545a77464cd3cb2b7161adfafd8aad
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: 22516C7A200F94DAEB54CFAAE54835A77A6F789F9AF148124DE4A47728DF3CC049C700

Function 00000225DC641D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00000225DC641D1F

Part of subcall function 00000225DC641FD4: GetModuleHandleA.KERNEL32 ref: 00000225DC641FEC
Part of subcall function 00000225DC641FD4: GetProcAddress.KERNEL32 ref: 00000225DC641FFD

Part of subcall function 00000225DC645B30: GetCurrentThreadId.KERNEL32 ref: 00000225DC645B6B

Strings

NtDeviceIoControlFile, xrefs: 00000225DC641E56
NtQuerySystemInformation, xrefs: 00000225DC641D45
NtQueryDirectoryFileEx, xrefs: 00000225DC641D9C
advapi32.dll, xrefs: 00000225DC641DF7, 00000225DC641E18
NtEnumerateKey, xrefs: 00000225DC641DB9
NtEnumerateValueKey, xrefs: 00000225DC641DD6
NtResumeThread, xrefs: 00000225DC641D62
sechost.dll, xrefs: 00000225DC641E39
NtQueryDirectoryFile, xrefs: 00000225DC641D7F
EnumServiceGroupW, xrefs: 00000225DC641DF0
ntdll.dll, xrefs: 00000225DC641D2D
EnumServicesStatusExW, xrefs: 00000225DC641E11, 00000225DC641E32

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: 52c27ab1b4cc8d1b0b7a026bbb00d0580f7e8789e5eca17ee175a033894297e0
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: 9231B8AC518DAAB0EB46EFEDE9597D43361B70434BF90D093940B025B1AF38828AC350

Function 00000225DC6A1D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00000225DC6A1D1F

Part of subcall function 00000225DC6A1FD4: GetModuleHandleA.KERNEL32 ref: 00000225DC6A1FEC
Part of subcall function 00000225DC6A1FD4: GetProcAddress.KERNEL32 ref: 00000225DC6A1FFD

Part of subcall function 00000225DC6A5B30: GetCurrentThreadId.KERNEL32 ref: 00000225DC6A5B6B

Strings

NtEnumerateValueKey, xrefs: 00000225DC6A1DD6
EnumServiceGroupW, xrefs: 00000225DC6A1DF0
NtEnumerateKey, xrefs: 00000225DC6A1DB9
advapi32.dll, xrefs: 00000225DC6A1DF7, 00000225DC6A1E18
EnumServicesStatusExW, xrefs: 00000225DC6A1E11, 00000225DC6A1E32
NtDeviceIoControlFile, xrefs: 00000225DC6A1E56
NtQueryDirectoryFileEx, xrefs: 00000225DC6A1D9C
NtQueryDirectoryFile, xrefs: 00000225DC6A1D7F
ntdll.dll, xrefs: 00000225DC6A1D2D
NtResumeThread, xrefs: 00000225DC6A1D62
sechost.dll, xrefs: 00000225DC6A1E39
NtQuerySystemInformation, xrefs: 00000225DC6A1D45

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: bae3e35cc23bdf7e795311711b41c652c83ad71068a264824faefe60a6291ab9
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: 583195AC240D6AB0EA46EFEDE8697D46361B70474BF94D023D80986675EF3CC249C350

Function 00000225DC616910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000225DC616938
__scrt_acquire_startup_lock.LIBCMT ref: 00000225DC61698A
_RTC_Initialize.LIBCMT ref: 00000225DC6169B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000225DC6169DE
__scrt_release_startup_lock.LIBCMT ref: 00000225DC616A09

Strings

scriptor', xrefs: 00000225DC616B39, 00000225DC616BB2, 00000225DC616BEC
`eh vector vbase copy constructor iterator', xrefs: 00000225DC6169EE
`eh vector copy constructor iterator', xrefs: 00000225DC616A3B
`dynamic initializer for ', xrefs: 00000225DC6169C7

Memory Dump Source

Source File: 0000001E.00000002.3237826612.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc610000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 7539ecd07ed9e19813cea4b70ed8e4e8e5b401edcb5cd18e99020899339b4ff2
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: DF81122D702E71A6FE60EBED944D35962E0EB95783F18C425AB4983797EF38C946C700

Function 00000225DC676910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000225DC676938
__scrt_acquire_startup_lock.LIBCMT ref: 00000225DC67698A
_RTC_Initialize.LIBCMT ref: 00000225DC6769B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000225DC6769DE
__scrt_release_startup_lock.LIBCMT ref: 00000225DC676A09

Strings

`eh vector vbase copy constructor iterator', xrefs: 00000225DC6769EE
scriptor', xrefs: 00000225DC676B39, 00000225DC676BB2, 00000225DC676BEC
`dynamic initializer for ', xrefs: 00000225DC6769C7
`eh vector copy constructor iterator', xrefs: 00000225DC676A3B

Memory Dump Source

Source File: 0000001E.00000002.3238224914.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc670000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 22cde9f525fffbeb1c6e8d8417a217ee6af8dab08b44ae11a5e6f92b2a2e472d
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 5581E26D710E61A6FA54EBEE944D35923D0EB85B82F58C8259B0947FD7EF38C846CB00

Function 00000225DC64CE28 Relevance: 18.1, APIs: 12, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000225DC64CE37
FlsGetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CE4C
FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CE6D
FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CE9A
FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CEAB
FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CEBC
SetLastError.KERNEL32 ref: 00000225DC64CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF0D
FlsSetValue.KERNEL32(?,?,00000001,00000225DC64ECCC,?,?,?,?,00000225DC64BF9F,?,?,?,?,?,00000225DC647AB0), ref: 00000225DC64CF2C

Part of subcall function 00000225DC64D6CC: HeapAlloc.KERNEL32 ref: 00000225DC64D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF54

Part of subcall function 00000225DC64D744: HeapFree.KERNEL32 ref: 00000225DC64D75A
Part of subcall function 00000225DC64D744: GetLastError.KERNEL32 ref: 00000225DC64D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF76

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: c96d39c070731bccc58dc25472949b9c8324ede58aceb138708ddbc32eb2cb43
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: 3B41AB2C34CE64B6FE68A7FD955D36932825F857B2F24C7A4A937467E6DF388442C200

Function 00000225DC6ACE28 Relevance: 18.1, APIs: 12, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000225DC6ACE37
FlsGetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACE4C
FlsSetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACE6D
FlsSetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACE9A
FlsSetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACEAB
FlsSetValue.KERNEL32(?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACEBC
SetLastError.KERNEL32 ref: 00000225DC6ACED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACF0D
FlsSetValue.KERNEL32(?,?,00000001,00000225DC6AECCC,?,?,?,?,00000225DC6ABF9F,?,?,?,?,?,00000225DC6A7AB0), ref: 00000225DC6ACF2C

Part of subcall function 00000225DC6AD6CC: HeapAlloc.KERNEL32 ref: 00000225DC6AD721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACF54

Part of subcall function 00000225DC6AD744: HeapFree.KERNEL32 ref: 00000225DC6AD75A
Part of subcall function 00000225DC6AD744: GetLastError.KERNEL32 ref: 00000225DC6AD764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC6B0A6B,?,?,?,00000225DC6B045C,?,?,?,00000225DC6AC84F), ref: 00000225DC6ACF76

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 16b8eac9f94798cf318e2989be29cf1ddfaa1c447e8d99b4c7a956a79ddaff1c
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: 47415868300E6472FE68EBFD565D36922826F887B2F34C724A936C77E6DE39D441D201

Function 00000225DC642244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000225DC642259
GetCurrentProcessId.KERNEL32 ref: 00000225DC642263

Part of subcall function 00000225DC641934: OpenProcess.KERNEL32 ref: 00000225DC641952
Part of subcall function 00000225DC641934: IsWow64Process.KERNEL32 ref: 00000225DC641968
Part of subcall function 00000225DC641934: CloseHandle.KERNEL32 ref: 00000225DC641983

CreateFileW.KERNEL32 ref: 00000225DC6422BC
WriteFile.KERNEL32 ref: 00000225DC6422E4
ReadFile.KERNEL32 ref: 00000225DC642303
CloseHandle.KERNEL32 ref: 00000225DC64230C

Strings

\\.\pipe\dialerchildproc32, xrefs: 00000225DC642293
\\.\pipe\dialerchildproc64, xrefs: 00000225DC64228C

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 1de5ddcc8f1dfc1167620b25f9dc58926eb66b08d3309719a253bb24b32ba1e0
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 8E215679628F5093F710CBA9F54835977A1F785796F608215DB5903BA4CF7CC145CB00

Function 00000225DC6A2244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000225DC6A2259
GetCurrentProcessId.KERNEL32 ref: 00000225DC6A2263

Part of subcall function 00000225DC6A1934: OpenProcess.KERNEL32 ref: 00000225DC6A1952
Part of subcall function 00000225DC6A1934: IsWow64Process.KERNEL32 ref: 00000225DC6A1968
Part of subcall function 00000225DC6A1934: CloseHandle.KERNEL32 ref: 00000225DC6A1983

CreateFileW.KERNEL32 ref: 00000225DC6A22BC
WriteFile.KERNEL32 ref: 00000225DC6A22E4
ReadFile.KERNEL32 ref: 00000225DC6A2303
CloseHandle.KERNEL32 ref: 00000225DC6A230C

Strings

\\.\pipe\dialerchildproc32, xrefs: 00000225DC6A2293
\\.\pipe\dialerchildproc64, xrefs: 00000225DC6A228C

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 123304303fb7c22e5d95d7b69af9060bb35e9dacbc8375ccdc98a975ab60097a
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 71217F7A614B6092FB14CBA9F54835973A1F789BA6F508215EB5943BA8CF7CC149CB00

Function 00000225DC64A544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000225DC64A5A1

Part of subcall function 00000225DC64B414: __GetUnwindTryBlock.LIBCMT ref: 00000225DC64B457
Part of subcall function 00000225DC64B414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000225DC64B47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000225DC64A679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000225DC64A8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 00000225DC64A9DA

Strings

csm, xrefs: 00000225DC64A69C
csm, xrefs: 00000225DC64A5BB
csm, xrefs: 00000225DC64A622

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: bf4187be2395a619f89a1bc8f3fca4df6631bddcfcdd61a4c67bb6d669326bcb
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 65E1A47A60CF60AAFB60DFA9D44839D77A4F745799F208155EE8A57B9ACB34C082C700

Function 00000225DC619944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000225DC6199A1

Part of subcall function 00000225DC61A814: __GetUnwindTryBlock.LIBCMT ref: 00000225DC61A857
Part of subcall function 00000225DC61A814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000225DC61A87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000225DC619A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000225DC619CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 00000225DC619DDA

Strings

csm, xrefs: 00000225DC6199BB
csm, xrefs: 00000225DC619A22
csm, xrefs: 00000225DC619A9C

Memory Dump Source

Source File: 0000001E.00000002.3237826612.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc610000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: ccd8efdbd64409059a3f17658d38d7afc50ea8cd74631e28eb6d2bb9e49f1cd4
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: F3E1D37A602F609AEF60DFA9D48839D77E0F749B8BF108115EE8947B99CB34C592C700

Function 00000225DC679944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000225DC6799A1

Part of subcall function 00000225DC67A814: __GetUnwindTryBlock.LIBCMT ref: 00000225DC67A857
Part of subcall function 00000225DC67A814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000225DC67A87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000225DC679A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000225DC679CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 00000225DC679DDA

Strings

csm, xrefs: 00000225DC6799BB
csm, xrefs: 00000225DC679A9C
csm, xrefs: 00000225DC679A22

Memory Dump Source

Source File: 0000001E.00000002.3238224914.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc670000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 79a22f26d4f7f371d14ec50af5f62361132822db574cad1d617c9f743099e6d3
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 18E1C17A600F609AEB60DFA9D48839D77E0F749B9AF108915EE8957FD9CB34C492C700

Function 00000225DC6AA544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000225DC6AA5A1

Part of subcall function 00000225DC6AB414: __GetUnwindTryBlock.LIBCMT ref: 00000225DC6AB457
Part of subcall function 00000225DC6AB414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000225DC6AB47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000225DC6AA679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000225DC6AA8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 00000225DC6AA9DA

Strings

csm, xrefs: 00000225DC6AA622
csm, xrefs: 00000225DC6AA69C
csm, xrefs: 00000225DC6AA5BB

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: 555fb57b5e2f5e687e313f4fed1146f863cabed64c72fa6e629389c121d24878
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 23E1C77A604F50AAFB60DFADD44839D77A0F745799F309116EE8997B9ACB34C182CB00

Function 00000225DC64F394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00000225DC64F510
GetProcAddress.KERNEL32 ref: 00000225DC64F51C

Strings

api-ms-, xrefs: 00000225DC64F45A
ext-ms-, xrefs: 00000225DC64F46D

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: 4194e3e7209c85e71950454c05d0e0ffaf74f2fe4e207fa6d649fb1745087b51
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: E541F42A32DE20B1EB56CBEEA9087553391BB49BE2F15C125AD0F87785EF38C445C315

Function 00000225DC6AF394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00000225DC6AF510
GetProcAddress.KERNEL32 ref: 00000225DC6AF51C

Strings

ext-ms-, xrefs: 00000225DC6AF46D
api-ms-, xrefs: 00000225DC6AF45A

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: 17cc71c834340602f80b56e8e75482b2e164db3fe2ea15b9f73ab924f287fe61
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: 4A41C22A311F20A5FB16CBAEA9087553391FB45BA2F258129AE0EC7785EF38C445C316

Function 00000225DC64104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000225DC6410B1
RegEnumValueW.ADVAPI32 ref: 00000225DC641117
GetProcessHeap.KERNEL32 ref: 00000225DC64115A
HeapAlloc.KERNEL32 ref: 00000225DC641168
GetProcessHeap.KERNEL32 ref: 00000225DC641185
HeapFree.KERNEL32 ref: 00000225DC641193

Strings

d, xrefs: 00000225DC6410D6

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: d1ef6154134f3d25a2e3b62082cc3c12da5f52964662e2438e80bc3b6bcb4469
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: B6418077218F94D6E760CFA5E44879E77A1F388B99F148129DB8A07B58DF38C449CB00

Function 00000225DC6A104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000225DC6A10B1
RegEnumValueW.ADVAPI32 ref: 00000225DC6A1117
GetProcessHeap.KERNEL32 ref: 00000225DC6A115A
HeapAlloc.KERNEL32 ref: 00000225DC6A1168
GetProcessHeap.KERNEL32 ref: 00000225DC6A1185
HeapFree.KERNEL32 ref: 00000225DC6A1193

Strings

d, xrefs: 00000225DC6A10D6

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: 5a3c0a9bbafb0f78905138bbf46c57f4a34e7ddab14eac61c3c20f9c737e8ad5
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: 9B418077214F94D6E764CFA5E44839E77A1F388B9AF148129DB8947B58DF38C849CB00

Function 00000225DC64D068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D087
FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0A6
FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0CE
FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0DF
FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0F0

Strings

Y%, xrefs: 00000225DC64D0A6
1%, xrefs: 00000225DC64D0CE

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: be52c68ba33939f5a848b29d9d21d48e408fdab80177f021fac5a07cf6ddf0ee
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: C111B628B0CE64A1FE6897BED55D32971415B557F2F14C3A4A87B477DADE78C442C200

Function 00000225DC6AD068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD087
FlsSetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD0A6
FlsSetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD0CE
FlsSetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD0DF
FlsSetValue.KERNEL32(?,?,?,00000225DC6AC7DE,?,?,?,?,?,?,?,?,00000225DC6ACF9D,?,?,00000001), ref: 00000225DC6AD0F0

Strings

1%, xrefs: 00000225DC6AD0CE
Y%, xrefs: 00000225DC6AD0A6

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: 2022ee20624ae9fac7997fd3bf5dc1645fffc08433487f268156f8275001b495
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: 6911C468700F6461FA68EBFE5A5D36961415F543F2F34D324A83AC77EADE78C842C201

Function 00000225DC647510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000225DC647538
__scrt_acquire_startup_lock.LIBCMT ref: 00000225DC64758A
_RTC_Initialize.LIBCMT ref: 00000225DC6475B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000225DC6475DE
__scrt_release_startup_lock.LIBCMT ref: 00000225DC647609

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: a54115b046e8042141df28d7bb05dcfe8318faa30d7cb3b304a9c15ab40c91e6
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 0281362C61CE31AAFB54ABEDA44C39937D1E785782F14C4A4DA0B877A6DB38C845CF00

Function 00000225DC6A7510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000225DC6A7538
__scrt_acquire_startup_lock.LIBCMT ref: 00000225DC6A758A
_RTC_Initialize.LIBCMT ref: 00000225DC6A75B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000225DC6A75DE
__scrt_release_startup_lock.LIBCMT ref: 00000225DC6A7609

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: f6d16694de95954a0b883b7a0c824403c85fe028b68c945db90d9150eb585885
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: CF81D22D700E21B6FB54EBEDA84D39966D1AB8578BF34D425DA04C77A6DB38C845CF00

Function 00000225DC649DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00000225DC649E49
GetLastError.KERNEL32 ref: 00000225DC649E57
LoadLibraryExW.KERNEL32 ref: 00000225DC649E81
FreeLibrary.KERNEL32 ref: 00000225DC649EC7
GetProcAddress.KERNEL32 ref: 00000225DC649ED3

Strings

api-ms-, xrefs: 00000225DC649E69

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 1846bb63d11909a53191b25e77548844483a8de6adc9bd3f24389271b0a95010
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 2131E62935EE60F1EE21DBCAA408B653398BB48BA6F5985259D1F0B798DF39C447C300

Function 00000225DC6A9DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00000225DC6A9E49
GetLastError.KERNEL32 ref: 00000225DC6A9E57
LoadLibraryExW.KERNEL32 ref: 00000225DC6A9E81
FreeLibrary.KERNEL32 ref: 00000225DC6A9EC7
GetProcAddress.KERNEL32 ref: 00000225DC6A9ED3

Strings

api-ms-, xrefs: 00000225DC6A9E69

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 0f4212df039294fefdde6ff96b437b18f0d6b6311749627e01e145e3100ab471
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: F431F429312E20F1EE25DBCAA80875523D4BF48BA2F3985259D1E8B79ADF38C047C300

Function 00000225DC653DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000225DC653DE5
GetLastError.KERNEL32 ref: 00000225DC653DF1
CloseHandle.KERNEL32 ref: 00000225DC653E09
CreateFileW.KERNEL32 ref: 00000225DC653E34
WriteConsoleW.KERNEL32 ref: 00000225DC653E53

Strings

CONOUT$, xrefs: 00000225DC653E15

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: 158becd88709c9cbcacd230cd8387edf0a13bed790f97ee48f9835d8b457c441
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 5A119135720F6096E7608BDAE84831977A0F788FE6F248225EB5E877A4CF78C914C740

Function 00000225DC6B3DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000225DC6B3DE5
GetLastError.KERNEL32 ref: 00000225DC6B3DF1
CloseHandle.KERNEL32 ref: 00000225DC6B3E09
CreateFileW.KERNEL32 ref: 00000225DC6B3E34
WriteConsoleW.KERNEL32 ref: 00000225DC6B3E53

Strings

CONOUT$, xrefs: 00000225DC6B3E15

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: 6e1e93a200b7bd570fa0b190f4c403581b2cb531a58d9972e87f4823fb88df5f
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 1E11BC35310FA096E7508B9AE848319B7A5F388FE7F088225EB1E877A4CF38C805C740

Function 00000225DC6A3790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000225DC6A379E
GetCurrentProcess.KERNEL32 ref: 00000225DC6A37CC
VirtualProtectEx.KERNEL32 ref: 00000225DC6A37EE
GetCurrentProcess.KERNEL32 ref: 00000225DC6A3809
VirtualProtectEx.KERNEL32 ref: 00000225DC6A382A

Strings

wr, xrefs: 00000225DC6A37FF

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 5626651945d5fb8906f413eb53f91b70d6605e573597d601334c82dde5c84599
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 40118B2A304F6092EF189BAAE40C269B3A5FB88F86F148038DF8943794EF3DC505C704

Function 00000225DC6A5B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000225DC6A5B6B
GetThreadContext.KERNEL32 ref: 00000225DC6A5CD5

Part of subcall function 00000225DC6A5960: GetCurrentThreadId.KERNEL32 ref: 00000225DC6A5964

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: 0ad3d618e1835294593f6452ab590f590bc81cd41d15a12307719c1f0daf2064
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: C9D1AC7A208F9895DB70DB4AE49435A7BA0F7C8B89F104116EACD87BA9DF3CC551CB40

Function 00000225DC642F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC642F27
HeapAlloc.KERNEL32 ref: 00000225DC642F3A
StrCmpNIW.SHLWAPI ref: 00000225DC642FAF
GetProcessHeap.KERNEL32 ref: 00000225DC643015
HeapFree.KERNEL32 ref: 00000225DC643023

Strings

dialer, xrefs: 00000225DC642FA8

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 2e98920b3895b546e8cfee93848436d20f1d91fbd890dc42e4983bef65e91d92
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: 9131CE2A309F65A2EB52CFDEE54872A77A0FB44B86F18C1209F4A47B55EF34C4A1C300

Function 00000225DC6A2F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC6A2F27
HeapAlloc.KERNEL32 ref: 00000225DC6A2F3A
StrCmpNIW.SHLWAPI ref: 00000225DC6A2FAF
GetProcessHeap.KERNEL32 ref: 00000225DC6A3015
HeapFree.KERNEL32 ref: 00000225DC6A3023

Strings

dialer, xrefs: 00000225DC6A2FA8

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 6d0a1707391fcb5c153528b149007a8a8c9fe1f40df049437015618af4cf0edf
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: 5E31B23A781F61A2EA15CF9EE54876967A1FB48B86F18C0309F4C87B55EF34D4A1C300

Function 00000225DC64CFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000225DC64CFAF
FlsSetValue.KERNEL32(?,?,?,00000225DC64D6B5,?,?,?,?,00000225DC64D778), ref: 00000225DC64CFE5
FlsSetValue.KERNEL32(?,?,?,00000225DC64D6B5,?,?,?,?,00000225DC64D778), ref: 00000225DC64D012
FlsSetValue.KERNEL32(?,?,?,00000225DC64D6B5,?,?,?,?,00000225DC64D778), ref: 00000225DC64D023
FlsSetValue.KERNEL32(?,?,?,00000225DC64D6B5,?,?,?,?,00000225DC64D778), ref: 00000225DC64D034
SetLastError.KERNEL32 ref: 00000225DC64D04F

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 4157702fcb9233f49a77c46e803b27685ba528657f510afb3a862d3f666b09f6
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: B3119D2874CE6071FE64ABFE954D32932426B95BB6F10C3A4A837477EADE78C441C200

Function 00000225DC6ACFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000225DC6ACFAF
FlsSetValue.KERNEL32(?,?,?,00000225DC6AD6B5,?,?,?,?,00000225DC6AD778), ref: 00000225DC6ACFE5
FlsSetValue.KERNEL32(?,?,?,00000225DC6AD6B5,?,?,?,?,00000225DC6AD778), ref: 00000225DC6AD012
FlsSetValue.KERNEL32(?,?,?,00000225DC6AD6B5,?,?,?,?,00000225DC6AD778), ref: 00000225DC6AD023
FlsSetValue.KERNEL32(?,?,?,00000225DC6AD6B5,?,?,?,?,00000225DC6AD778), ref: 00000225DC6AD034
SetLastError.KERNEL32 ref: 00000225DC6AD04F

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 6f9918c3cbd4a8341a5960baa032c6c80083ab5fabd7ed8650c6535314c37da2
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: B9119D68300E6061FA68EBFE564D32922426F987B6F30C324A836C77EADE78C441C201

Function 00000225DC64199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000225DC6419C2
K32GetModuleFileNameExW.KERNEL32 ref: 00000225DC6419E0
PathFindFileNameW.SHLWAPI ref: 00000225DC6419EF
lstrlenW.KERNEL32 ref: 00000225DC6419FB
StrCpyW.SHLWAPI ref: 00000225DC641A0E
CloseHandle.KERNEL32 ref: 00000225DC641A1C

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: c75f4c628c11a50a5007a532dfe706c93d8ee4e04b1e1be502c9ae2a36d6589c
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 0E016929314E5092EB60DB9AA84C35963A1F788BC6F988075DF8A43754DF3CC989C740

Function 00000225DC6A199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000225DC6A19C2
K32GetModuleFileNameExW.KERNEL32 ref: 00000225DC6A19E0
PathFindFileNameW.SHLWAPI ref: 00000225DC6A19EF
lstrlenW.KERNEL32 ref: 00000225DC6A19FB
StrCpyW.SHLWAPI ref: 00000225DC6A1A0E
CloseHandle.KERNEL32 ref: 00000225DC6A1A1C

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: cb2a63c83e44a23da2db583fd32e9b754654e1e9db48b59022d394c89ab082b1
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 99016929300E5092EB18DB9AA89C35963A6FB88BC6F988035DF4D83754DF3CC989C740

Function 00000225DC6436C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000225DC6436E4
GetCurrentProcess.KERNEL32 ref: 00000225DC6436F2
VirtualProtectEx.KERNEL32 ref: 00000225DC643714
GetCurrentProcess.KERNEL32 ref: 00000225DC643732
VirtualProtectEx.KERNEL32 ref: 00000225DC643753
TerminateThread.KERNEL32 ref: 00000225DC643762

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 5377c2d080006a4fe2cd119959f91c4f1597db279fc077c9b970d2bb0f292206
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: E101296D325F6492FB649BAAE80C71A73A0BB49B87F148464CE4A07765EF3DC158C704

Function 00000225DC6A36C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000225DC6A36E4
GetCurrentProcess.KERNEL32 ref: 00000225DC6A36F2
VirtualProtectEx.KERNEL32 ref: 00000225DC6A3714
GetCurrentProcess.KERNEL32 ref: 00000225DC6A3732
VirtualProtectEx.KERNEL32 ref: 00000225DC6A3753
TerminateThread.KERNEL32 ref: 00000225DC6A3762

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 3adde3a003b7029c84831e13eabd217eaefc6f8cdf697e4629c9387f833a695b
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: FB012969211F60A2EB289BAAE91C71977A1BB59B87F188424CE4947764EF3DC148C704

Function 00000225DC648FE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000225DC649013
_IsNonwritableInCurrentImage.LIBCMT ref: 00000225DC6490A8
RtlUnwindEx.NTDLL ref: 00000225DC6490F7

Strings

csm, xrefs: 00000225DC64908E
f, xrefs: 00000225DC649026

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction ID: b166926d79cf74f009588074e3820990c0fc1e07a97fa4e01069ba2e3ee14553
Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction Fuzzy Hash: 6651BF3A75DA20EAEB14DF99E84CB5937AAF344B8AF10C5A4DA174778CDB35C842C700

Function 00000225DC6A8FE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000225DC6A9013
_IsNonwritableInCurrentImage.LIBCMT ref: 00000225DC6A90A8
RtlUnwindEx.NTDLL ref: 00000225DC6A90F7

Strings

f, xrefs: 00000225DC6A9026
csm, xrefs: 00000225DC6A908E

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction ID: 599e737887705c3809ce4680662d838ae3905f4783b37dc68dc1ccc8eae22418
Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction Fuzzy Hash: 78519F3A701A20AAEB14DFA9E84CB5937A6F344BCAF30C524DA568778DDB75DD42C700

Function 00000225DC641A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000225DC641A60
StrCmpNIW.SHLWAPI ref: 00000225DC641A7A
lstrlenW.KERNEL32 ref: 00000225DC641A89
StrCpyW.SHLWAPI ref: 00000225DC641A9E

Strings

\\?\, xrefs: 00000225DC641A6E

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: e535c0649dfb5c656df934673802aa2881829a80634b4f76755b7f08d64bed47
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 69F04466718E51A2E7608BE9F9887596761F748BC9F94C020DB4A46654DF3CC68DCB00

Function 00000225DC6A1A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000225DC6A1A60
StrCmpNIW.SHLWAPI ref: 00000225DC6A1A7A
lstrlenW.KERNEL32 ref: 00000225DC6A1A89
StrCpyW.SHLWAPI ref: 00000225DC6A1A9E

Strings

\\?\, xrefs: 00000225DC6A1A6E

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 2a81db31a951e5e259a4acc7b5a595b85a3b479c602b75ed73f30d03813019d1
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: BBF06866304E51A2EB60CFE9F9C87597762F748B8AF94C020DB4946654DF3CC64DCB00

Function 00000225DC643044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 00000225DC643066
StrCpyW.SHLWAPI ref: 00000225DC643076
StrCatW.SHLWAPI ref: 00000225DC643082
PathCombineW.SHLWAPI ref: 00000225DC643090

Strings

\\.\pipe\, xrefs: 00000225DC64305C

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 05bf48fb40d5b317a8235632c964cef6d02a25c8f7691d3038dd68194b884147
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 51F08C28328FA4A2FA448FDBB90C1196260AB48FD2F18E170EF4A07B58DF3CC485C700

Function 00000225DC64BC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000225DC64BCBD
GetProcAddress.KERNEL32 ref: 00000225DC64BCD3
FreeLibrary.KERNEL32 ref: 00000225DC64BCFA

Strings

mscoree.dll, xrefs: 00000225DC64BCB4
CorExitProcess, xrefs: 00000225DC64BCCC

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 44bd982de87b7b9a06009664450f2777bab72fc188efb7fa02744482d7f49e87
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 72F09669329F14A1EB108FECE44C3596361EB89766F648259DB6A462F4CF3CC044C740

Function 00000225DC6A3044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 00000225DC6A3066
StrCpyW.SHLWAPI ref: 00000225DC6A3076
StrCatW.SHLWAPI ref: 00000225DC6A3082
PathCombineW.SHLWAPI ref: 00000225DC6A3090

Strings

\\.\pipe\, xrefs: 00000225DC6A305C

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: fb1c96070f1bbd8c52466b515c03c742fb3955bbc3562a61c2f5362b02f3ede6
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 5BF05828204FA4A2EA588FDBB9081197262AB48FC2F08E030EF4A47B18DF38C445C700

Function 00000225DC6ABC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000225DC6ABCBD
GetProcAddress.KERNEL32 ref: 00000225DC6ABCD3
FreeLibrary.KERNEL32 ref: 00000225DC6ABCFA

Strings

mscoree.dll, xrefs: 00000225DC6ABCB4
CorExitProcess, xrefs: 00000225DC6ABCCC

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 859cf1714d0438efb9fd229f799e05916821dabd80631214c70755d8405ab38f
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 21F09679311F15A1FB148BEDE84C3596361EB84767F548219CB6A452F4DF3CC444C740

Function 00000225DC6A50D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000225DC6A5156

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: cc4e45ee1de0211bceb984575181e682b35c92b14fcfce5c930bbfc96d3dc94e
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: EA02C836219F9496EB60CB99F49435AB7A0F3C5795F209015EB8E87BA9DF7CC444CB00

Function 00000225DC645710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000225DC645726

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
Instruction ID: 8f9846ecf6cf7499faee6b5ce6658377365f055e4165f45403509503972279d5
Opcode Fuzzy Hash: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
Instruction Fuzzy Hash: 6561CD3A51DF94D6E760CB99E44831AB7A0F3C8796F109165EA8E87BA8DB7CC544CF00

Function 00000225DC6A5710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000225DC6A5726

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: c0f1102daedf8fd83df05dbad566c9dcb67f0f52cae9f12d02fc669b962d21e9
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: DB61EE3A519F94D6E760CB99E54831AB7E0F388786F209115FA8E87BA8DB7CC554CF00

Function 00000225DC654104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000225DC65412C
_set_statfp.LIBCMT ref: 00000225DC654147
_set_statfp.LIBCMT ref: 00000225DC654163
_set_statfp.LIBCMT ref: 00000225DC65419F

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: a15945065d89435b6d58080b2ea34464beef53a1596a2d5ce657289fdf07ecc6
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 5911733EA34E7131F67415ECD45D3751151EB783FAF38C6A4A976076D6DA34C841E200

Function 00000225DC623504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000225DC62352C
_set_statfp.LIBCMT ref: 00000225DC623547
_set_statfp.LIBCMT ref: 00000225DC623563
_set_statfp.LIBCMT ref: 00000225DC62359F

Memory Dump Source

Source File: 0000001E.00000002.3237826612.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc610000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 0f0cd1f3b4902091acada321e62a835e8ba03bea7c675b6eead67c7f9176ca24
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 6B11C63AA60E3131FB6415ECE45D37991C86B58BB6F48C639A97F2E3D6CB34C881C200

Function 00000225DC683504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000225DC68352C
_set_statfp.LIBCMT ref: 00000225DC683547
_set_statfp.LIBCMT ref: 00000225DC683563
_set_statfp.LIBCMT ref: 00000225DC68359F

Memory Dump Source

Source File: 0000001E.00000002.3238224914.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc670000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 4770082600421d2f4bb53b6383fc8d4b46f38f5b83b98cacefa30fc3353db637
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 4111EC3E6A4E3131FA54D5ECE44D37911906F59F76F48C638A976067DACA78C841C203

Function 00000225DC6B4104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000225DC6B412C
_set_statfp.LIBCMT ref: 00000225DC6B4147
_set_statfp.LIBCMT ref: 00000225DC6B4163
_set_statfp.LIBCMT ref: 00000225DC6B419F

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 790992d3fedfbb3f0c19deaeddb177f6f54104038671def6cf99952e65a916c8
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 2711733EE14E7131F66415ECD45D3751243EB783BBF18C624AA7E076D6CA34C841E210

Function 00000225DC61F040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000225DC61F124

Strings

Wednesday, xrefs: 00000225DC61F1ED
or copy constructor iterator', xrefs: 00000225DC61F25A, 00000225DC61F275
Tuesday, xrefs: 00000225DC61F0F4

Memory Dump Source

Source File: 0000001E.00000002.3237826612.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc610000_winlogon.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 944570b48e0c60bc5ad5e959f3b97a539a301ff4876b6c2567b65f1bc9dbc55e
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 2961E27E606E6066FE69CBFCE55D32E66A0F785793F54C415EA0A037A4DB34C842C302

Function 00000225DC67F040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000225DC67F124

Strings

or copy constructor iterator', xrefs: 00000225DC67F25A, 00000225DC67F275
Wednesday, xrefs: 00000225DC67F1ED
Tuesday, xrefs: 00000225DC67F0F4

Memory Dump Source

Source File: 0000001E.00000002.3238224914.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc670000_winlogon.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: b809d82d10e30da49faebdcfad985b935ab92b62efaa54905c9af04f2a82b3da
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 6761D63E614E60B2FA65DBFCD55CB2A26A0E785742F51CD15EA1A07FE4DB34C842C382

Function 00000225DC64AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000225DC64AA68
_CallSETranslator.LIBVCRUNTIME ref: 00000225DC64AAB7

Strings

RCC, xrefs: 00000225DC64AA85
MOC, xrefs: 00000225DC64AA7C

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 5ee5bc15fcc7ca4683ce8519a978933ac552fc7779cbca0cf07b2e2c35c6d78e
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 6561CF3B608F94AAEB20DFA9D04439D7BA1F348B8DF148255EF4A17B99DB38C085C700

Function 00000225DC6AAA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000225DC6AAA68
_CallSETranslator.LIBVCRUNTIME ref: 00000225DC6AAAB7

Strings

MOC, xrefs: 00000225DC6AAA7C
RCC, xrefs: 00000225DC6AAA85

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: aa70c4840d0660077c5495364ee98befc91b92371ab933d55f9a834b1db71008
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 4761BE3B600F949AEB20DFA9D04439D77A0F748B8DF248216EF4A53B99DB38D085CB00

Function 00000225DC64AD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000225DC64ADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000225DC64AE88

Strings

csm, xrefs: 00000225DC64AEDA
csm, xrefs: 00000225DC64ADC2

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: e2a4ec1541559836ceca0d34c116ae26037d4692d9dd8773577d8c71d6944edc
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 9C51C37A10CBA0FAEB748F9A948835977A0F354B86F24C159FA5A47BD7CB38C451C700

Function 00000225DC61A178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000225DC61A1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000225DC61A288

Strings

csm, xrefs: 00000225DC61A1C2
csm, xrefs: 00000225DC61A2DA

Memory Dump Source

Source File: 0000001E.00000002.3237826612.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc610000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 4352b4e7d2f757b2eeab07a41cb79b5cce5006a568909e68af21b5ba570d396d
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 9B51C23A105BA0EAEF748F99944835877A0F355B97F28C215EB89C7BD6CB38C451C700

Function 00000225DC67A178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000225DC67A1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000225DC67A288

Strings

csm, xrefs: 00000225DC67A2DA
csm, xrefs: 00000225DC67A1C2

Memory Dump Source

Source File: 0000001E.00000002.3238224914.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc670000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: d8bc5406c68cbc3a3f3e81927d6ca097891e5497fb3224580501911da265d3db
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 7D51E83A104BA0DAEB748FA9944835C77A0F355B96F28E615FB5987FD6CB38D490CB00

Function 00000225DC6AAD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000225DC6AADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000225DC6AAE88

Strings

csm, xrefs: 00000225DC6AADC2
csm, xrefs: 00000225DC6AAEDA

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 2e3fcafa7e63c7afecd5eb320568e29d6bc18ccae88d7ce5c4c248ffc38c6f0c
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 9C51837A100BA0AAEB74CF99958835D77A0F758B86F34C117EA99C7BD6CB34D451CB00

Function 00000225DC618405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000225DC618413
_IsNonwritableInCurrentImage.LIBCMT ref: 00000225DC6184A8

Strings

f, xrefs: 00000225DC618426
csm, xrefs: 00000225DC61848E

Memory Dump Source

Source File: 0000001E.00000002.3237826612.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc610000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 8a2ee0853dea6fc810b70285cdad8afa924fb268fca63da5ab5c18953c58d14e
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 9F51BF3A712A20AAEF94CF99E448B1937A5F358B9FF52C224DE0647788EB34CC41C704

Function 00000225DC678405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000225DC678413
_IsNonwritableInCurrentImage.LIBCMT ref: 00000225DC6784A8

Strings

f, xrefs: 00000225DC678426
csm, xrefs: 00000225DC67848E

Memory Dump Source

Source File: 0000001E.00000002.3238224914.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc670000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 8bc61f57c5687e7a86239f1075434ff38e81a80eea30d95d659fdd3eaf197c62
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: DD51BF3A711A20AAFB94CF69E448B193795F758B9FF51CA24DA0663BC8EB74CC41C704

Function 00000225DC6183E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000225DC618413
_IsNonwritableInCurrentImage.LIBCMT ref: 00000225DC6184A8

Strings

f, xrefs: 00000225DC618426
csm, xrefs: 00000225DC61848E

Memory Dump Source

Source File: 0000001E.00000002.3237826612.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc610000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: a13f22b0c5ddbfd73ffef1e451b0b481ee6602808d75d20c911345d57e3c4186
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: A731C03A602B60A6EB64DF5AE84871977A4F748BDFF16C214EE5B47784DB38C940C704

Function 00000225DC6783E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000225DC678413
_IsNonwritableInCurrentImage.LIBCMT ref: 00000225DC6784A8

Strings

f, xrefs: 00000225DC678426
csm, xrefs: 00000225DC67848E

Memory Dump Source

Source File: 0000001E.00000002.3238224914.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc670000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 7ede24912a818c19e80a806750f1858c6928fd0ae1f237999a321a790690d3dd
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: F731BF3A211B60E6EB54DF69E8487193BA4F748B9AF15CA14EE5A13BC8DB38CD40C704

Function 00000225DC652058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000225DC6520D7
WriteFile.KERNEL32 ref: 00000225DC65239F
WriteFile.KERNEL32 ref: 00000225DC6523E5
GetLastError.KERNEL32 ref: 00000225DC65249B

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: bfa2cf39ed762a0c864f02a182d0b99d9a486c982741babc9b475573dd9f7606
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: F7D1F376724E90A9E712CFB9D44839C3BB1F754799F248216CF5E97B99DA34C406C340

Function 00000225DC6B2058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000225DC6B20D7
WriteFile.KERNEL32 ref: 00000225DC6B239F
WriteFile.KERNEL32 ref: 00000225DC6B23E5
GetLastError.KERNEL32 ref: 00000225DC6B249B

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: 01741f095c584cdd00ba98e3aa790e67a4177efe8c0c1c6c5439ed656a32a405
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: F2D1FF76B14E90A9E712CFA9D44839C7BF2F75479AF108216CF6E97B99DA34C406C340

Function 00000225DC6414A4 Relevance: 6.3, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC6414C5
HeapFree.KERNEL32 ref: 00000225DC6414D4
GetProcessHeap.KERNEL32 ref: 00000225DC6414E1
HeapFree.KERNEL32 ref: 00000225DC6414F0
GetProcessHeap.KERNEL32 ref: 00000225DC641500

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
Instruction ID: 6bfd24914fe268a9eaf32d670607eda920269b08af1813506c338134dac0ed3e
Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
Instruction Fuzzy Hash: E2115E7A524FA0E6E724DFEEA80816977A0FB89F86F148025DB4A53726DE34C451C740

Function 00000225DC652980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 00000225DC652A9C
GetLastError.KERNEL32 ref: 00000225DC652B27

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: 6d7b5b403a3188d3b4841f9fb94707250acf1a7d2d8579f267c512fad794f412
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: 7391D67AB20E70A5F766DFAD94883AD3BA0F754B8AF24C109DE0A57795DB34C486C700

Function 00000225DC6B2980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 00000225DC6B2A9C
GetLastError.KERNEL32 ref: 00000225DC6B2B27

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: 0effa0560eecda1315c6bac3784fbf95153408d93820f0ff7fe2030bc37eebda
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: F991D37A710E70A5FB62DFAD94883AD3BE2B704B8BF148109DE1A57A95DF34C486C700

Function 00000225DC6A7960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000225DC6A798C
GetCurrentThreadId.KERNEL32 ref: 00000225DC6A799A
GetCurrentProcessId.KERNEL32 ref: 00000225DC6A79A6
QueryPerformanceCounter.KERNEL32 ref: 00000225DC6A79B6

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 6c068aa945f0ac6dafb2ede45e1116f91dfe096492dd73cd30e6c0fcb5e07c68
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: A7111226710F1599EF00CFA8E8593A833A4F75975EF441E25DB6D867A4DF78C1A8C380

Function 00000225DC64253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000225DC642620
StrCpyW.SHLWAPI ref: 00000225DC642639

Strings

\\.\pipe\, xrefs: 00000225DC64262B

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 898a99a824d3708835f2c6571b9ade3bad5d2cda467ec0446c5c9970c4b06ed6
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: 6471F63A20CFA166E7269FED98483EA7794F389B86F648066DD0B53B89DE35C541C700

Function 00000225DC6A253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000225DC6A2620
StrCpyW.SHLWAPI ref: 00000225DC6A2639

Strings

\\.\pipe\, xrefs: 00000225DC6A262B

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 5f5e41b068d0f293cc7ef7899fb07c4c471cec35d55f3e32321b6d3ba8d92876
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: 0971FB3A280FA166D726DFADD8483AA6794F385B86F648025DD0ED3B89DE35C645C700

Function 00000225DC619E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000225DC619EB7

Strings

RCC, xrefs: 00000225DC619E85
MOC, xrefs: 00000225DC619E7C

Memory Dump Source

Source File: 0000001E.00000002.3237826612.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc610000_winlogon.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 1c103488b81b5755e9a858689f9c8f9220dbcbf2f2fcf3c8ea21b2028d61d58d
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: C5619D3B602F549AEB20CFA9D44439D7BA0F748B8EF148215EF4917B99DB38D156C700

Function 00000225DC679E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000225DC679EB7

Strings

MOC, xrefs: 00000225DC679E7C
RCC, xrefs: 00000225DC679E85

Memory Dump Source

Source File: 0000001E.00000002.3238224914.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc670000_winlogon.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 9fd3008523d1d31d7ee32bda0e514125121f93270c61e4c83d0e3fe2aa1cbd72
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 4B61AB3B600F949AEB20DFA9D44439D77A0F748B8DF148A15EF4917B99DB38D496C700

Function 00000225DC642330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000225DC642416
StrCpyW.SHLWAPI ref: 00000225DC64242D

Strings

\\.\pipe\, xrefs: 00000225DC642421

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 46897ffc2cc2630562e995aa3ab88a20c60a5fe9943d3a7bd5f75d2a5dc7dda7
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 8051273A60CFA1A1E6799FEDE05C37A7B51F784B41F648165CE4B03B49CA39C544C740

Function 00000225DC6A2330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000225DC6A2416
StrCpyW.SHLWAPI ref: 00000225DC6A242D

Strings

\\.\pipe\, xrefs: 00000225DC6A2421

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: a83db0d25de40b44f666c5a5d64bcfc4ffcb5cd7079b315c16954b0aa5d8d6a1
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 0F516B3A284FA1A5F63ADFADE09C3BAA751F785B41F648125CE4D83B49CE39C544C740

Function 00000225DC6526F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000225DC652807
GetLastError.KERNEL32 ref: 00000225DC652829

Strings

U, xrefs: 00000225DC6527B3

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: ff598f2dff618ae855125180d135eff0feb50115b417593be16094bb43c2f728
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: BC41C476325E90A6DB21CFA9E8483AE77A0F798795F508021EE4E87794EB7CC445C740

Function 00000225DC6B26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000225DC6B2807
GetLastError.KERNEL32 ref: 00000225DC6B2829

Strings

U, xrefs: 00000225DC6B27B3

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 2b7cbdf29e740ea36268c330b496c3bcbbcaca586992bcfa57e7be5236719281
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: F0412A76314F90A2EB21DFA9E8483A977A1F398796F508021EE4D87794EF3CC445C740

Function 00000225DC6494A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000225DC6494F0
RaiseException.KERNEL32 ref: 00000225DC649531

Strings

csm, xrefs: 00000225DC64951E

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 8e6f9ddc8bd4a0050d82363797f3a651ef4e3f91162d625b6a7f86f7e5c4113b
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: CF115B36218F9092EB608B59E40435977E4FB88B99F288260EF8D47B68DF3CC552CB00

Function 00000225DC6A94A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000225DC6A94F0
RaiseException.KERNEL32 ref: 00000225DC6A9531

Strings

csm, xrefs: 00000225DC6A951E

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: c91e1e86bab824f286d7942031cacff95a827eda15b7eec0a60a9f277f66f1ea
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 54112B3A218F9092EB65CB59E44435977E5FB88B99F688220EF8C47768DF3CC552CB00

Function 00000225DC617356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00000225DC61737C

Strings

riptor at (, xrefs: 00000225DC617364
ierarchy Descriptor', xrefs: 00000225DC617381

Memory Dump Source

Source File: 0000001E.00000002.3237826612.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc610000_winlogon.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 40d697394cd767119a46280874914b4daa5d8e9346db535fcc515f98333aa0ca
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 7EE08661A41F84A0DF118F66E8442D873A0DB58B69B48D122995C46311FA38D1E9C300

Function 00000225DC677356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00000225DC67737C

Strings

riptor at (, xrefs: 00000225DC677364
ierarchy Descriptor', xrefs: 00000225DC677381

Memory Dump Source

Source File: 0000001E.00000002.3238224914.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc670000_winlogon.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 3bdf3a98a46eddaab18917913d4673d13906e839a3b4fd0dcf7fe39589f613a6
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: B2E08661640F84A0EF018F65E8442D833A0DB5CB65B49D122995C06351FA38D1E9C301

Function 00000225DC6173B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00000225DC6173D8

Strings

riptor at (, xrefs: 00000225DC6173C0
Locator', xrefs: 00000225DC6173DD

Memory Dump Source

Source File: 0000001E.00000002.3237826612.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc610000_winlogon.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 33387b3a89b0f7cf97b4c9f63ea1e6ce0b438a2dcf969175634c70bf0c094b31
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: F9E0CD61A01F44D0DF118F65D4441D87360E75CB69F88D222CD4C47311FB38D1E5C300

Function 00000225DC6773B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00000225DC6773D8

Strings

riptor at (, xrefs: 00000225DC6773C0
Locator', xrefs: 00000225DC6773DD

Memory Dump Source

Source File: 0000001E.00000002.3238224914.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc670000_winlogon.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 5795fbfa8a47514ff8c6ddda118d1662a7868f1be9d24305db9b02968eedc405
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 28E08661640F8490EF018F65D4401987360EB5CB55B88D122C95C06351FA38D1E5C301

Function 00000225DC641BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC641C2D
HeapAlloc.KERNEL32 ref: 00000225DC641C3B
GetProcessHeap.KERNEL32 ref: 00000225DC641C77
HeapFree.KERNEL32 ref: 00000225DC641C85

Part of subcall function 00000225DC64152C: StrCmpIW.SHLWAPI ref: 00000225DC64155D

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: 435233d5cd765dd7833698f1ddb9f59ae8d1156237805913c2fcddc5f4e0a6b6
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: B2119129615F5492EB54DFAEA80C26973A1FB89FC2F188065DE4E53765DF38C442C300

Function 00000225DC6A1BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC6A1C2D
HeapAlloc.KERNEL32 ref: 00000225DC6A1C3B
GetProcessHeap.KERNEL32 ref: 00000225DC6A1C77
HeapFree.KERNEL32 ref: 00000225DC6A1C85

Part of subcall function 00000225DC6A152C: StrCmpIW.SHLWAPI ref: 00000225DC6A155D

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: 1420031e885aaf21fcc6fdccc82258bc3790c71e1673b6532d453dab14891ff2
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: 95115129601F64E2EA54DFAEA44C22977A5FB89FC2F188025DE4E97765DF38C442C300

Function 00000225DC641268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC64126E
HeapAlloc.KERNEL32 ref: 00000225DC64127D
GetProcessHeap.KERNEL32 ref: 00000225DC641297
HeapAlloc.KERNEL32 ref: 00000225DC6412A8

Memory Dump Source

Source File: 0000001E.00000002.3237984363.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc640000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 46137aeb2ac080d4014b8e101a3abee4704eba82c5d2520b876412a79b8151bf
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 77E06D39621E1486EB548FEAD80C36A36E1FB89F06F14C024CA0907751DF7DC499C750

Function 00000225DC6A1268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC6A126E
HeapAlloc.KERNEL32 ref: 00000225DC6A127D
GetProcessHeap.KERNEL32 ref: 00000225DC6A1297
HeapAlloc.KERNEL32 ref: 00000225DC6A12A8

Memory Dump Source

Source File: 0000001E.00000002.3238457753.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 5f6bbecbb8621be69b39046fe70b37093b4047639506c31062e86b7116282652
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 3EE03239A01E1486EB088BAAD80834A36E2EB89B07F08C0248A0907361DF7DC499CB90

Analysis Process: lsass.exePID: 628, Parent PID: 8136COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	94
Total number of Limit Nodes:	12

Executed Functions

Function 00000202C0AE253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32 ref: 00000202C0AE2620
StrCpyW.SHLWAPI ref: 00000202C0AE2639

Strings

\\.\pipe\, xrefs: 00000202C0AE262B

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 383afa285ac380fd55eaa2c4cb7d261a7defb1f4293108ecd3c580df2b121f06
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: 517190362047C1C6F625DF2998CC3AE7794F389B84F560127DFAA53B8ADA35CA598700

Function 00000202C0AE202C Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 00000202C0AE20C6

Part of subcall function 00000202C0AE2F04: GetProcessHeap.KERNEL32 ref: 00000202C0AE2F27
Part of subcall function 00000202C0AE2F04: HeapAlloc.KERNEL32 ref: 00000202C0AE2F3A
Part of subcall function 00000202C0AE2F04: StrCmpNIW.SHLWAPI ref: 00000202C0AE2FAF
Part of subcall function 00000202C0AE2F04: GetProcessHeap.KERNEL32 ref: 00000202C0AE3015
Part of subcall function 00000202C0AE2F04: HeapFree.KERNEL32 ref: 00000202C0AE3023

Strings

dialer, xrefs: 00000202C0AE20BF
S, xrefs: 00000202C0AE21E7

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: S$dialer
API String ID: 756756679-3873981283
Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
Instruction ID: 7d0801e181e7e1027f0f2556f8cd6da4d5c454e321737ababf7947f23bb56196
Opcode Fuzzy Hash: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
Instruction Fuzzy Hash: 5651AC32B107A4C6FB61CF29E88C6AD63E5F704784F069123DFA512B86DB35C969C300

Function 00000202C0AE1A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000202C0AE1A60
StrCmpNIW.SHLWAPI ref: 00000202C0AE1A7A
lstrlenW.KERNEL32 ref: 00000202C0AE1A89
StrCpyW.SHLWAPI ref: 00000202C0AE1A9E

Strings

\\?\, xrefs: 00000202C0AE1A6E

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 8c3d5dbfacf504bca622ea7f657326f4a67cd1e3c1ec290e5004b19a988dad2d
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: BCF01922304781D2FB608B21E8CC76D6765F748BC8F958123DB994B966DA2DC68DCB00

Function 00000202C0AE1268 Relevance: 5.0, APIs: 4, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000202C0AE126E
HeapAlloc.KERNEL32 ref: 00000202C0AE127D
GetProcessHeap.KERNEL32 ref: 00000202C0AE1297
HeapAlloc.KERNEL32 ref: 00000202C0AE12A8

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 14bf7bafefd4b55b8bc325b1bb0149ce76066631eeb9ae1ebb85862f094286e6
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 48E03936601704C6FB048B62D84C34A36E5EB89B06F0681268B0907362DF7E8499C750

Function 00000202C0AE328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000202C0AE32AE
PathFindFileNameW.SHLWAPI ref: 00000202C0AE32BD

Part of subcall function 00000202C0AE3844: StrCmpNIW.SHLWAPI ref: 00000202C0AE385C

Part of subcall function 00000202C0AE3790: GetModuleHandleW.KERNEL32 ref: 00000202C0AE379E
Part of subcall function 00000202C0AE3790: GetCurrentProcess.KERNEL32 ref: 00000202C0AE37CC
Part of subcall function 00000202C0AE3790: VirtualProtectEx.KERNEL32 ref: 00000202C0AE37EE
Part of subcall function 00000202C0AE3790: GetCurrentProcess.KERNEL32 ref: 00000202C0AE3809
Part of subcall function 00000202C0AE3790: VirtualProtectEx.KERNEL32 ref: 00000202C0AE382A

CreateThread.KERNEL32 ref: 00000202C0AE330B

Part of subcall function 00000202C0AE1D14: GetCurrentThread.KERNEL32 ref: 00000202C0AE1D1F

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 435a5f88e7c6a6dd218e0f6004eb37f2790bd4aa4d5b291e1e8191fef771e2ad
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: A8119672618782D2F760D721F8CDB6D2294BB54748F528127ABB6497A3EF78C46C8240

Function 00000202C0AE1ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000202C0AE1628: GetProcessHeap.KERNEL32 ref: 00000202C0AE1633
Part of subcall function 00000202C0AE1628: HeapAlloc.KERNEL32 ref: 00000202C0AE1642
Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE16B2
Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE16DF
Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE16F9
Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1719
Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1734
Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1754
Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE176F
Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE178F
Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE17AA
Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE17CA

Sleep.KERNEL32 ref: 00000202C0AE1AD7
SleepEx.KERNELBASE ref: 00000202C0AE1ADD

Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE17E5
Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1805
Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1820
Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1840
Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE185B
Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE187B
Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1896
Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE18A0

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 1519724245a59a03f973eddcebe70884a6cccd966baeab2eab41fd8751cf1259
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: ED31C071200BE1C1FF509B26DACD3AD53A5AB84FC4F0654239FA987697FE14C879C210

Function 00000202C0AB273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000202C0AB285E

Memory Dump Source

Source File: 0000001F.00000002.3245272060.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: e9c472418be9705004432d1361e805bb540b7ad58247b10c253449de9ed0d722
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 8161DF72B01790C7EB648F15908C76DB3A2FB54BA4F598127DF5D0778ADA38D86AC700

Function 00000202C0B4D6CC Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 00000202C0B4D721

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
Instruction ID: 34ca642fddbfa80b98dd7d1e12cd625f7d8416b3242e726ef6993ad470ce53bd
Opcode Fuzzy Hash: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
Instruction Fuzzy Hash: 51F03A58301701C1FE68DBE699DD3AD52845BA9B88F0F54374A0A867C3EE2CCE898621

Function 00000202C0AED6CC Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 00000202C0AED721

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
Instruction ID: f1c622e14429a0b520057bbb946f3f429c66e82a7f768f9b6ab0a37ff79ad3e0
Opcode Fuzzy Hash: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
Instruction Fuzzy Hash: E4F0E998311780C1FE546B6699CD39D22845F88BC0F0E5437CF9A867D3EE1CC4AC8620

Non-executed Functions

Function 00000202C0B42B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00000202C0B42BD0
lstrlenW.KERNEL32 ref: 00000202C0B42E0A

Part of subcall function 00000202C0B4199C: OpenProcess.KERNEL32 ref: 00000202C0B419C2
Part of subcall function 00000202C0B4199C: K32GetModuleFileNameExW.KERNEL32 ref: 00000202C0B419E0
Part of subcall function 00000202C0B4199C: PathFindFileNameW.SHLWAPI ref: 00000202C0B419EF
Part of subcall function 00000202C0B4199C: lstrlenW.KERNEL32 ref: 00000202C0B419FB
Part of subcall function 00000202C0B4199C: StrCpyW.SHLWAPI ref: 00000202C0B41A0E
Part of subcall function 00000202C0B4199C: CloseHandle.KERNEL32 ref: 00000202C0B41A1C

GetProcAddress.KERNEL32 ref: 00000202C0B42BE5

Part of subcall function 00000202C0B4152C: StrCmpIW.SHLWAPI ref: 00000202C0B4155D

Part of subcall function 00000202C0B43844: StrCmpNIW.SHLWAPI ref: 00000202C0B4385C

StrCmpNIW.SHLWAPI ref: 00000202C0B42C28
lstrlenW.KERNEL32 ref: 00000202C0B42D50

Strings

NtQueryObject, xrefs: 00000202C0B42BDB
ntdll.dll, xrefs: 00000202C0B42BC9
\Device\Nsi, xrefs: 00000202C0B42C1B

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: ea49defb10b1f29b0a940c33d04d96a7ecb763d36349eb628f0f926092e888ee
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 49B15B62610F50C2FB68CFA5D48C7AD63A5FB64B88F865027EE0953B96DA34CE48D740

Function 00000202C0AE2B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00000202C0AE2BD0
lstrlenW.KERNEL32 ref: 00000202C0AE2E0A

Part of subcall function 00000202C0AE199C: OpenProcess.KERNEL32 ref: 00000202C0AE19C2
Part of subcall function 00000202C0AE199C: K32GetModuleFileNameExW.KERNEL32 ref: 00000202C0AE19E0
Part of subcall function 00000202C0AE199C: PathFindFileNameW.SHLWAPI ref: 00000202C0AE19EF
Part of subcall function 00000202C0AE199C: lstrlenW.KERNEL32 ref: 00000202C0AE19FB
Part of subcall function 00000202C0AE199C: StrCpyW.SHLWAPI ref: 00000202C0AE1A0E
Part of subcall function 00000202C0AE199C: CloseHandle.KERNEL32 ref: 00000202C0AE1A1C

GetProcAddress.KERNEL32 ref: 00000202C0AE2BE5

Part of subcall function 00000202C0AE152C: StrCmpIW.SHLWAPI ref: 00000202C0AE155D

Part of subcall function 00000202C0AE3844: StrCmpNIW.SHLWAPI ref: 00000202C0AE385C

StrCmpNIW.SHLWAPI ref: 00000202C0AE2C28
lstrlenW.KERNEL32 ref: 00000202C0AE2D50

Strings

ntdll.dll, xrefs: 00000202C0AE2BC9
NtQueryObject, xrefs: 00000202C0AE2BDB
\Device\Nsi, xrefs: 00000202C0AE2C1B

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: 629c2a77cc7c689ebc2a82fae016c29b45818ce3604cad8590d8ad8b42d26791
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 8BB18B62210BA0C6FB688F25C8CC7AD67A5F744B88F565017EF9953796EB35CC68C340

Function 00000202C0B47D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000202C0B47DAC
RtlCaptureContext.NTDLL ref: 00000202C0B47DD9
RtlLookupFunctionEntry.NTDLL ref: 00000202C0B47DF3
RtlVirtualUnwind.NTDLL ref: 00000202C0B47E34
IsDebuggerPresent.KERNEL32 ref: 00000202C0B47E88
SetUnhandledExceptionFilter.KERNEL32 ref: 00000202C0B47EA9
UnhandledExceptionFilter.KERNEL32 ref: 00000202C0B47EB4

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: 074cb2b116bef8104a3ff1e1834ec69d9378fb96776ea096e4a568f3e73522d9
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 7E313A72205B80CAFB60DF64E8883ED6364F794748F45402BDA4D57A96EF38CA48CB10

Function 00000202C0AE7D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000202C0AE7DAC
RtlCaptureContext.NTDLL ref: 00000202C0AE7DD9
RtlLookupFunctionEntry.NTDLL ref: 00000202C0AE7DF3
RtlVirtualUnwind.NTDLL ref: 00000202C0AE7E34
IsDebuggerPresent.KERNEL32 ref: 00000202C0AE7E88
SetUnhandledExceptionFilter.KERNEL32 ref: 00000202C0AE7EA9
UnhandledExceptionFilter.KERNEL32 ref: 00000202C0AE7EB4

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: 43f65ee015122b04127526cc5c334c21e5a52d8fe7862f76cef395083f707644
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 74311972205B80CAFB609F60E8887ED6364F784744F45442BDB8E57A9AEF39C658C710

Function 00000202C0B4D2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000202C0B4D31D
RtlLookupFunctionEntry.NTDLL ref: 00000202C0B4D335
RtlVirtualUnwind.NTDLL ref: 00000202C0B4D370
IsDebuggerPresent.KERNEL32 ref: 00000202C0B4D3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 00000202C0B4D3B3
UnhandledExceptionFilter.KERNEL32 ref: 00000202C0B4D3BE

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 20738ec7ba0cd5b3c578590298eade2181db2edcda4be7abefa7008bced66b77
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 36318632214F80D6EB60DF65E88839E73A4F799758F550127EA9D43B56DF38CA49CB00

Function 00000202C0AED2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000202C0AED31D
RtlLookupFunctionEntry.NTDLL ref: 00000202C0AED335
RtlVirtualUnwind.NTDLL ref: 00000202C0AED370
IsDebuggerPresent.KERNEL32 ref: 00000202C0AED3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 00000202C0AED3B3
UnhandledExceptionFilter.KERNEL32 ref: 00000202C0AED3BE

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 3629953f5db9c1b5f8070e01c3cc1c8c2a667b2e639c3edd282c0df2f16cc2f9
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: FF314F36214B80C6EB60CF25E88879E73A4F789758F550127EB9D47BA6EF38C559CB00

Function 00000202C0B41628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000202C0B41633
HeapAlloc.KERNEL32 ref: 00000202C0B41642

Part of subcall function 00000202C0B41268: GetProcessHeap.KERNEL32 ref: 00000202C0B4126E
Part of subcall function 00000202C0B41268: HeapAlloc.KERNEL32 ref: 00000202C0B4127D
Part of subcall function 00000202C0B41268: GetProcessHeap.KERNEL32 ref: 00000202C0B41297
Part of subcall function 00000202C0B41268: HeapAlloc.KERNEL32 ref: 00000202C0B412A8

RegOpenKeyExW.ADVAPI32 ref: 00000202C0B416B2
RegOpenKeyExW.ADVAPI32 ref: 00000202C0B416DF
RegCloseKey.ADVAPI32 ref: 00000202C0B416F9
RegOpenKeyExW.ADVAPI32 ref: 00000202C0B41719
RegCloseKey.ADVAPI32 ref: 00000202C0B41734
RegOpenKeyExW.ADVAPI32 ref: 00000202C0B41754
RegCloseKey.ADVAPI32 ref: 00000202C0B4176F
RegOpenKeyExW.ADVAPI32 ref: 00000202C0B4178F
RegCloseKey.ADVAPI32 ref: 00000202C0B417AA
RegOpenKeyExW.ADVAPI32 ref: 00000202C0B417CA
RegCloseKey.ADVAPI32 ref: 00000202C0B417E5
RegOpenKeyExW.ADVAPI32 ref: 00000202C0B41805
RegCloseKey.ADVAPI32 ref: 00000202C0B41820
RegOpenKeyExW.ADVAPI32 ref: 00000202C0B41840
RegCloseKey.ADVAPI32 ref: 00000202C0B4185B
RegOpenKeyExW.ADVAPI32 ref: 00000202C0B4187B
RegCloseKey.ADVAPI32 ref: 00000202C0B41896
RegCloseKey.ADVAPI32 ref: 00000202C0B418A0

Part of subcall function 00000202C0B412BC: RegQueryInfoKeyW.ADVAPI32 ref: 00000202C0B41319
Part of subcall function 00000202C0B412BC: GetProcessHeap.KERNEL32 ref: 00000202C0B41327
Part of subcall function 00000202C0B412BC: HeapAlloc.KERNEL32 ref: 00000202C0B41338
Part of subcall function 00000202C0B412BC: RegEnumValueW.ADVAPI32 ref: 00000202C0B41397
Part of subcall function 00000202C0B412BC: GetProcessHeap.KERNEL32 ref: 00000202C0B413DF
Part of subcall function 00000202C0B412BC: HeapAlloc.KERNEL32 ref: 00000202C0B413ED
Part of subcall function 00000202C0B412BC: GetProcessHeap.KERNEL32 ref: 00000202C0B4140A
Part of subcall function 00000202C0B412BC: HeapFree.KERNEL32 ref: 00000202C0B41418
Part of subcall function 00000202C0B412BC: lstrlenW.KERNEL32 ref: 00000202C0B41421
Part of subcall function 00000202C0B412BC: GetProcessHeap.KERNEL32 ref: 00000202C0B4142F
Part of subcall function 00000202C0B412BC: HeapAlloc.KERNEL32 ref: 00000202C0B4143D

Strings

process_names, xrefs: 00000202C0B4174D
tcp_remote, xrefs: 00000202C0B41839
service_names, xrefs: 00000202C0B417C3
startup, xrefs: 00000202C0B416D5
udp, xrefs: 00000202C0B41874
paths, xrefs: 00000202C0B41788
tcp_local, xrefs: 00000202C0B417FE
SOFTWARE\dialerconfig, xrefs: 00000202C0B41692
pid, xrefs: 00000202C0B41712

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 149db328da245b585e47ad4ced1ad46789ec14c8a6fdb7b940b5e9de63c5882f
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 76711826A10B11C6FB20DF65E8DC69D23A8F794B9CF461613DA4E53B6AEE34C948C740

Function 00000202C0AE1628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000202C0AE1633
HeapAlloc.KERNEL32 ref: 00000202C0AE1642

Part of subcall function 00000202C0AE1268: GetProcessHeap.KERNEL32 ref: 00000202C0AE126E
Part of subcall function 00000202C0AE1268: HeapAlloc.KERNEL32 ref: 00000202C0AE127D
Part of subcall function 00000202C0AE1268: GetProcessHeap.KERNEL32 ref: 00000202C0AE1297
Part of subcall function 00000202C0AE1268: HeapAlloc.KERNEL32 ref: 00000202C0AE12A8

RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE16B2
RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE16DF
RegCloseKey.ADVAPI32 ref: 00000202C0AE16F9
RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1719
RegCloseKey.ADVAPI32 ref: 00000202C0AE1734
RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1754
RegCloseKey.ADVAPI32 ref: 00000202C0AE176F
RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE178F
RegCloseKey.ADVAPI32 ref: 00000202C0AE17AA
RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE17CA
RegCloseKey.ADVAPI32 ref: 00000202C0AE17E5
RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1805
RegCloseKey.ADVAPI32 ref: 00000202C0AE1820
RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1840
RegCloseKey.ADVAPI32 ref: 00000202C0AE185B
RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE187B
RegCloseKey.ADVAPI32 ref: 00000202C0AE1896
RegCloseKey.ADVAPI32 ref: 00000202C0AE18A0

Part of subcall function 00000202C0AE12BC: RegQueryInfoKeyW.ADVAPI32 ref: 00000202C0AE1319
Part of subcall function 00000202C0AE12BC: GetProcessHeap.KERNEL32 ref: 00000202C0AE1327
Part of subcall function 00000202C0AE12BC: HeapAlloc.KERNEL32 ref: 00000202C0AE1338
Part of subcall function 00000202C0AE12BC: RegEnumValueW.ADVAPI32 ref: 00000202C0AE1397
Part of subcall function 00000202C0AE12BC: GetProcessHeap.KERNEL32 ref: 00000202C0AE13DF
Part of subcall function 00000202C0AE12BC: HeapAlloc.KERNEL32 ref: 00000202C0AE13ED
Part of subcall function 00000202C0AE12BC: GetProcessHeap.KERNEL32 ref: 00000202C0AE140A
Part of subcall function 00000202C0AE12BC: HeapFree.KERNEL32 ref: 00000202C0AE1418
Part of subcall function 00000202C0AE12BC: lstrlenW.KERNEL32 ref: 00000202C0AE1421
Part of subcall function 00000202C0AE12BC: GetProcessHeap.KERNEL32 ref: 00000202C0AE142F
Part of subcall function 00000202C0AE12BC: HeapAlloc.KERNEL32 ref: 00000202C0AE143D

Strings

startup, xrefs: 00000202C0AE16D5
udp, xrefs: 00000202C0AE1874
tcp_remote, xrefs: 00000202C0AE1839
tcp_local, xrefs: 00000202C0AE17FE
service_names, xrefs: 00000202C0AE17C3
process_names, xrefs: 00000202C0AE174D
pid, xrefs: 00000202C0AE1712
SOFTWARE\dialerconfig, xrefs: 00000202C0AE1692
paths, xrefs: 00000202C0AE1788

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 1d03e476145ce09beb9e97f2b7c5aab0935724522098279c66d9844aa9511552
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: F2710636210B50C6FB109F25E8DCA9D23A9FB84F88F425123DB9E47B6ADE39C458C744

Function 00000202C0B412BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000202C0B41319
GetProcessHeap.KERNEL32 ref: 00000202C0B41327
HeapAlloc.KERNEL32 ref: 00000202C0B41338
RegEnumValueW.ADVAPI32 ref: 00000202C0B41397

Part of subcall function 00000202C0B4152C: StrCmpIW.SHLWAPI ref: 00000202C0B4155D

GetProcessHeap.KERNEL32 ref: 00000202C0B413DF
HeapAlloc.KERNEL32 ref: 00000202C0B413ED
GetProcessHeap.KERNEL32 ref: 00000202C0B4140A
HeapFree.KERNEL32 ref: 00000202C0B41418
lstrlenW.KERNEL32 ref: 00000202C0B41421
GetProcessHeap.KERNEL32 ref: 00000202C0B4142F
HeapAlloc.KERNEL32 ref: 00000202C0B4143D
StrCpyW.SHLWAPI ref: 00000202C0B4145F
GetProcessHeap.KERNEL32 ref: 00000202C0B41476
HeapFree.KERNEL32 ref: 00000202C0B41484

Strings

d, xrefs: 00000202C0B4135A

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: 2b8714d9082f3f218f4c46e0c3f9fa38d1d4531711b30a527e95a4339a34b327
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: 77513836600B85C6EB54CF62E48C36E77A5F798F89F054126DA4A07B5ADF3CC9498B00

Function 00000202C0AE12BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000202C0AE1319
GetProcessHeap.KERNEL32 ref: 00000202C0AE1327
HeapAlloc.KERNEL32 ref: 00000202C0AE1338
RegEnumValueW.ADVAPI32 ref: 00000202C0AE1397

Part of subcall function 00000202C0AE152C: StrCmpIW.SHLWAPI ref: 00000202C0AE155D

GetProcessHeap.KERNEL32 ref: 00000202C0AE13DF
HeapAlloc.KERNEL32 ref: 00000202C0AE13ED
GetProcessHeap.KERNEL32 ref: 00000202C0AE140A
HeapFree.KERNEL32 ref: 00000202C0AE1418
lstrlenW.KERNEL32 ref: 00000202C0AE1421
GetProcessHeap.KERNEL32 ref: 00000202C0AE142F
HeapAlloc.KERNEL32 ref: 00000202C0AE143D
StrCpyW.SHLWAPI ref: 00000202C0AE145F
GetProcessHeap.KERNEL32 ref: 00000202C0AE1476
HeapFree.KERNEL32 ref: 00000202C0AE1484

Strings

d, xrefs: 00000202C0AE135A

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: a5c0dd0dd48098ab404cbb16107d584fe92d72ef17c22032ec6d5acc94b81fb7
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: 2C513876200B84C6EB50CF62E48C35EB7A5F788F89F458126DB890776ADF39C059CB00

Function 00000202C0B41D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00000202C0B41D1F

Part of subcall function 00000202C0B41FD4: GetModuleHandleA.KERNEL32 ref: 00000202C0B41FEC
Part of subcall function 00000202C0B41FD4: GetProcAddress.KERNEL32 ref: 00000202C0B41FFD

Part of subcall function 00000202C0B45B30: GetCurrentThreadId.KERNEL32 ref: 00000202C0B45B6B

Strings

EnumServicesStatusExW, xrefs: 00000202C0B41E11, 00000202C0B41E32
NtQueryDirectoryFile, xrefs: 00000202C0B41D7F
NtEnumerateKey, xrefs: 00000202C0B41DB9
EnumServiceGroupW, xrefs: 00000202C0B41DF0
sechost.dll, xrefs: 00000202C0B41E39
NtQuerySystemInformation, xrefs: 00000202C0B41D45
NtDeviceIoControlFile, xrefs: 00000202C0B41E56
NtResumeThread, xrefs: 00000202C0B41D62
NtQueryDirectoryFileEx, xrefs: 00000202C0B41D9C
NtEnumerateValueKey, xrefs: 00000202C0B41DD6
ntdll.dll, xrefs: 00000202C0B41D2D
advapi32.dll, xrefs: 00000202C0B41DF7, 00000202C0B41E18

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: e40b0a0d983c3e5c2f972df2f8d56332244cd6638b8c526d6e2f878550c6667d
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: EC316F64600F4AE0FA15EBA5E8DD6EC2321EB2474CFC35553994A02567AE78CF8ED350

Function 00000202C0AE1D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00000202C0AE1D1F

Part of subcall function 00000202C0AE1FD4: GetModuleHandleA.KERNEL32 ref: 00000202C0AE1FEC
Part of subcall function 00000202C0AE1FD4: GetProcAddress.KERNEL32 ref: 00000202C0AE1FFD

Part of subcall function 00000202C0AE5B30: GetCurrentThreadId.KERNEL32 ref: 00000202C0AE5B6B

Strings

EnumServiceGroupW, xrefs: 00000202C0AE1DF0
ntdll.dll, xrefs: 00000202C0AE1D2D
NtResumeThread, xrefs: 00000202C0AE1D62
NtDeviceIoControlFile, xrefs: 00000202C0AE1E56
NtQueryDirectoryFile, xrefs: 00000202C0AE1D7F
advapi32.dll, xrefs: 00000202C0AE1DF7, 00000202C0AE1E18
NtEnumerateValueKey, xrefs: 00000202C0AE1DD6
NtQuerySystemInformation, xrefs: 00000202C0AE1D45
NtQueryDirectoryFileEx, xrefs: 00000202C0AE1D9C
EnumServicesStatusExW, xrefs: 00000202C0AE1E11, 00000202C0AE1E32
NtEnumerateKey, xrefs: 00000202C0AE1DB9
sechost.dll, xrefs: 00000202C0AE1E39

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: 90a0736ddaf8fe37476ff4478ca91d660d6ffa8bbfea73cfc67e31501e438409
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: 5031A2A5100B8AE0FE15EF69E8DD7DC2321F704748F835423D7A9021679F79866ED391

Function 00000202C0AB6910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000202C0AB6938
__scrt_acquire_startup_lock.LIBCMT ref: 00000202C0AB698A
_RTC_Initialize.LIBCMT ref: 00000202C0AB69B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000202C0AB69DE
__scrt_release_startup_lock.LIBCMT ref: 00000202C0AB6A09

Strings

`eh vector copy constructor iterator', xrefs: 00000202C0AB6A3B
scriptor', xrefs: 00000202C0AB6B39, 00000202C0AB6BB2, 00000202C0AB6BEC
`dynamic initializer for ', xrefs: 00000202C0AB69C7
`eh vector vbase copy constructor iterator', xrefs: 00000202C0AB69EE

Memory Dump Source

Source File: 0000001F.00000002.3245272060.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 14de66892ba18830acab2e245ab1e6cb8a15d62160b2822f01b591de40b948de
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 1381EE31600701CAFB50AB66A4CD39D66E8EB85780F57842BAB48977B7DF3DC88D8700

Function 00000202C0B4CE28 Relevance: 18.1, APIs: 12, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000202C0B4CE37
FlsGetValue.KERNEL32(?,?,?,00000202C0B50A6B,?,?,?,00000202C0B5045C,?,?,?,00000202C0B4C84F), ref: 00000202C0B4CE4C
FlsSetValue.KERNEL32(?,?,?,00000202C0B50A6B,?,?,?,00000202C0B5045C,?,?,?,00000202C0B4C84F), ref: 00000202C0B4CE6D
FlsSetValue.KERNEL32(?,?,?,00000202C0B50A6B,?,?,?,00000202C0B5045C,?,?,?,00000202C0B4C84F), ref: 00000202C0B4CE9A
FlsSetValue.KERNEL32(?,?,?,00000202C0B50A6B,?,?,?,00000202C0B5045C,?,?,?,00000202C0B4C84F), ref: 00000202C0B4CEAB
FlsSetValue.KERNEL32(?,?,?,00000202C0B50A6B,?,?,?,00000202C0B5045C,?,?,?,00000202C0B4C84F), ref: 00000202C0B4CEBC
SetLastError.KERNEL32 ref: 00000202C0B4CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0B50A6B,?,?,?,00000202C0B5045C,?,?,?,00000202C0B4C84F), ref: 00000202C0B4CF0D
FlsSetValue.KERNEL32(?,?,00000001,00000202C0B4ECCC,?,?,?,?,00000202C0B4BF9F,?,?,?,?,?,00000202C0B47AB0), ref: 00000202C0B4CF2C

Part of subcall function 00000202C0B4D6CC: HeapAlloc.KERNEL32 ref: 00000202C0B4D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0B50A6B,?,?,?,00000202C0B5045C,?,?,?,00000202C0B4C84F), ref: 00000202C0B4CF54

Part of subcall function 00000202C0B4D744: HeapFree.KERNEL32 ref: 00000202C0B4D75A
Part of subcall function 00000202C0B4D744: GetLastError.KERNEL32 ref: 00000202C0B4D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0B50A6B,?,?,?,00000202C0B5045C,?,?,?,00000202C0B4C84F), ref: 00000202C0B4CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0B50A6B,?,?,?,00000202C0B5045C,?,?,?,00000202C0B4C84F), ref: 00000202C0B4CF76

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 2cdc79b8be68d16d60699a1a675998334f4061f55ae4612a1583d38688d983d1
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: 7141C121340745C5FEA9E7F155DD32D22429B64FBCF1B0B27A83A476D7DE28AE4D8200

Function 00000202C0AECE28 Relevance: 18.1, APIs: 12, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000202C0AECE37
FlsGetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECE4C
FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECE6D
FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECE9A
FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECEAB
FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECEBC
SetLastError.KERNEL32 ref: 00000202C0AECED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF0D
FlsSetValue.KERNEL32(?,?,00000001,00000202C0AEECCC,?,?,?,?,00000202C0AEBF9F,?,?,?,?,?,00000202C0AE7AB0), ref: 00000202C0AECF2C

Part of subcall function 00000202C0AED6CC: HeapAlloc.KERNEL32 ref: 00000202C0AED721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF54

Part of subcall function 00000202C0AED744: HeapFree.KERNEL32 ref: 00000202C0AED75A
Part of subcall function 00000202C0AED744: GetLastError.KERNEL32 ref: 00000202C0AED764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF76

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 4882f9c6545ddba956175daa0b1033055c58a1b9921f799def37e079ec50fdf9
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: 754197603013C4D6FE68A73555DD36D2242AB44BB4F174B27ABBB077E7EE38886A4600

Function 00000202C0B42244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000202C0B42259
GetCurrentProcessId.KERNEL32 ref: 00000202C0B42263

Part of subcall function 00000202C0B41934: OpenProcess.KERNEL32 ref: 00000202C0B41952
Part of subcall function 00000202C0B41934: IsWow64Process.KERNEL32 ref: 00000202C0B41968
Part of subcall function 00000202C0B41934: CloseHandle.KERNEL32 ref: 00000202C0B41983

CreateFileW.KERNEL32 ref: 00000202C0B422BC
WriteFile.KERNEL32 ref: 00000202C0B422E4
ReadFile.KERNEL32 ref: 00000202C0B42303
CloseHandle.KERNEL32 ref: 00000202C0B4230C

Strings

\\.\pipe\dialerchildproc64, xrefs: 00000202C0B4228C
\\.\pipe\dialerchildproc32, xrefs: 00000202C0B42293

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 008dbc35dcd28df123ba3ecaa6d45c164ec4b741ee261da0caa348c2525fb32f
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 73213832614B41C2FB10DB25E48C36E63A4F799BA9F550217EA9903AA9CF7CC949CB00

Function 00000202C0AE2244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000202C0AE2259
GetCurrentProcessId.KERNEL32 ref: 00000202C0AE2263

Part of subcall function 00000202C0AE1934: OpenProcess.KERNEL32 ref: 00000202C0AE1952
Part of subcall function 00000202C0AE1934: IsWow64Process.KERNEL32 ref: 00000202C0AE1968
Part of subcall function 00000202C0AE1934: CloseHandle.KERNEL32 ref: 00000202C0AE1983

CreateFileW.KERNEL32 ref: 00000202C0AE22BC
WriteFile.KERNEL32 ref: 00000202C0AE22E4
ReadFile.KERNEL32 ref: 00000202C0AE2303
CloseHandle.KERNEL32 ref: 00000202C0AE230C

Strings

\\.\pipe\dialerchildproc32, xrefs: 00000202C0AE2293
\\.\pipe\dialerchildproc64, xrefs: 00000202C0AE228C

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: a0d3f3940cedbe8f49a02ff4fcf1ce97ef5dd93de91068aee362f87148ae0ba9
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 31213832614B40C2FB208B25E48C75E67A5F789BA4F514217EB9A03BA9CF3DC54DCB00

Function 00000202C0AB9944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000202C0AB99A1

Part of subcall function 00000202C0ABA814: __GetUnwindTryBlock.LIBCMT ref: 00000202C0ABA857
Part of subcall function 00000202C0ABA814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000202C0ABA87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000202C0AB9A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000202C0AB9CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 00000202C0AB9DDA

Strings

csm, xrefs: 00000202C0AB99BB
csm, xrefs: 00000202C0AB9A9C
csm, xrefs: 00000202C0AB9A22

Memory Dump Source

Source File: 0000001F.00000002.3245272060.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 181cfaa8d1e203509729981359315e3b225e44fdda2c096569e0a7ba0a0bf46d
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: E5E17A72604B80CAFB60DB69D48839D7BA4F755B98F12011BEF8957B9ACB34C499C704

Function 00000202C0B4A544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000202C0B4A5A1

Part of subcall function 00000202C0B4B414: __GetUnwindTryBlock.LIBCMT ref: 00000202C0B4B457
Part of subcall function 00000202C0B4B414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000202C0B4B47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000202C0B4A679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000202C0B4A8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 00000202C0B4A9DA

Strings

csm, xrefs: 00000202C0B4A622
csm, xrefs: 00000202C0B4A5BB
csm, xrefs: 00000202C0B4A69C

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: fc94518462626f888d8846af3be64f0efb4c56cc64aa87eac9decc31170b97bd
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 38E16B72604780CAFB60DFA5948839D77A4F765B9CF120117EE8967B9ACB34CA89C700

Function 00000202C0AEA544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000202C0AEA5A1

Part of subcall function 00000202C0AEB414: __GetUnwindTryBlock.LIBCMT ref: 00000202C0AEB457
Part of subcall function 00000202C0AEB414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000202C0AEB47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000202C0AEA679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000202C0AEA8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 00000202C0AEA9DA

Strings

csm, xrefs: 00000202C0AEA622
csm, xrefs: 00000202C0AEA69C
csm, xrefs: 00000202C0AEA5BB

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: dc69ca82dc18b6d9c62c9d97f6a4348578a3add946f7b447ab90ca90604d3949
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 12E16A72600B80CAFB60DB65948C39D77A4F7A6B98F120117EFA957B97CB34D4A9C700

Function 00000202C0B4F394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00000202C0B4F510
GetProcAddress.KERNEL32 ref: 00000202C0B4F51C

Strings

api-ms-, xrefs: 00000202C0B4F45A
ext-ms-, xrefs: 00000202C0B4F46D

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: 4d0429e463cdcf790b333bae80d732790b8fc7ae5b9fddcec2d0db7aee47192f
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: E741E622311B11D1FA57CBA6A88C75E2395F759BE8F0B45279D0D87786EE38CE4D8310

Function 00000202C0AEF394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00000202C0AEF510
GetProcAddress.KERNEL32 ref: 00000202C0AEF51C

Strings

api-ms-, xrefs: 00000202C0AEF45A
ext-ms-, xrefs: 00000202C0AEF46D

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: 26dcd2d441800ec49dab0db58e17c16847a3beddbc1f683c45a4dffa8db80317
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: 2A41F422311B90D1FA16CB56A88C75E2395F748BA0F0A45279F6E877D6EE3DC45D8300

Function 00000202C0B4104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000202C0B410B1
RegEnumValueW.ADVAPI32 ref: 00000202C0B41117
GetProcessHeap.KERNEL32 ref: 00000202C0B4115A
HeapAlloc.KERNEL32 ref: 00000202C0B41168
GetProcessHeap.KERNEL32 ref: 00000202C0B41185
HeapFree.KERNEL32 ref: 00000202C0B41193

Strings

d, xrefs: 00000202C0B410D6

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: 99df361078cfd39b5a53b450fecf6a20a2520eab45679cb7f8f0db21186f57c2
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: 1C414F33614B84C6F760CF61E48879E77A5F388B98F45812ADB8A17B59DF38C949CB40

Function 00000202C0AE104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000202C0AE10B1
RegEnumValueW.ADVAPI32 ref: 00000202C0AE1117
GetProcessHeap.KERNEL32 ref: 00000202C0AE115A
HeapAlloc.KERNEL32 ref: 00000202C0AE1168
GetProcessHeap.KERNEL32 ref: 00000202C0AE1185
HeapFree.KERNEL32 ref: 00000202C0AE1193

Strings

d, xrefs: 00000202C0AE10D6

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: a80658ec44f4b8303e4c6cbc6e08df687ba0206d03e3ba62d1abb9220ce3f758
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: B6415E73214B84C6F760CF21E48879E77A5F388B98F45822ADB8907B59DF39C599CB40

Function 00000202C0B4D068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00000202C0B4C7DE,?,?,?,?,?,?,?,?,00000202C0B4CF9D,?,?,00000001), ref: 00000202C0B4D087
FlsSetValue.KERNEL32(?,?,?,00000202C0B4C7DE,?,?,?,?,?,?,?,?,00000202C0B4CF9D,?,?,00000001), ref: 00000202C0B4D0A6
FlsSetValue.KERNEL32(?,?,?,00000202C0B4C7DE,?,?,?,?,?,?,?,?,00000202C0B4CF9D,?,?,00000001), ref: 00000202C0B4D0CE
FlsSetValue.KERNEL32(?,?,?,00000202C0B4C7DE,?,?,?,?,?,?,?,?,00000202C0B4CF9D,?,?,00000001), ref: 00000202C0B4D0DF
FlsSetValue.KERNEL32(?,?,?,00000202C0B4C7DE,?,?,?,?,?,?,?,?,00000202C0B4CF9D,?,?,00000001), ref: 00000202C0B4D0F0

Strings

1%, xrefs: 00000202C0B4D0CE
Y%, xrefs: 00000202C0B4D0A6

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: d231aa1d353db854b018b057b1d8bd56a7c0a04610d8b0695e9d3c6f40d33619
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: F9119020704744C1FE69E7A559DE33E61419B647FCF1A4727A839477EBDE28CE4A8200

Function 00000202C0AED068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED087
FlsSetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED0A6
FlsSetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED0CE
FlsSetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED0DF
FlsSetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED0F0

Strings

Y%, xrefs: 00000202C0AED0A6
1%, xrefs: 00000202C0AED0CE

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: 363b9827668d8b761d31e44ad5a3e4dbf29d2bfe1cda884ffc1cc8260375dec9
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: D111AB607043C4C6FE68973555DD37D6141AB447F4F1A4727EAFA077DBDE28C86A8600

Function 00000202C0B47510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000202C0B47538
__scrt_acquire_startup_lock.LIBCMT ref: 00000202C0B4758A
_RTC_Initialize.LIBCMT ref: 00000202C0B475B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000202C0B475DE
__scrt_release_startup_lock.LIBCMT ref: 00000202C0B47609

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 82d5730b3bd781178e04ea6ea214ed563beb6a2d9171056f0756c27a91450d9f
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 7C81B160690741C6FA54EBEA94DD36D2291EB65B8CF5B48279A0847397DB38CF4DCF00

Function 00000202C0AE7510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000202C0AE7538
__scrt_acquire_startup_lock.LIBCMT ref: 00000202C0AE758A
_RTC_Initialize.LIBCMT ref: 00000202C0AE75B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000202C0AE75DE
__scrt_release_startup_lock.LIBCMT ref: 00000202C0AE7609

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 14979f1a24b322753f854ca5a4dead1d4ee237c3b69154d6c2c35d4c8e247c5d
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: CE81F4617007C1C6FB54AB65A8CD39D2390BB85B84F174427EBE9477A7EB38CA6D8700

Function 00000202C0B49DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00000202C0B49E49
GetLastError.KERNEL32 ref: 00000202C0B49E57
LoadLibraryExW.KERNEL32 ref: 00000202C0B49E81
FreeLibrary.KERNEL32 ref: 00000202C0B49EC7
GetProcAddress.KERNEL32 ref: 00000202C0B49ED3

Strings

api-ms-, xrefs: 00000202C0B49E69

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 87e2d02121405d5361c2b6a95ffff34f0ff5d3ef441214c854b1118af53f8c05
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: AD31E621352B40E1FE66DB82A48C76D2398B758BA8F5B05279D2D0B796DF39CA4D8304

Function 00000202C0AE9DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00000202C0AE9E49
GetLastError.KERNEL32 ref: 00000202C0AE9E57
LoadLibraryExW.KERNEL32 ref: 00000202C0AE9E81
FreeLibrary.KERNEL32 ref: 00000202C0AE9EC7
GetProcAddress.KERNEL32 ref: 00000202C0AE9ED3

Strings

api-ms-, xrefs: 00000202C0AE9E69

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 93692ba9be4b391852265e8ab40df330be3080cd4f0ad2a801a0759650363b03
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: A731A722212B80D1FE15DB42A48C75D2294B748BA0F5B49279FBE07792DF39C5AD8304

Function 00000202C0B53DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000202C0B53DE5
GetLastError.KERNEL32 ref: 00000202C0B53DF1
CloseHandle.KERNEL32 ref: 00000202C0B53E09
CreateFileW.KERNEL32 ref: 00000202C0B53E34
WriteConsoleW.KERNEL32 ref: 00000202C0B53E53

Strings

CONOUT$, xrefs: 00000202C0B53E15

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: cbbbceb24f5ce54632a83b901a10a48b25b1590716be8934f9ae3d7b08fea1b1
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: AC115B21614F81C6F750CB52E89C31D66A4F788FE8F094267EA5E877A6CF38CD198740

Function 00000202C0AF3DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000202C0AF3DE5
GetLastError.KERNEL32 ref: 00000202C0AF3DF1
CloseHandle.KERNEL32 ref: 00000202C0AF3E09
CreateFileW.KERNEL32 ref: 00000202C0AF3E34
WriteConsoleW.KERNEL32 ref: 00000202C0AF3E53

Strings

CONOUT$, xrefs: 00000202C0AF3E15

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: b26ab6e85d4882431b05eb7ffbdc71b03f0f6e90507cbc4b46897213533c190b
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 91116D22314B40C6F7508B52E89C71D77A4F788FE8F154227EA5E877A6CF39C8188744

Function 00000202C0B43790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000202C0B4379E
GetCurrentProcess.KERNEL32 ref: 00000202C0B437CC
VirtualProtectEx.KERNEL32 ref: 00000202C0B437EE
GetCurrentProcess.KERNEL32 ref: 00000202C0B43809
VirtualProtectEx.KERNEL32 ref: 00000202C0B4382A

Strings

wr, xrefs: 00000202C0B437FF

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 3dd9236182729e1c9d45bc30feb16208763638e2466170d7b0defd25a75cf602
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: CF113C26704B41C2FF54DB61E48C66DA3A4FB48B99F4A042BDE8907796EF3DCA09C704

Function 00000202C0AE3790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000202C0AE379E
GetCurrentProcess.KERNEL32 ref: 00000202C0AE37CC
VirtualProtectEx.KERNEL32 ref: 00000202C0AE37EE
GetCurrentProcess.KERNEL32 ref: 00000202C0AE3809
VirtualProtectEx.KERNEL32 ref: 00000202C0AE382A

Strings

wr, xrefs: 00000202C0AE37FF

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: bcb637cd16c44afa16a89db43d108bf5c410f3b34640b7b1e1fa2b494dd30d53
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: E1115726304B81C2FB149B21E48C26D72B4FB88B85F06412BDF99037AAEF3EC509C704

Function 00000202C0B45B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000202C0B45B6B
GetThreadContext.KERNEL32 ref: 00000202C0B45CD5

Part of subcall function 00000202C0B45960: GetCurrentThreadId.KERNEL32 ref: 00000202C0B45964

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: 082a9d93261c48ee679b36a2734b52a2479ae609a7ebdf301e1be071b0282b61
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: C1D18936205F88C5EA70DB86E49835E77A0F798B88F150517EA8D47BA6DF38CA55CB00

Function 00000202C0AE5B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000202C0AE5B6B
GetThreadContext.KERNEL32 ref: 00000202C0AE5CD5

Part of subcall function 00000202C0AE5960: GetCurrentThreadId.KERNEL32 ref: 00000202C0AE5964

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: dbc3b65819fd6533e59164d32a3bb8f97f2c88b353aa9b524f2c9543e34d3ae7
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: 30D18776205B88C6EA70DB1AE49835E77A0F388B88F110517EADE47BA6DF3CC555CB40

Function 00000202C0B42F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000202C0B42F27
HeapAlloc.KERNEL32 ref: 00000202C0B42F3A
StrCmpNIW.SHLWAPI ref: 00000202C0B42FAF
GetProcessHeap.KERNEL32 ref: 00000202C0B43015
HeapFree.KERNEL32 ref: 00000202C0B43023

Strings

dialer, xrefs: 00000202C0B42FA8

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: b1ab9f40b1b022d4ca432ff24e07bc5572fa7a11743250ed673a526c4c5375f9
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: 3831BD22701F51C2FA54CF96E58C72D67A0FB64B88F4A41239F4847B57EF34C9A98300

Function 00000202C0AE2F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000202C0AE2F27
HeapAlloc.KERNEL32 ref: 00000202C0AE2F3A
StrCmpNIW.SHLWAPI ref: 00000202C0AE2FAF
GetProcessHeap.KERNEL32 ref: 00000202C0AE3015
HeapFree.KERNEL32 ref: 00000202C0AE3023

Strings

dialer, xrefs: 00000202C0AE2FA8

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 539d7fa312dabe0a02a4a36991552fccd56336bf33b53f387f86ad28829e058b
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: 18319D22701B91C2FA14CF16A98C72DA7A0FB44B84F0A41279F9847B67EF35C4B98740

Function 00000202C0B4CFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000202C0B4CFAF
FlsSetValue.KERNEL32(?,?,?,00000202C0B4D6B5,?,?,?,?,00000202C0B4D778), ref: 00000202C0B4CFE5
FlsSetValue.KERNEL32(?,?,?,00000202C0B4D6B5,?,?,?,?,00000202C0B4D778), ref: 00000202C0B4D012
FlsSetValue.KERNEL32(?,?,?,00000202C0B4D6B5,?,?,?,?,00000202C0B4D778), ref: 00000202C0B4D023
FlsSetValue.KERNEL32(?,?,?,00000202C0B4D6B5,?,?,?,?,00000202C0B4D778), ref: 00000202C0B4D034
SetLastError.KERNEL32 ref: 00000202C0B4D04F

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: eb53f131f87901231c0a27538f4d99e0b73b6215208e06d7d335de92b87f5561
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: E1117F20304790C1FE69E7B155DD32D2252ABA4BFCF170727A836477DBDE289E4D8200

Function 00000202C0AECFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000202C0AECFAF
FlsSetValue.KERNEL32(?,?,?,00000202C0AED6B5,?,?,?,?,00000202C0AED778), ref: 00000202C0AECFE5
FlsSetValue.KERNEL32(?,?,?,00000202C0AED6B5,?,?,?,?,00000202C0AED778), ref: 00000202C0AED012
FlsSetValue.KERNEL32(?,?,?,00000202C0AED6B5,?,?,?,?,00000202C0AED778), ref: 00000202C0AED023
FlsSetValue.KERNEL32(?,?,?,00000202C0AED6B5,?,?,?,?,00000202C0AED778), ref: 00000202C0AED034
SetLastError.KERNEL32 ref: 00000202C0AED04F

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: c83c6b407707b4dbc6b3b7b82b2caed50328515e1eb0a43fe36386d7293909be
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: 0A1163203013C0C6FE68A73555DD72D6242AB987F4F164727EAB7477E7EE68C86A8700

Function 00000202C0B4199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000202C0B419C2
K32GetModuleFileNameExW.KERNEL32 ref: 00000202C0B419E0
PathFindFileNameW.SHLWAPI ref: 00000202C0B419EF
lstrlenW.KERNEL32 ref: 00000202C0B419FB
StrCpyW.SHLWAPI ref: 00000202C0B41A0E
CloseHandle.KERNEL32 ref: 00000202C0B41A1C

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: a6561bdb165a881d15422f835cadb1e13ccb21f1502ce777dd17883e3612e1f0
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 8F013521700B41C2FA54DB52A88C36D63A9B788FC8F894477DE5953756DE38C9898700

Function 00000202C0AE199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000202C0AE19C2
K32GetModuleFileNameExW.KERNEL32 ref: 00000202C0AE19E0
PathFindFileNameW.SHLWAPI ref: 00000202C0AE19EF
lstrlenW.KERNEL32 ref: 00000202C0AE19FB
StrCpyW.SHLWAPI ref: 00000202C0AE1A0E
CloseHandle.KERNEL32 ref: 00000202C0AE1A1C

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: c1f12f185a365d98643c548e91b1e72bf4effc7dbd05845da70183f29bcaf82d
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: DD010532301B80C2FA649B52A89C75963A9B788FC4F894137DF9A43766DE39C989C740

Function 00000202C0B436C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000202C0B436E4
GetCurrentProcess.KERNEL32 ref: 00000202C0B436F2
VirtualProtectEx.KERNEL32 ref: 00000202C0B43714
GetCurrentProcess.KERNEL32 ref: 00000202C0B43732
VirtualProtectEx.KERNEL32 ref: 00000202C0B43753
TerminateThread.KERNEL32 ref: 00000202C0B43762

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 74fd01a74412d06a4f1fde6f711d275a3bc9d19be57d7f81b4b0cffb2d4478c7
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 8A012965711B41C2FB24DB62E88C75E63A4BB59B8AF0A0467CE49077A6EF3DC94C8700

Function 00000202C0AE36C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000202C0AE36E4
GetCurrentProcess.KERNEL32 ref: 00000202C0AE36F2
VirtualProtectEx.KERNEL32 ref: 00000202C0AE3714
GetCurrentProcess.KERNEL32 ref: 00000202C0AE3732
VirtualProtectEx.KERNEL32 ref: 00000202C0AE3753
TerminateThread.KERNEL32 ref: 00000202C0AE3762

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 164501a6415bffd66fe917e88f769ddc3ad1f1b40aa64bea97b79c9247d2f77e
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: B5012DB6611B40C2FB249B21E88C71E73A4BB45B86F154527CF9907766EF3EC55C8704

Function 00000202C0B48FE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000202C0B49013
_IsNonwritableInCurrentImage.LIBCMT ref: 00000202C0B490A8
RtlUnwindEx.NTDLL ref: 00000202C0B490F7

Strings

csm, xrefs: 00000202C0B4908E
f, xrefs: 00000202C0B49026

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction ID: cdf4f2fb1187d6a8dcbafb28738f89d68df44d9043d5a640eb90c02eb8421405
Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction Fuzzy Hash: 2B51BC32201702EAFB14CB55E88CB5D37A6F364B8CF128127DA565378AEB35CE49C708

Function 00000202C0AE8FE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000202C0AE9013
_IsNonwritableInCurrentImage.LIBCMT ref: 00000202C0AE90A8
RtlUnwindEx.NTDLL ref: 00000202C0AE90F7

Strings

f, xrefs: 00000202C0AE9026
csm, xrefs: 00000202C0AE908E

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction ID: 4b0a6f3e062a47a2f3e77ad4f28d0830188973ba44af3f5408a27d7634b4296d
Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction Fuzzy Hash: 6751BF32201B81CAFB94CF15E88CB5D3795F344B88F528227DBA64774AEB35C859C708

Function 00000202C0B41A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000202C0B41A60
StrCmpNIW.SHLWAPI ref: 00000202C0B41A7A
lstrlenW.KERNEL32 ref: 00000202C0B41A89
StrCpyW.SHLWAPI ref: 00000202C0B41A9E

Strings

\\?\, xrefs: 00000202C0B41A6E

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 020cede8a7a987332edfbf5aca9d92e432b968816ab88e3e30adde122549f28e
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: D2F03C22704741D2FB60CBA5E8CC75E6765F758BCCF854023DA4947956DE6CCA8DCB00

Function 00000202C0B43044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 00000202C0B43066
StrCpyW.SHLWAPI ref: 00000202C0B43076
StrCatW.SHLWAPI ref: 00000202C0B43082
PathCombineW.SHLWAPI ref: 00000202C0B43090

Strings

\\.\pipe\, xrefs: 00000202C0B4305C

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 5d9cbfb492b0178b2b911afb72d4c9bd8dfc2e2cf28399869c02c77398260dad
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: BBF08220708B81C2FE54CB57B99C21D6264AB48FD8F094173EE4607B1ADF3CC98D8704

Function 00000202C0B4BC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000202C0B4BCBD
GetProcAddress.KERNEL32 ref: 00000202C0B4BCD3
FreeLibrary.KERNEL32 ref: 00000202C0B4BCFA

Strings

mscoree.dll, xrefs: 00000202C0B4BCB4
CorExitProcess, xrefs: 00000202C0B4BCCC

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 645132413f0d5c41dbedb974bd271ef1814a753cdf3104992c7f24d066aaf9fd
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 73F06261311B05C1FB10CB64E4CC75D6320EB88769F55025BDA6A461E6CF2CC94CC740

Function 00000202C0AE3044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 00000202C0AE3066
StrCpyW.SHLWAPI ref: 00000202C0AE3076
StrCatW.SHLWAPI ref: 00000202C0AE3082
PathCombineW.SHLWAPI ref: 00000202C0AE3090

Strings

\\.\pipe\, xrefs: 00000202C0AE305C

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 748eaec06fdd8304175141e91d7fcb10eea3299cf276c1654e8c92baf0a6311d
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 6DF01C66718B84C2FA148B53B99C11D6665AB48FD0F0A9233EF5A4BB2ADF3DC45D8700

Function 00000202C0AEBC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000202C0AEBCBD
GetProcAddress.KERNEL32 ref: 00000202C0AEBCD3
FreeLibrary.KERNEL32 ref: 00000202C0AEBCFA

Strings

CorExitProcess, xrefs: 00000202C0AEBCCC
mscoree.dll, xrefs: 00000202C0AEBCB4

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: b1dae043e590163143f4e82ec39ab210fa29368e4bf0a17308b2a9fdf74dbffb
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 65F06262211B45C1FB108B24E8CC35E6360EB88765F55021BCB6A452F6DF3DC55C8700

Function 00000202C0B450D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000202C0B45156

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: 3fed152e6cff7dccc901cbea7ee32e5366edeb575043839d1dac5842a2deb3ef
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: 9802BB32619B84C6E760CB95E59835EB7A0F3D4794F110417EA8E87B6ADF7CC958CB00

Function 00000202C0AE50D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000202C0AE5156

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: cdd9b78ec5eaf04cb1b2f14923f4cedba8257b9bf05445ea44050982a578b50b
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: 6C02A432219B84C6EB60CB55F49875EB7A1F384794F110117EBDE87BAADB78C498CB00

Function 00000202C0B45710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000202C0B45726

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: 77d1f7d05a3ad9f64fc2c1a5073131f9b872f7803a0cba496c3396a3ccaf51c6
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: 61619736519B44C6F660CB95E58C31E77A0F398798F111117EA8D47BAADB78CA48CB00

Function 00000202C0AE5710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000202C0AE5726

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: 76b413ec14e38a6ac9e88e25468b0616ac705ba1cdb0ca70ff7d6d8fad0dbab9
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: 6061B676619B80C6F660CB15F48871E77A0F388794F110517EBDE47BAADB78C968CB40

Function 00000202C0AC3504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000202C0AC352C
_set_statfp.LIBCMT ref: 00000202C0AC3547
_set_statfp.LIBCMT ref: 00000202C0AC3563
_set_statfp.LIBCMT ref: 00000202C0AC359F

Memory Dump Source

Source File: 0000001F.00000002.3245272060.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 2438009d4eccd0bfdc5c9a2303f4341fa76b055f83bc79e43529a95e1e4287f6
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 5B112533A5CF09C9FAA42128E4CE37D10D07B59370F4B863BAB76163E7CA6AC84C4201

Function 00000202C0B54104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000202C0B5412C
_set_statfp.LIBCMT ref: 00000202C0B54147
_set_statfp.LIBCMT ref: 00000202C0B54163
_set_statfp.LIBCMT ref: 00000202C0B5419F

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: a27617d20751772c0d2e6d2b58e970e4ca10ba7ae22a2201759a8aa1afc7c419
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: EB112322A00F5091F6A49128D4DD36D88106B783FCF0B06A7A936276D7CB74CCCD6200

Function 00000202C0AF4104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000202C0AF412C
_set_statfp.LIBCMT ref: 00000202C0AF4147
_set_statfp.LIBCMT ref: 00000202C0AF4163
_set_statfp.LIBCMT ref: 00000202C0AF419F

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: aadaf6c08f9748136de9f6cbceaa287ca2a5a32013c1ebda6f4ef6558c209bf0
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: EE119E23A10B54A9F7641568E8DE36D11406B683F8F0A0727AB76076EB8B2AC8CD424C

Function 00000202C0ABF040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000202C0ABF124

Strings

Tuesday, xrefs: 00000202C0ABF0F4
or copy constructor iterator', xrefs: 00000202C0ABF25A, 00000202C0ABF275
Wednesday, xrefs: 00000202C0ABF1ED

Memory Dump Source

Source File: 0000001F.00000002.3245272060.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 26cf979074d90fcf05d85e544fcdcf7579b7cc95cef60043f929738aa5a5c4dc
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: F2610536600760C6FA69DB69E5CC76E6AA0F789780F5B8917CB0A177A7DB34C84DC300

Function 00000202C0B4AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000202C0B4AA68
_CallSETranslator.LIBVCRUNTIME ref: 00000202C0B4AAB7

Strings

MOC, xrefs: 00000202C0B4AA7C
RCC, xrefs: 00000202C0B4AA85

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 1082c6acd1cc596f15c131e8822e091c6a91a0a8de98abab672acc75df972cb0
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: EB613B32600B44CAFB50DFA5D48839D77A1F368B8CF154217EE4927B9ADB78DA59C700

Function 00000202C0AEAA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000202C0AEAA68
_CallSETranslator.LIBVCRUNTIME ref: 00000202C0AEAAB7

Strings

MOC, xrefs: 00000202C0AEAA7C
RCC, xrefs: 00000202C0AEAA85

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 558256b13703980bb35bc78ab76fb44dce15fdc78b8fdb1fb2b32ce49efec02f
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 36614832600B84CAFB20DF65D48839D77A0F399B88F154217EF9917B9ADB78D5A9C700

Function 00000202C0ABA178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000202C0ABA1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000202C0ABA288

Strings

csm, xrefs: 00000202C0ABA2DA
csm, xrefs: 00000202C0ABA1C2

Memory Dump Source

Source File: 0000001F.00000002.3245272060.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 19c43cd71e60161d93812c77d0e4ac8737510cff6eeb5711627b4654a467fa8f
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 44516D36104780CAFB748B25959C39C7BA0F365B94F1A8217DB998BBD7CB39D499C700

Function 00000202C0B4AD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000202C0B4ADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000202C0B4AE88

Strings

csm, xrefs: 00000202C0B4AEDA
csm, xrefs: 00000202C0B4ADC2

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 02eca69797dd3fc95978741111c5327d76f7dc405fd09751aa7a5e218e1104e0
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: B2514A72100380CAFB64CF9595CC35D77A0F364B99F164127EA9997AD6CB38DA99CB00

Function 00000202C0AEAD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000202C0AEADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000202C0AEAE88

Strings

csm, xrefs: 00000202C0AEADC2
csm, xrefs: 00000202C0AEAEDA

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 97304d35c4b486749e002e92b9cf81982149fd581c5d11b448b14438c7f928ed
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 44514C721007C0CAFB648B2595CC35D77A0F766B95F1A4217DBE947B96CB38E4A9CB00

Function 00000202C0AB8405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000202C0AB8413
_IsNonwritableInCurrentImage.LIBCMT ref: 00000202C0AB84A8

Strings

csm, xrefs: 00000202C0AB848E
f, xrefs: 00000202C0AB8426

Memory Dump Source

Source File: 0000001F.00000002.3245272060.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 8446a618bbd1140fecb175adc7a255fff733e8375c6260d7fd1f59283cc66251
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 1151AB32601700CAFB29CF29E48CB5D3795F354B98F568227DB164378AEB35D889C704

Function 00000202C0AB83E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000202C0AB8413
_IsNonwritableInCurrentImage.LIBCMT ref: 00000202C0AB84A8

Strings

csm, xrefs: 00000202C0AB848E
f, xrefs: 00000202C0AB8426

Memory Dump Source

Source File: 0000001F.00000002.3245272060.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 90803dd6b9b29f9c4154e969358d487dae67566bd5ce1f620f43925fcc542657
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 7F316A32201740D6FB299F29E88C75D7BA4F340B98F168117AF5A07786DB39C948C704

Function 00000202C0B52058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000202C0B520D7
WriteFile.KERNEL32 ref: 00000202C0B5239F
WriteFile.KERNEL32 ref: 00000202C0B523E5
GetLastError.KERNEL32 ref: 00000202C0B5249B

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: 8a758bb2884d5aaedfb3744de96242c17db80bcf3bb398f7e2c9eb2ed4567db6
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: 02D1BC32B15B80C9F711CFA9D4882AC3BB2E355B9CF154257CF59A7B9ADA34C90AC340

Function 00000202C0AF2058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000202C0AF20D7
WriteFile.KERNEL32 ref: 00000202C0AF239F
WriteFile.KERNEL32 ref: 00000202C0AF23E5
GetLastError.KERNEL32 ref: 00000202C0AF249B

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: 5415e984cde6a1f954e745032577872c235aef40fdbcb0d3a10d64624b9653db
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: 99D1BC73B14B80C9F721CFA9D48829C3BA1F354B98F158217CF5A97B9ADA39C54AC740

Function 00000202C0AE14A4 Relevance: 6.3, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000202C0AE14C5
HeapFree.KERNEL32 ref: 00000202C0AE14D4
GetProcessHeap.KERNEL32 ref: 00000202C0AE14E1
HeapFree.KERNEL32 ref: 00000202C0AE14F0
GetProcessHeap.KERNEL32 ref: 00000202C0AE1500

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: fccdced75e0e166058a65fb9f01cb5bc762ae8e924348a52df6b038ca287fb4d
Instruction ID: e1a4700da16e8d3ef1b17da53b22238d79ed5d8b917823312ea25b365b8a4f34
Opcode Fuzzy Hash: fccdced75e0e166058a65fb9f01cb5bc762ae8e924348a52df6b038ca287fb4d
Instruction Fuzzy Hash: 1E117977500B90C6F714DF62A88C14DB7A4F788F81F0A4127EB4903766DE39C0598744

Function 00000202C0B52980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 00000202C0B52A9C
GetLastError.KERNEL32 ref: 00000202C0B52B27

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: 4f66446779e12f263f25ce4e9c77a33638de583a08e4096a77af12e6fbb60eb3
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: 9A919C22701B50C5FB64DF6594DC3AD2BA0B756B8CF16419BDF0A67A96DA34C88AC700

Function 00000202C0AF2980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 00000202C0AF2A9C
GetLastError.KERNEL32 ref: 00000202C0AF2B27

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: 7750c07c3da3ab5777ee1fb19e88fe5ee8ba8c540cdc789170c23b37d6888931
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: D9918A73610B50C9FB61DF6594CC7AD2BA0B744B88F56410BDF4A67A96DB3AC88BC700

Function 00000202C0B47960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000202C0B4798C
GetCurrentThreadId.KERNEL32 ref: 00000202C0B4799A
GetCurrentProcessId.KERNEL32 ref: 00000202C0B479A6
QueryPerformanceCounter.KERNEL32 ref: 00000202C0B479B6

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 479f58a84b1af8cc552df62d3a1eb5b2e5cfb4fc25200f2b708c8a573a58311b
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 7F110A22710F418AFB40CBA0E8992AC33A4E719B58F451E22DA6D477A5DB78C5988280

Function 00000202C0AE7960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000202C0AE798C
GetCurrentThreadId.KERNEL32 ref: 00000202C0AE799A
GetCurrentProcessId.KERNEL32 ref: 00000202C0AE79A6
QueryPerformanceCounter.KERNEL32 ref: 00000202C0AE79B6

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: c1e121f40b66a15715f8d269b70c98ee374ca54bb48e74cdb6f3174d14493375
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 34111C22710B01C9FB00CB60E8983AC33A4F719B58F450E22DB6D467A5DB78C5988380

Function 00000202C0B4253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000202C0B42620
StrCpyW.SHLWAPI ref: 00000202C0B42639

Strings

\\.\pipe\, xrefs: 00000202C0B4262B

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 7d93dc7456e3ad94e783113e8cd02d63737e867bede78650b2f336d940fa284c
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: 0171C236200B81C5F764DFA5A8CC3AE6794F7A9B88F960117DE0953B8BDA35CF499700

Function 00000202C0AB9E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000202C0AB9EB7

Strings

MOC, xrefs: 00000202C0AB9E7C
RCC, xrefs: 00000202C0AB9E85

Memory Dump Source

Source File: 0000001F.00000002.3245272060.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: f3028f0bacb26f4c6116040a1e45f79bacc9d5a175de68b6d573a429fff7c7f3
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: B7614532A00B84CAFB24DF65D4883AD77A0F748B98F154217EF4917B9ADB38D599C704

Function 00000202C0B42330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000202C0B42416
StrCpyW.SHLWAPI ref: 00000202C0B4242D

Strings

\\.\pipe\, xrefs: 00000202C0B42421

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 5f314875d0c3bc3841964ba540442de661241415e68cd2692db0ecf16478f177
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: D651D322604B81C1F664DBA9A5EC3BE6651F7B5788F860127DF5903B4BDA39CE0C9740

Function 00000202C0AE2330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000202C0AE2416
StrCpyW.SHLWAPI ref: 00000202C0AE242D

Strings

\\.\pipe\, xrefs: 00000202C0AE2421

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 3514571e2c1d6cd3889b28a5e79674fb4b07f5075b2e224e86b20f94a4d05b12
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 2B5180322087C1C1F6649B29A5DC3BEA791F385B80F560127DFEA03B9BDA39C52D8750

Function 00000202C0B526F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000202C0B52807
GetLastError.KERNEL32 ref: 00000202C0B52829

Strings

U, xrefs: 00000202C0B527B3

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 33d0f85bed8054878330e124cb41046c1196a38989f2ae81037b8b67b1af0991
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: DC419132215B80C6EB20DF65E88C3AE67A0F799798F554023EE4D87795DB3CC945CB40

Function 00000202C0AF26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000202C0AF2807
GetLastError.KERNEL32 ref: 00000202C0AF2829

Strings

U, xrefs: 00000202C0AF27B3

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: b84669cd5d919c91a09ffca97e8587df6a0950af1a2baa035680203c31bd1311
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 93418E63614B80C6EB209F25E8883AEA7A0F798794F524023EF4D87795EB39C44AC740

Function 00000202C0B494A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000202C0B494F0
RaiseException.KERNEL32 ref: 00000202C0B49531

Strings

csm, xrefs: 00000202C0B4951E

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 08f9c71afd5e9278f51d521f771f4a89ae9865d7b896ade5cf211a61c0145b66
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: A0112B32214B8082FB61CB15E48835DB7E5F798B98F594262EE8C47B59DF3CC955CB04

Function 00000202C0AE94A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000202C0AE94F0
RaiseException.KERNEL32 ref: 00000202C0AE9531

Strings

csm, xrefs: 00000202C0AE951E

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 149d407967b934cd8ed689359ce0485475af0033eaf3f8f7976efa754672e473
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 8F112B36214B8082EB618B15E48835D77E5F788B94F594222EFCC077A9DF3DC569CB04

Function 00000202C0AB7356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00000202C0AB737C

Strings

riptor at (, xrefs: 00000202C0AB7364
ierarchy Descriptor', xrefs: 00000202C0AB7381

Memory Dump Source

Source File: 0000001F.00000002.3245272060.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 8da40ad284d153a9b89d1544e12ba7a913fe1935213764a8cba5128ad5ea2d85
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: A1E08661641B44D0EF018F31E88829C33A4DB58B64F9A91239A5C06312FA38D1EDC300

Function 00000202C0AB73B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00000202C0AB73D8

Strings

riptor at (, xrefs: 00000202C0AB73C0
Locator', xrefs: 00000202C0AB73DD

Memory Dump Source

Source File: 0000001F.00000002.3245272060.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 5205816057d34bf06f4ea810c880042c8f0231ff55e9ce8539c58bb0b426eeb2
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 30E08661601F44C0EF058F31D88419C73A4E758B54F8A9123DA4C06312EA38D1E9C300

Function 00000202C0B41BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000202C0B41C2D
HeapAlloc.KERNEL32 ref: 00000202C0B41C3B
GetProcessHeap.KERNEL32 ref: 00000202C0B41C77
HeapFree.KERNEL32 ref: 00000202C0B41C85

Part of subcall function 00000202C0B4152C: StrCmpIW.SHLWAPI ref: 00000202C0B4155D

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: f7db78db4812f02fdb92ec06a4f81ca507783c67906b6739e6c27fb9885f9b4a
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: 9D119D25A01F45C1FA44CBA6A88C22D63A0FB98FC8F0A4027CE4D57767DE38C8469300

Function 00000202C0AE1BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000202C0AE1C2D
HeapAlloc.KERNEL32 ref: 00000202C0AE1C3B
GetProcessHeap.KERNEL32 ref: 00000202C0AE1C77
HeapFree.KERNEL32 ref: 00000202C0AE1C85

Part of subcall function 00000202C0AE152C: StrCmpIW.SHLWAPI ref: 00000202C0AE155D

Memory Dump Source

Source File: 0000001F.00000002.3245368518.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: 0bfdd2f4f70d0c77588d297d632a834cc4e271defd7936f82574c36193d19b8d
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: 6C119A26601B94C1FA44CB66A88C22D63A0FBC8FC0F1A412BDF8D83766DF39C45AC300

Function 00000202C0B41268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000202C0B4126E
HeapAlloc.KERNEL32 ref: 00000202C0B4127D
GetProcessHeap.KERNEL32 ref: 00000202C0B41297
HeapAlloc.KERNEL32 ref: 00000202C0B412A8

Memory Dump Source

Source File: 0000001F.00000002.3245577181.00000202C0B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0B40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_202c0b40000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 06db176155879b138fcd680d50a070c95727c6bf2d194cd39e0c05b7c35e898b
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: FAE03935601B05C6FB44CB62D84C36E36E5EB99B0AF069026890907752DF7D889AC750

Analysis Process: sc.exePID: 180, Parent PID: 7432COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	98.5%
Signature Coverage:	3.3%
Total number of Nodes:	400
Total number of Limit Nodes:	19

Executed Functions

Function 000001BCD1C52B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000001BCD1C52BD0
lstrlenW.KERNEL32 ref: 000001BCD1C52E0A

Part of subcall function 000001BCD1C5199C: OpenProcess.KERNEL32 ref: 000001BCD1C519C2
Part of subcall function 000001BCD1C5199C: K32GetModuleFileNameExW.KERNEL32 ref: 000001BCD1C519E0
Part of subcall function 000001BCD1C5199C: PathFindFileNameW.SHLWAPI ref: 000001BCD1C519EF
Part of subcall function 000001BCD1C5199C: lstrlenW.KERNEL32 ref: 000001BCD1C519FB
Part of subcall function 000001BCD1C5199C: StrCpyW.SHLWAPI ref: 000001BCD1C51A0E
Part of subcall function 000001BCD1C5199C: CloseHandle.KERNEL32 ref: 000001BCD1C51A1C

GetProcAddress.KERNEL32 ref: 000001BCD1C52BE5

Part of subcall function 000001BCD1C5152C: StrCmpIW.SHLWAPI ref: 000001BCD1C5155D

Part of subcall function 000001BCD1C53844: StrCmpNIW.SHLWAPI ref: 000001BCD1C5385C

StrCmpNIW.SHLWAPI ref: 000001BCD1C52C28
lstrlenW.KERNEL32 ref: 000001BCD1C52D50

Strings

\Device\Nsi, xrefs: 000001BCD1C52C1B
NtQueryObject, xrefs: 000001BCD1C52BDB
ntdll.dll, xrefs: 000001BCD1C52BC9

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: d05a333c982ba5fba3f97a043a40714a25d828f198d9ab4ed3c54d8747d491cb
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 3AB1577A210A9082FB698FA7D4407E97BE5FBC4B85F845026EE8953B94EB74C840C7C0

Function 000001BCD1C51628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001BCD1C51633
HeapAlloc.KERNEL32 ref: 000001BCD1C51642

Part of subcall function 000001BCD1C51268: GetProcessHeap.KERNEL32 ref: 000001BCD1C5126E
Part of subcall function 000001BCD1C51268: HeapAlloc.KERNEL32 ref: 000001BCD1C5127D
Part of subcall function 000001BCD1C51268: GetProcessHeap.KERNEL32 ref: 000001BCD1C51297
Part of subcall function 000001BCD1C51268: HeapAlloc.KERNEL32 ref: 000001BCD1C512A8

RegOpenKeyExW.ADVAPI32 ref: 000001BCD1C516B2
RegOpenKeyExW.ADVAPI32 ref: 000001BCD1C516DF
RegCloseKey.ADVAPI32 ref: 000001BCD1C516F9
RegOpenKeyExW.ADVAPI32 ref: 000001BCD1C51719
RegCloseKey.ADVAPI32 ref: 000001BCD1C51734
RegOpenKeyExW.ADVAPI32 ref: 000001BCD1C51754
RegCloseKey.ADVAPI32 ref: 000001BCD1C5176F
RegOpenKeyExW.ADVAPI32 ref: 000001BCD1C5178F
RegCloseKey.ADVAPI32 ref: 000001BCD1C517AA
RegOpenKeyExW.ADVAPI32 ref: 000001BCD1C517CA
RegCloseKey.ADVAPI32 ref: 000001BCD1C517E5
RegOpenKeyExW.ADVAPI32 ref: 000001BCD1C51805
RegCloseKey.ADVAPI32 ref: 000001BCD1C51820
RegOpenKeyExW.ADVAPI32 ref: 000001BCD1C51840
RegCloseKey.ADVAPI32 ref: 000001BCD1C5185B
RegOpenKeyExW.ADVAPI32 ref: 000001BCD1C5187B
RegCloseKey.ADVAPI32 ref: 000001BCD1C51896
RegCloseKey.ADVAPI32 ref: 000001BCD1C518A0

Part of subcall function 000001BCD1C512BC: RegQueryInfoKeyW.ADVAPI32 ref: 000001BCD1C51319
Part of subcall function 000001BCD1C512BC: GetProcessHeap.KERNEL32 ref: 000001BCD1C51327
Part of subcall function 000001BCD1C512BC: HeapAlloc.KERNEL32 ref: 000001BCD1C51338
Part of subcall function 000001BCD1C512BC: RegEnumValueW.ADVAPI32 ref: 000001BCD1C51397
Part of subcall function 000001BCD1C512BC: GetProcessHeap.KERNEL32 ref: 000001BCD1C513DF
Part of subcall function 000001BCD1C512BC: HeapAlloc.KERNEL32 ref: 000001BCD1C513ED
Part of subcall function 000001BCD1C512BC: GetProcessHeap.KERNEL32 ref: 000001BCD1C5140A
Part of subcall function 000001BCD1C512BC: HeapFree.KERNEL32 ref: 000001BCD1C51418
Part of subcall function 000001BCD1C512BC: lstrlenW.KERNEL32 ref: 000001BCD1C51421
Part of subcall function 000001BCD1C512BC: GetProcessHeap.KERNEL32 ref: 000001BCD1C5142F
Part of subcall function 000001BCD1C512BC: HeapAlloc.KERNEL32 ref: 000001BCD1C5143D

Strings

startup, xrefs: 000001BCD1C516D5
udp, xrefs: 000001BCD1C51874
SOFTWARE\dialerconfig, xrefs: 000001BCD1C51692
paths, xrefs: 000001BCD1C51788
service_names, xrefs: 000001BCD1C517C3
tcp_remote, xrefs: 000001BCD1C51839
tcp_local, xrefs: 000001BCD1C517FE
process_names, xrefs: 000001BCD1C5174D
pid, xrefs: 000001BCD1C51712

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 01ac2c5092134dd36096d5d295ad76fba24dd1a466cb41b18abb95811e5f58e3
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: ED71C67A310A1186EB109FA7E89469937B4FBC4B88F801131DA8E57B69EF38C444C7C4

Function 000001BCD1C53790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 000001BCD1C5379E
GetCurrentProcess.KERNEL32 ref: 000001BCD1C537CC
VirtualProtectEx.KERNEL32 ref: 000001BCD1C537EE
GetCurrentProcess.KERNEL32 ref: 000001BCD1C53809
VirtualProtectEx.KERNEL32 ref: 000001BCD1C5382A

Strings

wr, xrefs: 000001BCD1C537FF

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 90d3a28f007a741cfcb336b6dcc52933a31de7d0d37ccf4c6b343569d7c401b3
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 6711153A704B5182FB149FA3E4082A976A0FBC8B85F840439DEC9077A4EF2DC505C784

Function 000001BCD1C55B30 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001BCD1C55B6B
GetThreadContext.KERNEL32 ref: 000001BCD1C55CD5

Part of subcall function 000001BCD1C55960: GetCurrentThreadId.KERNEL32 ref: 000001BCD1C55964

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
Instruction ID: 6066c0b7d61f9d60e1fb712472e23cb5fc6b4c2d72e6d37ea41e167f286e5204
Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
Instruction Fuzzy Hash: 7BD19E7A214B8881EA709F47E49539A7BA0F3C8B94F904126EACD47B65DF7CC551CB80

Function 000001BCD1C550D0 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001BCD1C55156

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
Instruction ID: c36acf949604b211d6fdf21c196f4e1029cc02e02fa3d194f74c7b027f7c6640
Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
Instruction Fuzzy Hash: 4C029836619B8486E760CF97E49439ABBA1F3C4794F504025EACE87BA9DF7CC454CB80

Function 000001BCD1C539E0 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 000001BCD1C53A66
VirtualAlloc.KERNEL32 ref: 000001BCD1C53AA0

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction ID: f6796d86e4e77f949a4a4fe2faf169f0bcf4ae90639d134cfbe91b85a3c0a92b
Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction Fuzzy Hash: 1C31213A619A8481FA319E97E45639E7AA0F3C8784F901935F5CD06B98DF7CC1808BC4

Function 000001BCD1C5328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001BCD1C532AE
PathFindFileNameW.SHLWAPI ref: 000001BCD1C532BD

Part of subcall function 000001BCD1C53844: StrCmpNIW.SHLWAPI ref: 000001BCD1C5385C

Part of subcall function 000001BCD1C53790: GetModuleHandleW.KERNEL32 ref: 000001BCD1C5379E
Part of subcall function 000001BCD1C53790: GetCurrentProcess.KERNEL32 ref: 000001BCD1C537CC
Part of subcall function 000001BCD1C53790: VirtualProtectEx.KERNEL32 ref: 000001BCD1C537EE
Part of subcall function 000001BCD1C53790: GetCurrentProcess.KERNEL32 ref: 000001BCD1C53809
Part of subcall function 000001BCD1C53790: VirtualProtectEx.KERNEL32 ref: 000001BCD1C5382A

CreateThread.KERNEL32 ref: 000001BCD1C5330B

Part of subcall function 000001BCD1C51D14: GetCurrentThread.KERNEL32 ref: 000001BCD1C51D1F

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: afe75270ec2b5700c406a9c603355c3aa0c1f2bf2f33749aad1568d7fec7976c
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: CC11967961464082F760AFE3F9093D93A94B7D4B44FD06935E9C6416A2EF78C045C2D4

Function 000001BCD1C54DF0 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000001BCD1C54DF4
VirtualProtect.KERNEL32 ref: 000001BCD1C54E37
FlushInstructionCache.KERNEL32 ref: 000001BCD1C54E4C

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
Instruction ID: 3c0994ed2f5c1428a120dda46a0ada8af2aff89624e5c937bf4c9a805fe57d09
Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
Instruction Fuzzy Hash: 4DF0A97A218B4480E620AF47E45179ABFA0E3C8BD4F945125BACD47B6ADB78C5908BC0

Function 000001BCD1A4273C Relevance: 3.2, APIs: 2, Instructions: 187
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001BCD1A427DB
LoadLibraryA.KERNELBASE ref: 000001BCD1A4285E

Memory Dump Source

Source File: 00000021.00000002.1899796319.000001BCD1A40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001BCD1A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1a40000_sc.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 542a02d16f05ed6dca357980163005bdb995391078f2596e142568b4dd5fa407
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 0861F33AB0169087EB588FD7A0007ADB792FB94B94F58813ADE5D47789DB38D852C7C0

Function 000001BCD1C5F948 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 000001BCD1C5F9C1
GetFileType.KERNEL32 ref: 000001BCD1C5F9D7

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: a07d0c2e6d1ea39fb6922406f7202b79799826504b1902530f517849248bbcbd
Instruction ID: 1f7a93c3bd0e00c7360ea21c0203bb61c51183da59c877c46574c5fcb55319d5
Opcode Fuzzy Hash: a07d0c2e6d1ea39fb6922406f7202b79799826504b1902530f517849248bbcbd
Instruction Fuzzy Hash: 67318136624F8491FB648F5795802A87A60F3C5BA0FA41319DBEA077E0CB34D491C3C1

Function 000001BCD1C51ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001BCD1C51628: GetProcessHeap.KERNEL32 ref: 000001BCD1C51633
Part of subcall function 000001BCD1C51628: HeapAlloc.KERNEL32 ref: 000001BCD1C51642
Part of subcall function 000001BCD1C51628: RegOpenKeyExW.ADVAPI32 ref: 000001BCD1C516B2
Part of subcall function 000001BCD1C51628: RegOpenKeyExW.ADVAPI32 ref: 000001BCD1C516DF
Part of subcall function 000001BCD1C51628: RegCloseKey.ADVAPI32 ref: 000001BCD1C516F9
Part of subcall function 000001BCD1C51628: RegOpenKeyExW.ADVAPI32 ref: 000001BCD1C51719
Part of subcall function 000001BCD1C51628: RegCloseKey.ADVAPI32 ref: 000001BCD1C51734
Part of subcall function 000001BCD1C51628: RegOpenKeyExW.ADVAPI32 ref: 000001BCD1C51754
Part of subcall function 000001BCD1C51628: RegCloseKey.ADVAPI32 ref: 000001BCD1C5176F
Part of subcall function 000001BCD1C51628: RegOpenKeyExW.ADVAPI32 ref: 000001BCD1C5178F
Part of subcall function 000001BCD1C51628: RegCloseKey.ADVAPI32 ref: 000001BCD1C517AA
Part of subcall function 000001BCD1C51628: RegOpenKeyExW.ADVAPI32 ref: 000001BCD1C517CA

Sleep.KERNEL32 ref: 000001BCD1C51AD7
SleepEx.KERNELBASE ref: 000001BCD1C51ADD

Part of subcall function 000001BCD1C51628: RegCloseKey.ADVAPI32 ref: 000001BCD1C517E5
Part of subcall function 000001BCD1C51628: RegOpenKeyExW.ADVAPI32 ref: 000001BCD1C51805
Part of subcall function 000001BCD1C51628: RegCloseKey.ADVAPI32 ref: 000001BCD1C51820
Part of subcall function 000001BCD1C51628: RegOpenKeyExW.ADVAPI32 ref: 000001BCD1C51840
Part of subcall function 000001BCD1C51628: RegCloseKey.ADVAPI32 ref: 000001BCD1C5185B
Part of subcall function 000001BCD1C51628: RegOpenKeyExW.ADVAPI32 ref: 000001BCD1C5187B
Part of subcall function 000001BCD1C51628: RegCloseKey.ADVAPI32 ref: 000001BCD1C51896
Part of subcall function 000001BCD1C51628: RegCloseKey.ADVAPI32 ref: 000001BCD1C518A0

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: aa44d2e9bf4104a99935bb868d9f216829476e3a0dfbabf6647c771211f225d0
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 3C31DFF920064151FF50AFA7DA493E93BA4EBC4BC4F8854319E8A87A95FF24C851C2D1

Function 000001BCD1C53844 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 000001BCD1C5385C

Strings

dialer, xrefs: 000001BCD1C53855

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction ID: cf09333a5a1bb853909f47eb0244b9b2e33e9836de0207be7d95d7a633cfd6d8
Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction Fuzzy Hash: 95D0A77831120696FF18DFE788C46E03750EBD4B44FC85031D99005160EB18898D97D0

Function 000001BCD1C5D6CC Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 000001BCD1C5D721

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
Instruction ID: 467119edc39383a683c3b1100c135098ee0a066a19dfbe254b1e0c50e1f488f4
Opcode Fuzzy Hash: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
Instruction Fuzzy Hash: 09F0677C3013C181FE686EE399113F53A805BC9BC0F8C5434698A863DAFF2CC48186E1

Non-executed Functions

Function 000001BCD1C57D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001BCD1C57DAC
RtlCaptureContext.NTDLL ref: 000001BCD1C57DD9
RtlLookupFunctionEntry.NTDLL ref: 000001BCD1C57DF3
RtlVirtualUnwind.NTDLL ref: 000001BCD1C57E34
IsDebuggerPresent.KERNEL32 ref: 000001BCD1C57E88
SetUnhandledExceptionFilter.KERNEL32 ref: 000001BCD1C57EA9
UnhandledExceptionFilter.KERNEL32 ref: 000001BCD1C57EB4

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: cb7c50271cf18f6e7caa7520c162003a4316df937d386e31c32c41dcbd150944
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 94313D76305B808AEB609FA2E8407ED7764F7C4744F84443ADA8D57B98EF38C548C790

Function 000001BCD1C5D2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001BCD1C5D31D
RtlLookupFunctionEntry.NTDLL ref: 000001BCD1C5D335
RtlVirtualUnwind.NTDLL ref: 000001BCD1C5D370
IsDebuggerPresent.KERNEL32 ref: 000001BCD1C5D3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 000001BCD1C5D3B3
UnhandledExceptionFilter.KERNEL32 ref: 000001BCD1C5D3BE

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 5cece4ac7da146059bd2600a1027b5ec39b1adf4d0a11915291de3d456e545cb
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 33314F3A214B8096EB60DF67E8403EE77A4F7C9794F900125EA9D43B69EF38C555CB80

Function 000001BCD1C512BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001BCD1C51319
GetProcessHeap.KERNEL32 ref: 000001BCD1C51327
HeapAlloc.KERNEL32 ref: 000001BCD1C51338
RegEnumValueW.ADVAPI32 ref: 000001BCD1C51397

Part of subcall function 000001BCD1C5152C: StrCmpIW.SHLWAPI ref: 000001BCD1C5155D

GetProcessHeap.KERNEL32 ref: 000001BCD1C513DF
HeapAlloc.KERNEL32 ref: 000001BCD1C513ED
GetProcessHeap.KERNEL32 ref: 000001BCD1C5140A
HeapFree.KERNEL32 ref: 000001BCD1C51418
lstrlenW.KERNEL32 ref: 000001BCD1C51421
GetProcessHeap.KERNEL32 ref: 000001BCD1C5142F
HeapAlloc.KERNEL32 ref: 000001BCD1C5143D
StrCpyW.SHLWAPI ref: 000001BCD1C5145F
GetProcessHeap.KERNEL32 ref: 000001BCD1C51476
HeapFree.KERNEL32 ref: 000001BCD1C51484

Strings

d, xrefs: 000001BCD1C5135A

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: 0cd94084df6b064f79f368a6586d4c1202fe616d19133fcdbfcfc11aafce0af3
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: 5B513A7A204B94C6EB54CFA3E54839ABBA1F7C9B99F844134DA8A47768DF38C045C780

Function 000001BCD1C51D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001BCD1C51D1F

Part of subcall function 000001BCD1C51FD4: GetModuleHandleA.KERNEL32 ref: 000001BCD1C51FEC
Part of subcall function 000001BCD1C51FD4: GetProcAddress.KERNEL32 ref: 000001BCD1C51FFD

Part of subcall function 000001BCD1C55B30: GetCurrentThreadId.KERNEL32 ref: 000001BCD1C55B6B

Strings

NtDeviceIoControlFile, xrefs: 000001BCD1C51E56
NtQueryDirectoryFile, xrefs: 000001BCD1C51D7F
advapi32.dll, xrefs: 000001BCD1C51DF7, 000001BCD1C51E18
NtEnumerateKey, xrefs: 000001BCD1C51DB9
sechost.dll, xrefs: 000001BCD1C51E39
EnumServicesStatusExW, xrefs: 000001BCD1C51E11, 000001BCD1C51E32
ntdll.dll, xrefs: 000001BCD1C51D2D
NtResumeThread, xrefs: 000001BCD1C51D62
NtQueryDirectoryFileEx, xrefs: 000001BCD1C51D9C
NtEnumerateValueKey, xrefs: 000001BCD1C51DD6
NtQuerySystemInformation, xrefs: 000001BCD1C51D45
EnumServiceGroupW, xrefs: 000001BCD1C51DF0

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: a514b04ed950f135d6c7cf665c84b250e4d695d3b28148c32f7b947a3af317fe
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: B4316FBC610A4AA0FA04EFEBE8557E87761B7E4344FC05133E4C91697AAF788649C3D0

Function 000001BCD1A46910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001BCD1A46938
__scrt_acquire_startup_lock.LIBCMT ref: 000001BCD1A4698A
_RTC_Initialize.LIBCMT ref: 000001BCD1A469B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001BCD1A469DE
__scrt_release_startup_lock.LIBCMT ref: 000001BCD1A46A09

Strings

scriptor', xrefs: 000001BCD1A46B39, 000001BCD1A46BB2, 000001BCD1A46BEC
`dynamic initializer for ', xrefs: 000001BCD1A469C7
`eh vector vbase copy constructor iterator', xrefs: 000001BCD1A469EE
`eh vector copy constructor iterator', xrefs: 000001BCD1A46A3B

Memory Dump Source

Source File: 00000021.00000002.1899796319.000001BCD1A40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001BCD1A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1a40000_sc.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: f3ad53c2c43eebfc49edee9ed4f98041e5eb84a8c79eed8ea17f4e783725c732
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 4E81EDBD7046418AFB60ABE798413D972E1EFC5B80F54843D9A4D83797DB78C88687C0

Function 000001BCD1C5CE28 Relevance: 18.1, APIs: 12, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001BCD1C5CE37
FlsGetValue.KERNEL32(?,?,?,000001BCD1C60A6B,?,?,?,000001BCD1C6045C,?,?,?,000001BCD1C5C84F), ref: 000001BCD1C5CE4C
FlsSetValue.KERNEL32(?,?,?,000001BCD1C60A6B,?,?,?,000001BCD1C6045C,?,?,?,000001BCD1C5C84F), ref: 000001BCD1C5CE6D
FlsSetValue.KERNEL32(?,?,?,000001BCD1C60A6B,?,?,?,000001BCD1C6045C,?,?,?,000001BCD1C5C84F), ref: 000001BCD1C5CE9A
FlsSetValue.KERNEL32(?,?,?,000001BCD1C60A6B,?,?,?,000001BCD1C6045C,?,?,?,000001BCD1C5C84F), ref: 000001BCD1C5CEAB
FlsSetValue.KERNEL32(?,?,?,000001BCD1C60A6B,?,?,?,000001BCD1C6045C,?,?,?,000001BCD1C5C84F), ref: 000001BCD1C5CEBC
SetLastError.KERNEL32 ref: 000001BCD1C5CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001BCD1C60A6B,?,?,?,000001BCD1C6045C,?,?,?,000001BCD1C5C84F), ref: 000001BCD1C5CF0D
FlsSetValue.KERNEL32(?,?,00000001,000001BCD1C5ECCC,?,?,?,?,000001BCD1C5BF9F,?,?,?,?,?,000001BCD1C57AB0), ref: 000001BCD1C5CF2C

Part of subcall function 000001BCD1C5D6CC: HeapAlloc.KERNEL32 ref: 000001BCD1C5D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001BCD1C60A6B,?,?,?,000001BCD1C6045C,?,?,?,000001BCD1C5C84F), ref: 000001BCD1C5CF54

Part of subcall function 000001BCD1C5D744: HeapFree.KERNEL32 ref: 000001BCD1C5D75A
Part of subcall function 000001BCD1C5D744: GetLastError.KERNEL32 ref: 000001BCD1C5D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001BCD1C60A6B,?,?,?,000001BCD1C6045C,?,?,?,000001BCD1C5C84F), ref: 000001BCD1C5CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001BCD1C60A6B,?,?,?,000001BCD1C6045C,?,?,?,000001BCD1C5C84F), ref: 000001BCD1C5CF76

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: cd5d6e8f0fad67b358bacb70bcfd8487f712e5326794a84e057654ee6b5aa618
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: AC41917C30168441FA69AFF365553FD3A8A6BC57B0FD40734A8B646AE6EF688401D2C4

Function 000001BCD1C52244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001BCD1C52259
GetCurrentProcessId.KERNEL32 ref: 000001BCD1C52263

Part of subcall function 000001BCD1C51934: OpenProcess.KERNEL32 ref: 000001BCD1C51952
Part of subcall function 000001BCD1C51934: IsWow64Process.KERNEL32 ref: 000001BCD1C51968
Part of subcall function 000001BCD1C51934: CloseHandle.KERNEL32 ref: 000001BCD1C51983

CreateFileW.KERNEL32 ref: 000001BCD1C522BC
WriteFile.KERNEL32 ref: 000001BCD1C522E4
ReadFile.KERNEL32 ref: 000001BCD1C52303
CloseHandle.KERNEL32 ref: 000001BCD1C5230C

Strings

\\.\pipe\dialerchildproc64, xrefs: 000001BCD1C5228C
\\.\pipe\dialerchildproc32, xrefs: 000001BCD1C52293

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 87ab544991aa0c7d3b919c88fb863f1e25f6e682031baa33495b26f21cc7bae2
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: B7214F7A614750D3FB108B67F44439977A0F7C9BA4F900225EA9903BA8DF7CC149CB80

Function 000001BCD1A49944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001BCD1A499A1

Part of subcall function 000001BCD1A4A814: __GetUnwindTryBlock.LIBCMT ref: 000001BCD1A4A857
Part of subcall function 000001BCD1A4A814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001BCD1A4A87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001BCD1A49A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001BCD1A49CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001BCD1A49DDA

Strings

csm, xrefs: 000001BCD1A49A22
csm, xrefs: 000001BCD1A49A9C
csm, xrefs: 000001BCD1A499BB

Memory Dump Source

Source File: 00000021.00000002.1899796319.000001BCD1A40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001BCD1A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1a40000_sc.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: dc3ffedd7be6135a8f84524b875be16d075b61f901a1e0accb126579295e3a62
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 60E15D7A704B408AEB60DBA7E4813DD77A0FB99798F100129EE8D57B99CB34C5A5C7C0

Function 000001BCD1C5A544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001BCD1C5A5A1

Part of subcall function 000001BCD1C5B414: __GetUnwindTryBlock.LIBCMT ref: 000001BCD1C5B457
Part of subcall function 000001BCD1C5B414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001BCD1C5B47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001BCD1C5A679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001BCD1C5A8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001BCD1C5A9DA

Strings

csm, xrefs: 000001BCD1C5A69C
csm, xrefs: 000001BCD1C5A622
csm, xrefs: 000001BCD1C5A5BB

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: dda4581b91390d50fd505f312e6ce950d8bf0113295912c3ed4c669a5070e927
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: FBE15A7A604B808AFB609FA794813DD7BB0F7C5B98F901126EE8957B99CB34D581C7C0

Function 000001BCD1C5F394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 000001BCD1C5F510
GetProcAddress.KERNEL32 ref: 000001BCD1C5F51C

Strings

ext-ms-, xrefs: 000001BCD1C5F46D
api-ms-, xrefs: 000001BCD1C5F45A

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: bd7468ecc3075ae6703e5c0e396d292525452fa1392328e77e73dac6b2595531
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: 8F41D23A311A1091FB1ADF97A8047DA3B95B7C5BE0F8941399D8A87B94EF38C44583D4

Function 000001BCD1C5104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001BCD1C510B1
RegEnumValueW.ADVAPI32 ref: 000001BCD1C51117
GetProcessHeap.KERNEL32 ref: 000001BCD1C5115A
HeapAlloc.KERNEL32 ref: 000001BCD1C51168
GetProcessHeap.KERNEL32 ref: 000001BCD1C51185
HeapFree.KERNEL32 ref: 000001BCD1C51193

Strings

d, xrefs: 000001BCD1C510D6

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: 98dee0f894475cc11224a75294316e954d586124f76d55c0334b949f66a8bf41
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: F0416177214B84D6E760CFA3E44879EB7A1F3C9B98F448129DA8A47758DF38C545CB80

Function 000001BCD1C5D068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000001BCD1C5C7DE,?,?,?,?,?,?,?,?,000001BCD1C5CF9D,?,?,00000001), ref: 000001BCD1C5D087
FlsSetValue.KERNEL32(?,?,?,000001BCD1C5C7DE,?,?,?,?,?,?,?,?,000001BCD1C5CF9D,?,?,00000001), ref: 000001BCD1C5D0A6
FlsSetValue.KERNEL32(?,?,?,000001BCD1C5C7DE,?,?,?,?,?,?,?,?,000001BCD1C5CF9D,?,?,00000001), ref: 000001BCD1C5D0CE
FlsSetValue.KERNEL32(?,?,?,000001BCD1C5C7DE,?,?,?,?,?,?,?,?,000001BCD1C5CF9D,?,?,00000001), ref: 000001BCD1C5D0DF
FlsSetValue.KERNEL32(?,?,?,000001BCD1C5C7DE,?,?,?,?,?,?,?,?,000001BCD1C5CF9D,?,?,00000001), ref: 000001BCD1C5D0F0

Strings

1%, xrefs: 000001BCD1C5D0CE
Y%, xrefs: 000001BCD1C5D0A6

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: aa9fd13002c91e3e5443b91cf8a9b501dc5c707d52d4c24a7b571156d9d911db
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: B0115E787043C441FA69AFF769513FA7A456BC47F0F944335B8B946AEAEF68C40282C0

Function 000001BCD1C57510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001BCD1C57538
__scrt_acquire_startup_lock.LIBCMT ref: 000001BCD1C5758A
_RTC_Initialize.LIBCMT ref: 000001BCD1C575B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001BCD1C575DE
__scrt_release_startup_lock.LIBCMT ref: 000001BCD1C57609

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 89809f20474930eea10c375e54a862b82fa1e7374107c0d0cc97752a0fe43581
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: FB81B17D70874186FB50AFE7A8413D93A90A7C5B80FD48435EAC8577A6EB78C8C587D0

Function 000001BCD1C59DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000001BCD1C59E49
GetLastError.KERNEL32 ref: 000001BCD1C59E57
LoadLibraryExW.KERNEL32 ref: 000001BCD1C59E81
FreeLibrary.KERNEL32 ref: 000001BCD1C59EC7
GetProcAddress.KERNEL32 ref: 000001BCD1C59ED3

Strings

api-ms-, xrefs: 000001BCD1C59E69

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 754351f774d391fa4bc8b6c2fb333c2db4e586ed2ae7462568f5d3ced677ad3b
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 82319039212A40E1FE129F83A8407E576A4B7C8BA0F990535DD9E4B795EF79C445D3C0

Function 000001BCD1C63DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001BCD1C63DE5
GetLastError.KERNEL32 ref: 000001BCD1C63DF1
CloseHandle.KERNEL32 ref: 000001BCD1C63E09
CreateFileW.KERNEL32 ref: 000001BCD1C63E34
WriteConsoleW.KERNEL32 ref: 000001BCD1C63E53

Strings

CONOUT$, xrefs: 000001BCD1C63E15

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: dbf7ec4c39588342bf5d8ab45c4a258394197e66eac7007fc86242a1a95836e9
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 19118F35314B9086E7909B93E84439976A0F7C8FE5F844234EA9E877A4CF78C814C7C4

Function 000001BCD1C52F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001BCD1C52F27
HeapAlloc.KERNEL32 ref: 000001BCD1C52F3A
StrCmpNIW.SHLWAPI ref: 000001BCD1C52FAF
GetProcessHeap.KERNEL32 ref: 000001BCD1C53015
HeapFree.KERNEL32 ref: 000001BCD1C53023

Strings

dialer, xrefs: 000001BCD1C52FA8

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: edf77c70241982b1f7d5d7dfe79faed16f854eda5b1519b9a32a24e3e211bc8c
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: D4318F3A701B61C2FA14DF97A5407AD7BA0FBC4B80F8841309E8847B65EB34C46183C0

Function 000001BCD1C5CFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001BCD1C5CFAF
FlsSetValue.KERNEL32(?,?,?,000001BCD1C5D6B5,?,?,?,?,000001BCD1C5D778), ref: 000001BCD1C5CFE5
FlsSetValue.KERNEL32(?,?,?,000001BCD1C5D6B5,?,?,?,?,000001BCD1C5D778), ref: 000001BCD1C5D012
FlsSetValue.KERNEL32(?,?,?,000001BCD1C5D6B5,?,?,?,?,000001BCD1C5D778), ref: 000001BCD1C5D023
FlsSetValue.KERNEL32(?,?,?,000001BCD1C5D6B5,?,?,?,?,000001BCD1C5D778), ref: 000001BCD1C5D034
SetLastError.KERNEL32 ref: 000001BCD1C5D04F

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: dc349978f5670bfa46ec08554c66a0873461c150422d846f5a3977b034fcd8c1
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: DD11727830178041FA69ABF365553FD39456BC47F0F940734A8B647BEAEF68840282C0

Function 000001BCD1C5199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001BCD1C519C2
K32GetModuleFileNameExW.KERNEL32 ref: 000001BCD1C519E0
PathFindFileNameW.SHLWAPI ref: 000001BCD1C519EF
lstrlenW.KERNEL32 ref: 000001BCD1C519FB
StrCpyW.SHLWAPI ref: 000001BCD1C51A0E
CloseHandle.KERNEL32 ref: 000001BCD1C51A1C

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: c386474787aa6933925b8a5438cd3ec1fdd67d329e267e130f116d0aab976197
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 22011779304A5082EA54DB93A85879977A5F7C8FC4F884035DE9943765DF38C989C7C0

Function 000001BCD1C536C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001BCD1C536E4
GetCurrentProcess.KERNEL32 ref: 000001BCD1C536F2
VirtualProtectEx.KERNEL32 ref: 000001BCD1C53714
GetCurrentProcess.KERNEL32 ref: 000001BCD1C53732
VirtualProtectEx.KERNEL32 ref: 000001BCD1C53753
TerminateThread.KERNEL32 ref: 000001BCD1C53762

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 7f82c2a2bf44ab52d68f4d3963c77eea973b3d15bf33db869bf70c498a2b648e
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 90011779711B5082FB24AFA3E80879976B0BBD9B86F840435CA8907765EF3DC508C7C4

Function 000001BCD1C58FE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001BCD1C59013
_IsNonwritableInCurrentImage.LIBCMT ref: 000001BCD1C590A8
RtlUnwindEx.NTDLL ref: 000001BCD1C590F7

Strings

f, xrefs: 000001BCD1C59026
csm, xrefs: 000001BCD1C5908E

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction ID: 1268771c1cdeac38a1c60cd09911352a94d6d2a4eff7dfe164bef70a5efdc432
Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction Fuzzy Hash: B951B13A70162086FB14CFA7E848B9A3BB6F3C5B88F908578DA8647748DB35D841C7C0

Function 000001BCD1C51A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001BCD1C51A60
StrCmpNIW.SHLWAPI ref: 000001BCD1C51A7A
lstrlenW.KERNEL32 ref: 000001BCD1C51A89
StrCpyW.SHLWAPI ref: 000001BCD1C51A9E

Strings

\\?\, xrefs: 000001BCD1C51A6E

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 7166b35ec4381c27a8016a5a6b8b7d3d8f50b00352c217060b318a3188eca9b3
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 4AF03C7630464192FB608FA3E99879977A4F7C8B88FC44030DA8946968DB2CC68DCB80

Function 000001BCD1C5BC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001BCD1C5BCBD
GetProcAddress.KERNEL32 ref: 000001BCD1C5BCD3
FreeLibrary.KERNEL32 ref: 000001BCD1C5BCFA

Strings

CorExitProcess, xrefs: 000001BCD1C5BCCC
mscoree.dll, xrefs: 000001BCD1C5BCB4

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: a41697689ce1db07d849de8d0b7d09a9c9585c3a570d8621b9886e153cce2b92
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 7DF06D79315B0481FB108FA7E8443A97761EBC8BA1F940639CAAA462F4DF2CC44883C0

Function 000001BCD1C53044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000001BCD1C53066
StrCpyW.SHLWAPI ref: 000001BCD1C53076
StrCatW.SHLWAPI ref: 000001BCD1C53082
PathCombineW.SHLWAPI ref: 000001BCD1C53090

Strings

\\.\pipe\, xrefs: 000001BCD1C5305C

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: ec359e8c3c4444a04fcb2136c1c6143eed156079988b0994e9e1dd23490aa72b
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 6AF01C79718B9492FA148F93B9141A9B765ABC8FD0F889530EECA47B28DF3CC44587C0

Function 000001BCD1C55710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001BCD1C55726

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
Instruction ID: d628f06bde31bb536df89e2d6ff08988130edc6fd31b399efeb5242da1f24985
Opcode Fuzzy Hash: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
Instruction Fuzzy Hash: 2F61967A629B84C6E6609F97E44535ABBE0F3C8794F901125EACD47BA8DB7CC540CB80

Function 000001BCD1A53504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001BCD1A5352C
_set_statfp.LIBCMT ref: 000001BCD1A53547
_set_statfp.LIBCMT ref: 000001BCD1A53563
_set_statfp.LIBCMT ref: 000001BCD1A5359F

Memory Dump Source

Source File: 00000021.00000002.1899796319.000001BCD1A40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001BCD1A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1a40000_sc.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 3b635bc33490eb704288c27dd4b0567c774bf5fea7b6f2755d2882dbc5ec9097
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 6B11A33AB1CA1119FA641FFBE4413F931916FD8378F589E38A96E062D6CB64C84541C0

Function 000001BCD1C64104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001BCD1C6412C
_set_statfp.LIBCMT ref: 000001BCD1C64147
_set_statfp.LIBCMT ref: 000001BCD1C64163
_set_statfp.LIBCMT ref: 000001BCD1C6419F

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 2f756b5d1dab308e2be03f7f1780f4d4bd4eb1bdf2a6ca241fc008834a17543b
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: A411733EB10A5195F66415EBD4553E931416BFC3B8FD80635EAF6476F7CB24C84182C0

Function 000001BCD1A4F040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001BCD1A4F124

Strings

or copy constructor iterator', xrefs: 000001BCD1A4F25A, 000001BCD1A4F275
Tuesday, xrefs: 000001BCD1A4F0F4
Wednesday, xrefs: 000001BCD1A4F1ED

Memory Dump Source

Source File: 00000021.00000002.1899796319.000001BCD1A40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001BCD1A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1a40000_sc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 670aac7ff2739436ab79071742e5fd9beb135b43e6854523b0722b135d802227
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 8261A03E70464082FA699BEFE5447EA77A1EFC6790F55643ECA0E137A5DB34C84182C0

Function 000001BCD1C5AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001BCD1C5AA68
_CallSETranslator.LIBVCRUNTIME ref: 000001BCD1C5AAB7

Strings

RCC, xrefs: 000001BCD1C5AA85
MOC, xrefs: 000001BCD1C5AA7C

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 433bdf2299ba3c16a6f8e1b87e578c31a00048dbdd6840f16e6794cb1e064cdd
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: BB61493A600B848AFB10DFA7D4403DD7BA0F3D4B88F544225EE8917B98DB38D595C780

Function 000001BCD1A4A178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001BCD1A4A1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001BCD1A4A288

Strings

csm, xrefs: 000001BCD1A4A2DA
csm, xrefs: 000001BCD1A4A1C2

Memory Dump Source

Source File: 00000021.00000002.1899796319.000001BCD1A40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001BCD1A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1a40000_sc.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 2847a346a743ad894c02e16c16aa94a450984056b91805539ee9976e8136bb06
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: BA517D3A304780CAEB648F97944439877A0FBD5B98F18412EDA9E87B95DB78D450C7C0

Function 000001BCD1C5AD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001BCD1C5ADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001BCD1C5AE88

Strings

csm, xrefs: 000001BCD1C5ADC2
csm, xrefs: 000001BCD1C5AEDA

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 3c3500babf2e6c1bc49e4afd37c9242dabe8e97b22d3b642fa4921ec8c538219
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: D7517C7A1002808BFB648FA7A58439D7BA0F3D4B85F984226DAD947BD5CB38D4A1C7C1

Function 000001BCD1A48405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001BCD1A48413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001BCD1A484A8

Strings

f, xrefs: 000001BCD1A48426
csm, xrefs: 000001BCD1A4848E

Memory Dump Source

Source File: 00000021.00000002.1899796319.000001BCD1A40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001BCD1A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1a40000_sc.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: f849cf96769beae90525c500df3fd892d5e6e67addcf8fa5bfde38ab2d7aebfa
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 7351AA3A7016008AEB14DFE7F444B9937A5FB94B98F508138DA1E4B78CEB34D94187C5

Function 000001BCD1A483E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001BCD1A48413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001BCD1A484A8

Strings

f, xrefs: 000001BCD1A48426
csm, xrefs: 000001BCD1A4848E

Memory Dump Source

Source File: 00000021.00000002.1899796319.000001BCD1A40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001BCD1A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1a40000_sc.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 61920456fc05d40141ad69a206ee7df6182a9df0eb17a53c0cd6ed4d15f2dcd6
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 3831893A301640D6E714DFA3F844B9977A4FB81B98F158028EE5E4B78ADB38C940C7C5

Function 000001BCD1C62058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001BCD1C620D7
WriteFile.KERNEL32 ref: 000001BCD1C6239F
WriteFile.KERNEL32 ref: 000001BCD1C623E5
GetLastError.KERNEL32 ref: 000001BCD1C6249B

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: a7b4dc228e714544a523453acd45d5901d7d55963ebe3be6d7d988616df8c095
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: BFD1AE36714A8089E711CFABD4403EC3BB5E7D4798F944226DE99A7BA9DB34C506C3C0

Function 000001BCD1C514A4 Relevance: 6.3, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001BCD1C514C5
HeapFree.KERNEL32 ref: 000001BCD1C514D4
GetProcessHeap.KERNEL32 ref: 000001BCD1C514E1
HeapFree.KERNEL32 ref: 000001BCD1C514F0
GetProcessHeap.KERNEL32 ref: 000001BCD1C51500

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
Instruction ID: 8775c5f926e1f505e1b6e6cda5386908513c62e785b971431f5d18ed21c11495
Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
Instruction Fuzzy Hash: 0211397A605AA0D6E714DFE7A8041897BA0F7C9F85F484039EA8953726DF38C45187C0

Function 000001BCD1C62980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000001BCD1C62A9C
GetLastError.KERNEL32 ref: 000001BCD1C62B27

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: ca0ce9996baaff330da1e53df5d8565370f87feaaa8350a3055108761943fcd7
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: CC91D37A71065095F760DFE794803ED3BA0F7C4B88F944129DE8A67AA5DB35C482C7C0

Function 000001BCD1C57960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001BCD1C5798C
GetCurrentThreadId.KERNEL32 ref: 000001BCD1C5799A
GetCurrentProcessId.KERNEL32 ref: 000001BCD1C579A6
QueryPerformanceCounter.KERNEL32 ref: 000001BCD1C579B6

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 5a456b094f7aa9961e2d30b1efa271ae25bb3750d13dbcef16db914297969ccb
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: AD11F136710F558AEB00DFA2E8553A833A4F799768F841E35DAAD467A4DF78C19483C0

Function 000001BCD1C5253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001BCD1C52620
StrCpyW.SHLWAPI ref: 000001BCD1C52639

Strings

\\.\pipe\, xrefs: 000001BCD1C5262B

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 06eb67675ddcb6b688bd96a6737b65d5e075df80e6ebe714ed00dbbc85cc9470
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: 8071493A20078186F665DEABD8543EE7AE4F3C9B84F940036DE8A53B99DF35C64587C0

Function 000001BCD1A49E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001BCD1A49EB7

Strings

RCC, xrefs: 000001BCD1A49E85
MOC, xrefs: 000001BCD1A49E7C

Memory Dump Source

Source File: 00000021.00000002.1899796319.000001BCD1A40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001BCD1A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1a40000_sc.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 7621f11ec4b82eb0b9b88a2f1633353eb926fb48888cacc37e74c0432fddc889
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 7761497A704B848AEB20DFA6D4403DD77A0FB88B98F144229EF4D17B99DB38D555C780

Function 000001BCD1C52330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001BCD1C52416
StrCpyW.SHLWAPI ref: 000001BCD1C5242D

Strings

\\.\pipe\, xrefs: 000001BCD1C52421

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 9ac073f59158b3e311a714802218aa4bcaa05ae54c646f602c4069b6be08b812
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: B1519B3A208781C1F6659EABA4583EEBEA1F3D5784FC50135DEDA03B99DB39C50587C0

Function 000001BCD1C626F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001BCD1C62807
GetLastError.KERNEL32 ref: 000001BCD1C62829

Strings

U, xrefs: 000001BCD1C627B3

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 99f1cd211d0daf3aed4a0f1ba7825464446bba2b73d8ad5350d0e14e54517ab8
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 14418E36615A8082EB209FA7E8447EA77A0F7D8794F804031EE8D87794EB7CC541C7C0

Function 000001BCD1C594A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001BCD1C594F0
RaiseException.KERNEL32 ref: 000001BCD1C59531

Strings

csm, xrefs: 000001BCD1C5951E

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 211e18fc2e298a42b0e5179e3e94b04c5711369d6f1f8bea9e5615c415c63c6a
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 49112B36215B8082EB618F16E4403997BE5F7C8B98F984264EECD07768DF3CC551CB80

Function 000001BCD1A47356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001BCD1A4737C

Strings

ierarchy Descriptor', xrefs: 000001BCD1A47381
riptor at (, xrefs: 000001BCD1A47364

Memory Dump Source

Source File: 00000021.00000002.1899796319.000001BCD1A40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001BCD1A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1a40000_sc.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 84601581766406e4103af2e752caa392bd9f2e546794b2924008d1afd2920d6e
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 79E04F61741B44D0EB018FA2E8502D833A09FA9B64B489122995C46311EB3CD1E9C380

Function 000001BCD1A473B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001BCD1A473D8

Strings

Locator', xrefs: 000001BCD1A473DD
riptor at (, xrefs: 000001BCD1A473C0

Memory Dump Source

Source File: 00000021.00000002.1899796319.000001BCD1A40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001BCD1A40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1a40000_sc.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: e2940e26e5169b26626d92a68424b96ffc768aab94a2daa79b8947f8330aec09
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: F6E08671701B44D0EF018FA2E4501D87360EB99B54B889132D94C46311EB3CD1E5C380

Function 000001BCD1C51BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001BCD1C51C2D
HeapAlloc.KERNEL32 ref: 000001BCD1C51C3B
GetProcessHeap.KERNEL32 ref: 000001BCD1C51C77
HeapFree.KERNEL32 ref: 000001BCD1C51C85

Part of subcall function 000001BCD1C5152C: StrCmpIW.SHLWAPI ref: 000001BCD1C5155D

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: 6fd7da8fd15465ed27910d1843c648c4532b220a094719aab574ed57b121e072
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: 5E112879601B5481FA549FA7A8082A977A1FBC9FC0F984038DE8D97766DF79D44283C0

Function 000001BCD1C51268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001BCD1C5126E
HeapAlloc.KERNEL32 ref: 000001BCD1C5127D
GetProcessHeap.KERNEL32 ref: 000001BCD1C51297
HeapAlloc.KERNEL32 ref: 000001BCD1C512A8

Memory Dump Source

Source File: 00000021.00000002.1900153222.000001BCD1C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BCD1C50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_1bcd1c50000_sc.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 9384612523e30859452afdf899b1ea860597f00ab0cc630df4abd722d2feffce
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: D9E03939601614C6EB048BA3D80838A36E1EBC9B06F848024C98947361DF7D8499C7D0

Analysis Process: conhost.exePID: 864, Parent PID: 180COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	73
Total number of Limit Nodes:	2

Executed Functions

Function 000001AFBC54328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001AFBC5432AE
PathFindFileNameW.SHLWAPI ref: 000001AFBC5432BD

Part of subcall function 000001AFBC543844: StrCmpNIW.SHLWAPI ref: 000001AFBC54385C

Part of subcall function 000001AFBC543790: GetModuleHandleW.KERNEL32 ref: 000001AFBC54379E
Part of subcall function 000001AFBC543790: GetCurrentProcess.KERNEL32 ref: 000001AFBC5437CC
Part of subcall function 000001AFBC543790: VirtualProtectEx.KERNEL32 ref: 000001AFBC5437EE
Part of subcall function 000001AFBC543790: GetCurrentProcess.KERNEL32 ref: 000001AFBC543809
Part of subcall function 000001AFBC543790: VirtualProtectEx.KERNEL32 ref: 000001AFBC54382A

CreateThread.KERNEL32 ref: 000001AFBC54330B

Part of subcall function 000001AFBC541D14: GetCurrentThread.KERNEL32 ref: 000001AFBC541D1F

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 8bc18eb3f378c8033c2140373a5bee38b5749a0c5978ce05d5ead36886f497f0
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 8011797072224182FB64DBA1E8093FB22B5AB5E747F50413CE946836B8EF78C047C232

Function 000001AFBC541ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001AFBC541628: GetProcessHeap.KERNEL32 ref: 000001AFBC541633
Part of subcall function 000001AFBC541628: HeapAlloc.KERNEL32 ref: 000001AFBC541642
Part of subcall function 000001AFBC541628: RegOpenKeyExW.ADVAPI32 ref: 000001AFBC5416B2
Part of subcall function 000001AFBC541628: RegOpenKeyExW.ADVAPI32 ref: 000001AFBC5416DF
Part of subcall function 000001AFBC541628: RegCloseKey.ADVAPI32 ref: 000001AFBC5416F9
Part of subcall function 000001AFBC541628: RegOpenKeyExW.ADVAPI32 ref: 000001AFBC541719
Part of subcall function 000001AFBC541628: RegCloseKey.ADVAPI32 ref: 000001AFBC541734
Part of subcall function 000001AFBC541628: RegOpenKeyExW.ADVAPI32 ref: 000001AFBC541754
Part of subcall function 000001AFBC541628: RegCloseKey.ADVAPI32 ref: 000001AFBC54176F
Part of subcall function 000001AFBC541628: RegOpenKeyExW.ADVAPI32 ref: 000001AFBC54178F
Part of subcall function 000001AFBC541628: RegCloseKey.ADVAPI32 ref: 000001AFBC5417AA
Part of subcall function 000001AFBC541628: RegOpenKeyExW.ADVAPI32 ref: 000001AFBC5417CA

Sleep.KERNEL32 ref: 000001AFBC541AD7
SleepEx.KERNELBASE ref: 000001AFBC541ADD

Part of subcall function 000001AFBC541628: RegCloseKey.ADVAPI32 ref: 000001AFBC5417E5
Part of subcall function 000001AFBC541628: RegOpenKeyExW.ADVAPI32 ref: 000001AFBC541805
Part of subcall function 000001AFBC541628: RegCloseKey.ADVAPI32 ref: 000001AFBC541820
Part of subcall function 000001AFBC541628: RegOpenKeyExW.ADVAPI32 ref: 000001AFBC541840
Part of subcall function 000001AFBC541628: RegCloseKey.ADVAPI32 ref: 000001AFBC54185B
Part of subcall function 000001AFBC541628: RegOpenKeyExW.ADVAPI32 ref: 000001AFBC54187B
Part of subcall function 000001AFBC541628: RegCloseKey.ADVAPI32 ref: 000001AFBC541896
Part of subcall function 000001AFBC541628: RegCloseKey.ADVAPI32 ref: 000001AFBC5418A0

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 6791f70440dd9c85b212411f21da8e6c93542044ccda2571d40173d2ccca872d
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: B7310F7131264151FB54DBA6DA423FB13B4AB4EBC6F045439DE0A876A9EE20C453C632

Function 000001AFBC543844 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 000001AFBC54385C

Strings

dialer, xrefs: 000001AFBC543855

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction ID: c13be4a4ba17b8363e8091d55159ce93ea0a86808251f92e4153da023aab8e61
Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction Fuzzy Hash: 01D05E7531324586FB54DFE6C8C47B26370EB1D746F884038C90003264DB18C98F9621

Function 000001AFBC51273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001AFBC51285E

Memory Dump Source

Source File: 00000023.00000002.1910632317.000001AFBC510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFBC510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc510000_conhost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: c0aca677dcff362fc04514436721e0fd69b939fc757799e7d7fd64fb2f618a83
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 85611232B0229887DB54CF59D8447BEB3A2F759F96F188139CE5903788DA38D893C721

Non-executed Functions

Function 000001AFBC542B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000001AFBC542BD0
lstrlenW.KERNEL32 ref: 000001AFBC542E0A

Part of subcall function 000001AFBC54199C: OpenProcess.KERNEL32 ref: 000001AFBC5419C2
Part of subcall function 000001AFBC54199C: K32GetModuleFileNameExW.KERNEL32 ref: 000001AFBC5419E0
Part of subcall function 000001AFBC54199C: PathFindFileNameW.SHLWAPI ref: 000001AFBC5419EF
Part of subcall function 000001AFBC54199C: lstrlenW.KERNEL32 ref: 000001AFBC5419FB
Part of subcall function 000001AFBC54199C: StrCpyW.SHLWAPI ref: 000001AFBC541A0E
Part of subcall function 000001AFBC54199C: CloseHandle.KERNEL32 ref: 000001AFBC541A1C

GetProcAddress.KERNEL32 ref: 000001AFBC542BE5

Part of subcall function 000001AFBC54152C: StrCmpIW.SHLWAPI ref: 000001AFBC54155D

Part of subcall function 000001AFBC543844: StrCmpNIW.SHLWAPI ref: 000001AFBC54385C

StrCmpNIW.SHLWAPI ref: 000001AFBC542C28
lstrlenW.KERNEL32 ref: 000001AFBC542D50

Strings

\Device\Nsi, xrefs: 000001AFBC542C1B
NtQueryObject, xrefs: 000001AFBC542BDB
ntdll.dll, xrefs: 000001AFBC542BC9

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: cc1c2f5be02bb854c6362e19e3c2d8aa9963211729cf9709ea9c23d7fce6e41e
Instruction ID: efccf160133ec07a6e3387ab76690a951d92aaf2863204c9b36cefdade2eae8c
Opcode Fuzzy Hash: cc1c2f5be02bb854c6362e19e3c2d8aa9963211729cf9709ea9c23d7fce6e41e
Instruction Fuzzy Hash: 95B18E72312A6882EB54CFA5C8407FA63B5F74AB87F44503ADE0953B98DE34C843C761

Function 000001AFBC547D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001AFBC547DAC
RtlCaptureContext.NTDLL ref: 000001AFBC547DD9
RtlLookupFunctionEntry.NTDLL ref: 000001AFBC547DF3
RtlVirtualUnwind.NTDLL ref: 000001AFBC547E34
IsDebuggerPresent.KERNEL32 ref: 000001AFBC547E88
SetUnhandledExceptionFilter.KERNEL32 ref: 000001AFBC547EA9
UnhandledExceptionFilter.KERNEL32 ref: 000001AFBC547EB4

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: baceb06ff1686b3e21e352b0d99ecbcbc7972f2b7545da8f50287eeeca3c8b25
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 24311A76316A808AEB60DFA0E8407EE7374F789745F44442ADA4E57B98EF38C54AC721

Function 000001AFBC54D2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001AFBC54D31D
RtlLookupFunctionEntry.NTDLL ref: 000001AFBC54D335
RtlVirtualUnwind.NTDLL ref: 000001AFBC54D370
IsDebuggerPresent.KERNEL32 ref: 000001AFBC54D3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 000001AFBC54D3B3
UnhandledExceptionFilter.KERNEL32 ref: 000001AFBC54D3BE

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: c61dd33efdd194d987f966bac02ce37e44d7be129a668e2b20a0abe7bf703067
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 95313836315B8086EB60DB65E8403EE73B4F78A795F50012AEA9D43B99DF38C547CB11

Function 000001AFBC541628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001AFBC541633
HeapAlloc.KERNEL32 ref: 000001AFBC541642

Part of subcall function 000001AFBC541268: GetProcessHeap.KERNEL32 ref: 000001AFBC54126E
Part of subcall function 000001AFBC541268: HeapAlloc.KERNEL32 ref: 000001AFBC54127D
Part of subcall function 000001AFBC541268: GetProcessHeap.KERNEL32 ref: 000001AFBC541297
Part of subcall function 000001AFBC541268: HeapAlloc.KERNEL32 ref: 000001AFBC5412A8

RegOpenKeyExW.ADVAPI32 ref: 000001AFBC5416B2
RegOpenKeyExW.ADVAPI32 ref: 000001AFBC5416DF
RegCloseKey.ADVAPI32 ref: 000001AFBC5416F9
RegOpenKeyExW.ADVAPI32 ref: 000001AFBC541719
RegCloseKey.ADVAPI32 ref: 000001AFBC541734
RegOpenKeyExW.ADVAPI32 ref: 000001AFBC541754
RegCloseKey.ADVAPI32 ref: 000001AFBC54176F
RegOpenKeyExW.ADVAPI32 ref: 000001AFBC54178F
RegCloseKey.ADVAPI32 ref: 000001AFBC5417AA
RegOpenKeyExW.ADVAPI32 ref: 000001AFBC5417CA
RegCloseKey.ADVAPI32 ref: 000001AFBC5417E5
RegOpenKeyExW.ADVAPI32 ref: 000001AFBC541805
RegCloseKey.ADVAPI32 ref: 000001AFBC541820
RegOpenKeyExW.ADVAPI32 ref: 000001AFBC541840
RegCloseKey.ADVAPI32 ref: 000001AFBC54185B
RegOpenKeyExW.ADVAPI32 ref: 000001AFBC54187B
RegCloseKey.ADVAPI32 ref: 000001AFBC541896
RegCloseKey.ADVAPI32 ref: 000001AFBC5418A0

Part of subcall function 000001AFBC5412BC: RegQueryInfoKeyW.ADVAPI32 ref: 000001AFBC541319
Part of subcall function 000001AFBC5412BC: GetProcessHeap.KERNEL32 ref: 000001AFBC541327
Part of subcall function 000001AFBC5412BC: HeapAlloc.KERNEL32 ref: 000001AFBC541338
Part of subcall function 000001AFBC5412BC: RegEnumValueW.ADVAPI32 ref: 000001AFBC541397
Part of subcall function 000001AFBC5412BC: GetProcessHeap.KERNEL32 ref: 000001AFBC5413DF
Part of subcall function 000001AFBC5412BC: HeapAlloc.KERNEL32 ref: 000001AFBC5413ED
Part of subcall function 000001AFBC5412BC: GetProcessHeap.KERNEL32 ref: 000001AFBC54140A
Part of subcall function 000001AFBC5412BC: HeapFree.KERNEL32 ref: 000001AFBC541418
Part of subcall function 000001AFBC5412BC: lstrlenW.KERNEL32 ref: 000001AFBC541421
Part of subcall function 000001AFBC5412BC: GetProcessHeap.KERNEL32 ref: 000001AFBC54142F
Part of subcall function 000001AFBC5412BC: HeapAlloc.KERNEL32 ref: 000001AFBC54143D

Strings

tcp_remote, xrefs: 000001AFBC541839
SOFTWARE\dialerconfig, xrefs: 000001AFBC541692
startup, xrefs: 000001AFBC5416D5
pid, xrefs: 000001AFBC541712
process_names, xrefs: 000001AFBC54174D
udp, xrefs: 000001AFBC541874
paths, xrefs: 000001AFBC541788
tcp_local, xrefs: 000001AFBC5417FE
service_names, xrefs: 000001AFBC5417C3

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 7afa28960a6d2a9bcc99902a637516fabffadb1fc1bdf78b9965389f22877181
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 66712C7A312A5086EB10DFA2E8417EB2374F78AB9AF401129DD4E47B28EF34C447C351

Function 000001AFBC5412BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001AFBC541319
GetProcessHeap.KERNEL32 ref: 000001AFBC541327
HeapAlloc.KERNEL32 ref: 000001AFBC541338
RegEnumValueW.ADVAPI32 ref: 000001AFBC541397

Part of subcall function 000001AFBC54152C: StrCmpIW.SHLWAPI ref: 000001AFBC54155D

GetProcessHeap.KERNEL32 ref: 000001AFBC5413DF
HeapAlloc.KERNEL32 ref: 000001AFBC5413ED
GetProcessHeap.KERNEL32 ref: 000001AFBC54140A
HeapFree.KERNEL32 ref: 000001AFBC541418
lstrlenW.KERNEL32 ref: 000001AFBC541421
GetProcessHeap.KERNEL32 ref: 000001AFBC54142F
HeapAlloc.KERNEL32 ref: 000001AFBC54143D
StrCpyW.SHLWAPI ref: 000001AFBC54145F
GetProcessHeap.KERNEL32 ref: 000001AFBC541476
HeapFree.KERNEL32 ref: 000001AFBC541484

Strings

d, xrefs: 000001AFBC54135A

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: 3afbc655a34272a428efe205737c69884a1f52e911e7506b55e34058cb9b6a84
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: F7512A76311B8486EB54CFA2E5483AB77B1F78AB9AF044128DA4A07B58DF3CC0478B11

Function 000001AFBC541D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000001AFBC541D1F

Part of subcall function 000001AFBC541FD4: GetModuleHandleA.KERNEL32 ref: 000001AFBC541FEC
Part of subcall function 000001AFBC541FD4: GetProcAddress.KERNEL32 ref: 000001AFBC541FFD

Part of subcall function 000001AFBC545B30: GetCurrentThreadId.KERNEL32 ref: 000001AFBC545B6B

Strings

sechost.dll, xrefs: 000001AFBC541E39
NtEnumerateValueKey, xrefs: 000001AFBC541DD6
EnumServicesStatusExW, xrefs: 000001AFBC541E11, 000001AFBC541E32
NtEnumerateKey, xrefs: 000001AFBC541DB9
NtQuerySystemInformation, xrefs: 000001AFBC541D45
NtDeviceIoControlFile, xrefs: 000001AFBC541E56
NtQueryDirectoryFile, xrefs: 000001AFBC541D7F
NtResumeThread, xrefs: 000001AFBC541D62
EnumServiceGroupW, xrefs: 000001AFBC541DF0
advapi32.dll, xrefs: 000001AFBC541DF7, 000001AFBC541E18
NtQueryDirectoryFileEx, xrefs: 000001AFBC541D9C
ntdll.dll, xrefs: 000001AFBC541D2D

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: 38780d9e275decb6f7e3629786390a6c342e927e0320f4316570c73c2a372ae6
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: BD3162B970294AA0FA04EBE5ED517F76331A71E39BF80503BD44A035699E78824BC772

Function 000001AFBC516910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001AFBC516938
__scrt_acquire_startup_lock.LIBCMT ref: 000001AFBC51698A
_RTC_Initialize.LIBCMT ref: 000001AFBC5169B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001AFBC5169DE
__scrt_release_startup_lock.LIBCMT ref: 000001AFBC516A09

Strings

`eh vector copy constructor iterator', xrefs: 000001AFBC516A3B
`dynamic initializer for ', xrefs: 000001AFBC5169C7
`eh vector vbase copy constructor iterator', xrefs: 000001AFBC5169EE
scriptor', xrefs: 000001AFBC516B39, 000001AFBC516BB2, 000001AFBC516BEC

Memory Dump Source

Source File: 00000023.00000002.1910632317.000001AFBC510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFBC510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc510000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 9356bc4a8a526faad4d80347390502cc071dd5f6295710e752788fcfcdb77c87
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: FC818C3171224186F650EBE5D8493FB22F0E79FF82F58813DDA454769ADF38C9478622

Function 000001AFBC54CE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 000001AFBC54CE37
FlsGetValue.KERNEL32(?,?,?,000001AFBC550A6B,?,?,?,000001AFBC55045C,?,?,?,000001AFBC54C84F), ref: 000001AFBC54CE4C
FlsSetValue.KERNEL32(?,?,?,000001AFBC550A6B,?,?,?,000001AFBC55045C,?,?,?,000001AFBC54C84F), ref: 000001AFBC54CE6D
FlsSetValue.KERNEL32(?,?,?,000001AFBC550A6B,?,?,?,000001AFBC55045C,?,?,?,000001AFBC54C84F), ref: 000001AFBC54CE9A
FlsSetValue.KERNEL32(?,?,?,000001AFBC550A6B,?,?,?,000001AFBC55045C,?,?,?,000001AFBC54C84F), ref: 000001AFBC54CEAB
FlsSetValue.KERNEL32(?,?,?,000001AFBC550A6B,?,?,?,000001AFBC55045C,?,?,?,000001AFBC54C84F), ref: 000001AFBC54CEBC
SetLastError.KERNEL32 ref: 000001AFBC54CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001AFBC550A6B,?,?,?,000001AFBC55045C,?,?,?,000001AFBC54C84F), ref: 000001AFBC54CF0D
FlsSetValue.KERNEL32(?,?,00000001,000001AFBC54ECCC,?,?,?,?,000001AFBC54BF9F,?,?,?,?,?,000001AFBC547AB0), ref: 000001AFBC54CF2C

Part of subcall function 000001AFBC54D6CC: HeapAlloc.KERNEL32 ref: 000001AFBC54D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001AFBC550A6B,?,?,?,000001AFBC55045C,?,?,?,000001AFBC54C84F), ref: 000001AFBC54CF54

Part of subcall function 000001AFBC54D744: HeapFree.KERNEL32 ref: 000001AFBC54D75A
Part of subcall function 000001AFBC54D744: GetLastError.KERNEL32 ref: 000001AFBC54D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001AFBC550A6B,?,?,?,000001AFBC55045C,?,?,?,000001AFBC54C84F), ref: 000001AFBC54CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001AFBC550A6B,?,?,?,000001AFBC55045C,?,?,?,000001AFBC54C84F), ref: 000001AFBC54CF76

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 9ede5e17a133d8cdd443798b43a5455692ac10fb17c7b844fd534250ebeaf30f
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: B9414C3030324446FA69E7E5D9513FB21715F8F7B2F24073CE8A6476DEDA28A4439222

Function 000001AFBC542244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001AFBC542259
GetCurrentProcessId.KERNEL32 ref: 000001AFBC542263

Part of subcall function 000001AFBC541934: OpenProcess.KERNEL32 ref: 000001AFBC541952
Part of subcall function 000001AFBC541934: IsWow64Process.KERNEL32 ref: 000001AFBC541968
Part of subcall function 000001AFBC541934: CloseHandle.KERNEL32 ref: 000001AFBC541983

CreateFileW.KERNEL32 ref: 000001AFBC5422BC
WriteFile.KERNEL32 ref: 000001AFBC5422E4
ReadFile.KERNEL32 ref: 000001AFBC542303
CloseHandle.KERNEL32 ref: 000001AFBC54230C

Strings

\\.\pipe\dialerchildproc64, xrefs: 000001AFBC54228C
\\.\pipe\dialerchildproc32, xrefs: 000001AFBC542293

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 90a8a70573f0f178612f4669759f69e3701d181fc140a2367f235691bcf0b889
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 1B21307671565482F710CB65E5443BB63B1F78ABA6F500229DA5903BA8CF3CC14BCB11

Function 000001AFBC519944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001AFBC5199A1

Part of subcall function 000001AFBC51A814: __GetUnwindTryBlock.LIBCMT ref: 000001AFBC51A857
Part of subcall function 000001AFBC51A814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001AFBC51A87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001AFBC519A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001AFBC519CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001AFBC519DDA

Strings

csm, xrefs: 000001AFBC5199BB
csm, xrefs: 000001AFBC519A22
csm, xrefs: 000001AFBC519A9C

Memory Dump Source

Source File: 00000023.00000002.1910632317.000001AFBC510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFBC510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc510000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: d9cc8d4e2ffe881de6f64b1d9088dc66281cbb7892283cd6c056b1c0b83efee0
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 94E1A0727067408AEB60DBA5D4883EE77B0F75AF9AF000129DE9957B59CB34C193C722

Function 000001AFBC54A544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001AFBC54A5A1

Part of subcall function 000001AFBC54B414: __GetUnwindTryBlock.LIBCMT ref: 000001AFBC54B457
Part of subcall function 000001AFBC54B414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001AFBC54B47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001AFBC54A679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001AFBC54A8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001AFBC54A9DA

Strings

csm, xrefs: 000001AFBC54A5BB
csm, xrefs: 000001AFBC54A69C
csm, xrefs: 000001AFBC54A622

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aafa923bcba82b6be8ae00af4d8b5db3ec9649b79742a36e3fcc25e1c44b9e43
Instruction ID: 576db2d50c6e80d86bf80a81f27f825a650e1082b246601f807f7de4570e6378
Opcode Fuzzy Hash: aafa923bcba82b6be8ae00af4d8b5db3ec9649b79742a36e3fcc25e1c44b9e43
Instruction Fuzzy Hash: 47E15C72706B8086EB60DBA6D4813EE77B4F75A799F100129EE8957B99CB34C483C712

Function 000001AFBC54F394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32 ref: 000001AFBC54F510
GetProcAddress.KERNEL32 ref: 000001AFBC54F51C

Strings

ext-ms-, xrefs: 000001AFBC54F46D
api-ms-, xrefs: 000001AFBC54F45A

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 38dcbd5a2a2d0ec7fa1d86277db557ef3bef89b38fead37e513f868cac2f4410
Instruction ID: 8fd665ad3d6a43e79665574afa831bb785300a6f9772e5c33205258536be721d
Opcode Fuzzy Hash: 38dcbd5a2a2d0ec7fa1d86277db557ef3bef89b38fead37e513f868cac2f4410
Instruction Fuzzy Hash: AE419332313A4051EA55CB9AEC047F722A5B74EBA2F55423DDD0A87798EE38C4478326

Function 000001AFBC54104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001AFBC5410B1
RegEnumValueW.ADVAPI32 ref: 000001AFBC541117
GetProcessHeap.KERNEL32 ref: 000001AFBC54115A
HeapAlloc.KERNEL32 ref: 000001AFBC541168
GetProcessHeap.KERNEL32 ref: 000001AFBC541185
HeapFree.KERNEL32 ref: 000001AFBC541193

Strings

d, xrefs: 000001AFBC5410D6

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: 04181c2e7f66b8c3f70104f866a28de6053adefb728d7090c5dfecc15bcdf0c4
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: 17416D77215B84C6E760CF61E4457AB77B1F389B99F048129DA8A07B58DF38C44ACB11

Function 000001AFBC54D068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000001AFBC54C7DE,?,?,?,?,?,?,?,?,000001AFBC54CF9D,?,?,00000001), ref: 000001AFBC54D087
FlsSetValue.KERNEL32(?,?,?,000001AFBC54C7DE,?,?,?,?,?,?,?,?,000001AFBC54CF9D,?,?,00000001), ref: 000001AFBC54D0A6
FlsSetValue.KERNEL32(?,?,?,000001AFBC54C7DE,?,?,?,?,?,?,?,?,000001AFBC54CF9D,?,?,00000001), ref: 000001AFBC54D0CE
FlsSetValue.KERNEL32(?,?,?,000001AFBC54C7DE,?,?,?,?,?,?,?,?,000001AFBC54CF9D,?,?,00000001), ref: 000001AFBC54D0DF
FlsSetValue.KERNEL32(?,?,?,000001AFBC54C7DE,?,?,?,?,?,?,?,?,000001AFBC54CF9D,?,?,00000001), ref: 000001AFBC54D0F0

Strings

1%, xrefs: 000001AFBC54D0CE
Y%, xrefs: 000001AFBC54D0A6

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: b4fb10e0bd821bb90d771797cd825dec259d757af549efa02600a6ec217a53ee
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: F2114FB070624441FE68D7A6D9513FB61715B4E7F2F14533CD869476DEEE28C4439222

Function 000001AFBC547510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001AFBC547538
__scrt_acquire_startup_lock.LIBCMT ref: 000001AFBC54758A
_RTC_Initialize.LIBCMT ref: 000001AFBC5475B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001AFBC5475DE
__scrt_release_startup_lock.LIBCMT ref: 000001AFBC547609

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 4c276401e6b07849e28d725c5ae24e27cf9fe6cc4b029f8c515fdfe5c7574d1b
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 8B816C317126414AFA50EBE6D8413FB26B9A74F7C2F54443DD944877AAEA28C847C722

Function 000001AFBC549DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000001AFBC549E49
GetLastError.KERNEL32 ref: 000001AFBC549E57
LoadLibraryExW.KERNEL32 ref: 000001AFBC549E81
FreeLibrary.KERNEL32 ref: 000001AFBC549EC7
GetProcAddress.KERNEL32 ref: 000001AFBC549ED3

Strings

api-ms-, xrefs: 000001AFBC549E69

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 9a692e6453de9d4801212d2d0819b84da1bdd69154ddd7f321b39c2fb227d254
Instruction ID: 1bf297185459e1f3749083b5b94245ac2559e7d542d06831f3353b28b8811062
Opcode Fuzzy Hash: 9a692e6453de9d4801212d2d0819b84da1bdd69154ddd7f321b39c2fb227d254
Instruction Fuzzy Hash: 79318331313A40A1EE51DB82E441BF622B8B74EBA2F590539DD2D07798EF39C4578322

Function 000001AFBC553DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001AFBC553DE5
GetLastError.KERNEL32 ref: 000001AFBC553DF1
CloseHandle.KERNEL32 ref: 000001AFBC553E09
CreateFileW.KERNEL32 ref: 000001AFBC553E34
WriteConsoleW.KERNEL32 ref: 000001AFBC553E53

Strings

CONOUT$, xrefs: 000001AFBC553E15

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: 45b764daeb888eda74b040fe41895a6ac71cf6c072de84bcaec88c86bd5a56f6
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 88114C35721A8086E750CB92E84437A76B0B78EFE6F044238EA5A877A4CF38C5168751

Function 000001AFBC543790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001AFBC54379E
GetCurrentProcess.KERNEL32 ref: 000001AFBC5437CC
VirtualProtectEx.KERNEL32 ref: 000001AFBC5437EE
GetCurrentProcess.KERNEL32 ref: 000001AFBC543809
VirtualProtectEx.KERNEL32 ref: 000001AFBC54382A

Strings

wr, xrefs: 000001AFBC5437FF

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 61de933238f85d0120607603ebe1d371eff6c87b6cd979c0a610ae74ff4f9cd7
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 73113C3A716B8182EF54DB61E4043BAA6B0F74AB96F440039DE8907768EF3DC507C715

Function 000001AFBC545B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001AFBC545B6B
GetThreadContext.KERNEL32 ref: 000001AFBC545CD5

Part of subcall function 000001AFBC545960: GetCurrentThreadId.KERNEL32 ref: 000001AFBC545964

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: ee4c367193eeb8418473a595f6046abae3a775b9afc04da9853d15902fd05d41
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: 6CD19D76209B4882DA70DB46E4943AB77B0F38DB85F500126EACD47BA9DF3CC552CB51

Function 000001AFBC542F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001AFBC542F27
HeapAlloc.KERNEL32 ref: 000001AFBC542F3A
StrCmpNIW.SHLWAPI ref: 000001AFBC542FAF
GetProcessHeap.KERNEL32 ref: 000001AFBC543015
HeapFree.KERNEL32 ref: 000001AFBC543023

Strings

dialer, xrefs: 000001AFBC542FA8

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 4140b7d931e0c5ed277f044a265121a65c03bfa699d793ea4e115ad75e9f9e94
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: DD31B536302B6592EA10CF96E9417BB67B0FB49B82F444138DE4847B59EF34C4638311

Function 000001AFBC54CFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001AFBC54CFAF
FlsSetValue.KERNEL32(?,?,?,000001AFBC54D6B5,?,?,?,?,000001AFBC54D778), ref: 000001AFBC54CFE5
FlsSetValue.KERNEL32(?,?,?,000001AFBC54D6B5,?,?,?,?,000001AFBC54D778), ref: 000001AFBC54D012
FlsSetValue.KERNEL32(?,?,?,000001AFBC54D6B5,?,?,?,?,000001AFBC54D778), ref: 000001AFBC54D023
FlsSetValue.KERNEL32(?,?,?,000001AFBC54D6B5,?,?,?,?,000001AFBC54D778), ref: 000001AFBC54D034
SetLastError.KERNEL32 ref: 000001AFBC54D04F

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 6eb9f7a10ede253d45269cc48ffbd4be9eba02ea75b88bccfb7b55ae7cab28de
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: 13115E7030728042FA64D7A6D9453FB21715B8F7B6F14073CE876877DEEE2894439222

Function 000001AFBC54199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001AFBC5419C2
K32GetModuleFileNameExW.KERNEL32 ref: 000001AFBC5419E0
PathFindFileNameW.SHLWAPI ref: 000001AFBC5419EF
lstrlenW.KERNEL32 ref: 000001AFBC5419FB
StrCpyW.SHLWAPI ref: 000001AFBC541A0E
CloseHandle.KERNEL32 ref: 000001AFBC541A1C

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: 7cb8a45a0f8ffe53df7c687f10f47adbb6d67c071ef118e5a30d78d6c4ba2319
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 8A015B35311A8082EA54DB92E4483AA63B1F78DBC6F884039DE4943758DE38C58BC751

Function 000001AFBC5436C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001AFBC5436E4
GetCurrentProcess.KERNEL32 ref: 000001AFBC5436F2
VirtualProtectEx.KERNEL32 ref: 000001AFBC543714
GetCurrentProcess.KERNEL32 ref: 000001AFBC543732
VirtualProtectEx.KERNEL32 ref: 000001AFBC543753
TerminateThread.KERNEL32 ref: 000001AFBC543762

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 84b6c92ac97b01b76a403ce7041411f165ef8f6caaa89668629a18f4f44d0d53
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 27010C79312B4482EB24DBA2E8187A763B0BB4EB87F040438C98907765EF3DC1178721

Function 000001AFBC549005 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001AFBC549013
_IsNonwritableInCurrentImage.LIBCMT ref: 000001AFBC5490A8
RtlUnwindEx.NTDLL ref: 000001AFBC5490F7

Strings

f, xrefs: 000001AFBC549026
csm, xrefs: 000001AFBC54908E

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: bde4ae17a06f1c21a5807440f81e3cf83b19292b6f9d6931ed4a1e5efad905b0
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 7151A232712240C6EB54CB55D489BAA37B9F34AB8AF509138DA264374CDB35D843C721

Function 000001AFBC548FE8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001AFBC549013
_IsNonwritableInCurrentImage.LIBCMT ref: 000001AFBC5490A8
RtlUnwindEx.NTDLL ref: 000001AFBC5490F7

Strings

f, xrefs: 000001AFBC549026
csm, xrefs: 000001AFBC54908E

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 7550f7cb3c90e2bac6ea7802eb6f9839cfb23e206c2073458cd822806bf14f5d
Instruction ID: 7b414e32bc95e162ec7b813e6091acb3032debe58da9ea5744e29a65715b14f6
Opcode Fuzzy Hash: 7550f7cb3c90e2bac6ea7802eb6f9839cfb23e206c2073458cd822806bf14f5d
Instruction Fuzzy Hash: 9631C431312640C6E714DF51E8897AB3779F74AB8AF158028EE6A0374DDB39C943C716

Function 000001AFBC541A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001AFBC541A60
StrCmpNIW.SHLWAPI ref: 000001AFBC541A7A
lstrlenW.KERNEL32 ref: 000001AFBC541A89
StrCpyW.SHLWAPI ref: 000001AFBC541A9E

Strings

\\?\, xrefs: 000001AFBC541A6E

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 9875e12be1a28ff14ed11a25232195a671b96306df28fd09e35e957b5f509c07
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 6FF08C7631068082EB60CBE1E8843AB6370F74DBCAF844038CA4947A58DE2CC68FCB11

Function 000001AFBC543044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000001AFBC543066
StrCpyW.SHLWAPI ref: 000001AFBC543076
StrCatW.SHLWAPI ref: 000001AFBC543082
PathCombineW.SHLWAPI ref: 000001AFBC543090

Strings

\\.\pipe\, xrefs: 000001AFBC54305C

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 98cd117f518929e7db9a3c1b5315de463b7d5cfe370886d7f821df8df70a5819
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 06F05E79315B8082EA44CB92F9043AA6270AB4EFD2F044138EE4A07B28DE38C4478711

Function 000001AFBC54BC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001AFBC54BCBD
GetProcAddress.KERNEL32 ref: 000001AFBC54BCD3
FreeLibrary.KERNEL32 ref: 000001AFBC54BCFA

Strings

mscoree.dll, xrefs: 000001AFBC54BCB4
CorExitProcess, xrefs: 000001AFBC54BCCC

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 030b13cbbb586005c3adcab8bf6ddf69cbe916194aa6293c8c81c10c949b4b2a
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: BBF06275323A4581EB10CBA4E4443BB6330EB8E7A2F54022DDA6A472F8CF2CC147C361

Function 000001AFBC5450D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001AFBC545156

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: b3ffb37520aa90a03c10ad5403646a29fa74a25be47446f452726e418fe57be9
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: 5E02CC3261AB8486D760CB95E4903ABB7B1F3C9795F500029EACE87B69DF7CC446CB11

Function 000001AFBC545710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001AFBC545726

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: 9ee89d190ae5b26bbd75afa1570b9b4297942b909c95eb7ce50df435aa40012d
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: 4361C83661AA44C6E760CB95E44436BB7B0F38D785F500139EA8E87BA8DB7CC446CB51

Function 000001AFBC523504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001AFBC52352C
_set_statfp.LIBCMT ref: 000001AFBC523547
_set_statfp.LIBCMT ref: 000001AFBC523563
_set_statfp.LIBCMT ref: 000001AFBC52359F

Memory Dump Source

Source File: 00000023.00000002.1910632317.000001AFBC510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFBC510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc510000_conhost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 2eccfab791a2323a28eea42f9ca667b2766b336540767e57cc3107b603dfc5d8
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: B011C432751A0141FA54B2E8EC513FB96E86F5F372F48463DE96A0F2D78B24C8834122

Function 000001AFBC554104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001AFBC55412C
_set_statfp.LIBCMT ref: 000001AFBC554147
_set_statfp.LIBCMT ref: 000001AFBC554163
_set_statfp.LIBCMT ref: 000001AFBC55419F

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 073a4c6c139a00953d544ac2eb5f282305392b39a4c142a4764b6aa6d429663a
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 4411913AB12B5013F76495E8D4533F711716B6F3FAF08063CE976176D68B24E8436222

Function 000001AFBC51F040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001AFBC51F124

Strings

Wednesday, xrefs: 000001AFBC51F1ED
or copy constructor iterator', xrefs: 000001AFBC51F25A, 000001AFBC51F275
Tuesday, xrefs: 000001AFBC51F0F4

Memory Dump Source

Source File: 00000023.00000002.1910632317.000001AFBC510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFBC510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc510000_conhost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: b05ddbdf4e7a49f3530e99aa290f304562eb3485e737d55d85aa1f5dfc45e2ab
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 1D61B13670264042F665DBE5DC483BB26B1A38FB52F54463DCA5A877ACDB34CC438222

Function 000001AFBC54AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001AFBC54AA68
_CallSETranslator.LIBVCRUNTIME ref: 000001AFBC54AAB7

Strings

RCC, xrefs: 000001AFBC54AA85
MOC, xrefs: 000001AFBC54AA7C

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 666acc49fd6df01ba370cb9f51a420fe53debf1fde292996eb6e5d688c21119e
Instruction ID: faf49b8fb85dd8da4f3bbecd2b60e4e99bf2dbdecf8756fc322c4ea21005ffce
Opcode Fuzzy Hash: 666acc49fd6df01ba370cb9f51a420fe53debf1fde292996eb6e5d688c21119e
Instruction Fuzzy Hash: 40614C32702B848AEB50DFA6D4803EE77B1F359B89F044229EF4917B98DB38D556C711

Function 000001AFBC51A178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001AFBC51A1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001AFBC51A288

Strings

csm, xrefs: 000001AFBC51A1C2
csm, xrefs: 000001AFBC51A2DA

Memory Dump Source

Source File: 00000023.00000002.1910632317.000001AFBC510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFBC510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc510000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 2eb407240e46380409709e1726eec131107a872abf67eceae5b77a1f15ee6f6d
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: D6518232301280CAEB75CB95D4483FA77B0FB5AF96F184229DA5987B99CB38D453C712

Function 000001AFBC54AD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001AFBC54ADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001AFBC54AE88

Strings

csm, xrefs: 000001AFBC54AEDA
csm, xrefs: 000001AFBC54ADC2

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: e16e2cd26f24e852673171b2f66219316a1fcdf926a659ba5630509cc0e42f08
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: B45173763012808AEBA4CF96D5843AA77B0F35AB86F14412DDA5947BDDCB34D493C722

Function 000001AFBC518405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001AFBC518413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001AFBC5184A8

Strings

csm, xrefs: 000001AFBC51848E
f, xrefs: 000001AFBC518426

Memory Dump Source

Source File: 00000023.00000002.1910632317.000001AFBC510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFBC510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc510000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: e0c054d97faa6edbc4841fa3f85e5d9518017c4d18cfa532d6d829d1adc85917
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: A1519C3270260096DB24DF55D448BEA33A5F34AF9AF578038DA164778DEB75C8438736

Function 000001AFBC5183E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001AFBC518413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001AFBC5184A8

Strings

csm, xrefs: 000001AFBC51848E
f, xrefs: 000001AFBC518426

Memory Dump Source

Source File: 00000023.00000002.1910632317.000001AFBC510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFBC510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc510000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 3af01c53112a4f18b4bf9744a639de11df991fd06fccdd96dcf019f908026aca
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: D831813230264096E724DF52E8487EA77B4F34AFDAF568028EE5607749DB39C943C726

Function 000001AFBC552058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001AFBC5520D7
WriteFile.KERNEL32 ref: 000001AFBC55239F
WriteFile.KERNEL32 ref: 000001AFBC5523E5
GetLastError.KERNEL32 ref: 000001AFBC55249B

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: ea223cb16a8c30a4614ff2808b6cc602d8108756aca582718aba659200e53d04
Instruction ID: 122f1443d1a30da828dd6dd873c7367498cc7d5139547da0beb8a3928fe2235e
Opcode Fuzzy Hash: ea223cb16a8c30a4614ff2808b6cc602d8108756aca582718aba659200e53d04
Instruction Fuzzy Hash: 78D11276716A8489E711CFB9D8403EE3BB1F35A79AF00422ACE5997B99DA34C407C351

Function 000001AFBC5414A4 Relevance: 6.3, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001AFBC5414C5
HeapFree.KERNEL32 ref: 000001AFBC5414D4
GetProcessHeap.KERNEL32 ref: 000001AFBC5414E1
HeapFree.KERNEL32 ref: 000001AFBC5414F0
GetProcessHeap.KERNEL32 ref: 000001AFBC541500

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
Instruction ID: 3b4f3e5eeaf6afdc6464d4d0202cb678f8a09187cc3b3f5f26219c9ed3a6adfb
Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
Instruction Fuzzy Hash: A7115A3A622ED086E714DBA2E8043AA77B0F78EB82F044039DA491371ADE34C0538751

Function 000001AFBC552980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000001AFBC552A9C
GetLastError.KERNEL32 ref: 000001AFBC552B27

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 132266061ff4b9b8da68bf4eb15db926e852afbe6260eee4876dca9e3c8d8076
Instruction ID: 43a7c73b401edeb2feb0827fa99b71d66ef2f60fdcc1f0638bbbb9ca1108b469
Opcode Fuzzy Hash: 132266061ff4b9b8da68bf4eb15db926e852afbe6260eee4876dca9e3c8d8076
Instruction Fuzzy Hash: 7591C07AB0265885F760DFA5C8403FE2BB0B71AB9BF14412DDE4A57A95DA34C483C722

Function 000001AFBC547960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001AFBC54798C
GetCurrentThreadId.KERNEL32 ref: 000001AFBC54799A
GetCurrentProcessId.KERNEL32 ref: 000001AFBC5479A6
QueryPerformanceCounter.KERNEL32 ref: 000001AFBC5479B6

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 23fd18487dfea4e020b36d3caaeec8ad81f7baa6a80db754529c19864615c8df
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 60113A36711F418AEB40CBA0E8553BA33B4E31A769F440E35DAAD437A4DF78C19A8290

Function 000001AFBC54253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001AFBC542620
StrCpyW.SHLWAPI ref: 000001AFBC542639

Strings

\\.\pipe\, xrefs: 000001AFBC54262B

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: f9ae2ac97f4d715802434cfbd0ca4b9e1963434c5062de052308e56cf21b1c36
Instruction ID: 967e1665751afcdaf2a40daa377e334ca8dccd4ac4c8fa35d5a3213e35443bee
Opcode Fuzzy Hash: f9ae2ac97f4d715802434cfbd0ca4b9e1963434c5062de052308e56cf21b1c36
Instruction Fuzzy Hash: 8D71CE36302B9586E624DEA5EC443FB66B0F38EB86F44003ADD0A53B9DDE34C6438711

Function 000001AFBC519E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001AFBC519EB7

Strings

RCC, xrefs: 000001AFBC519E85
MOC, xrefs: 000001AFBC519E7C

Memory Dump Source

Source File: 00000023.00000002.1910632317.000001AFBC510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFBC510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc510000_conhost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: bbb07bebf6921e91a747d8936f3d7f4b8436abdb5c8fd6154240c2dc49a974b4
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: BE618936702B848AEB20CFA5D0843EE77B0F749B89F044229EF5917B98DB38D196C711

Function 000001AFBC542330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001AFBC542416
StrCpyW.SHLWAPI ref: 000001AFBC54242D

Strings

\\.\pipe\, xrefs: 000001AFBC542421

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 94153bbf33019caaa40224d47f7b4f8b7f9df6d428528a95645a5a22a8f385cf
Instruction ID: 67b05a8c0cf720271308226a717553685fe33cf892dcd75c7e33915ff2a78701
Opcode Fuzzy Hash: 94153bbf33019caaa40224d47f7b4f8b7f9df6d428528a95645a5a22a8f385cf
Instruction Fuzzy Hash: F951113270639581E664DEAAE8583FB6670F39E783F44013DCE4903B9EDA39C5078762

Function 000001AFBC5526F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001AFBC552807
GetLastError.KERNEL32 ref: 000001AFBC552829

Strings

U, xrefs: 000001AFBC5527B3

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 295048c59590e8054d7e6aa5fdf121aa015287c38449c3382b4a6d06de0f359c
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 1F418E76326A8486DB20CFA5E8443EA67B0F799795F404039EE4D87798EB38C443CB51

Function 000001AFBC5494A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001AFBC5494F0
RaiseException.KERNEL32 ref: 000001AFBC549531

Strings

csm, xrefs: 000001AFBC54951E

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: f6b3b55573afc424faa85c2d353ed70a2ee5d018316b08b0dcd606c185d30460
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 4B112B36215B8082EB61CB15E4403AA77E5FB89B95F584224EE8C47B59DF3CC552CB00

Function 000001AFBC517356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001AFBC51737C

Strings

ierarchy Descriptor', xrefs: 000001AFBC517381
riptor at (, xrefs: 000001AFBC517364

Memory Dump Source

Source File: 00000023.00000002.1910632317.000001AFBC510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFBC510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc510000_conhost.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: e9c828ba714dd37ac94a670972fd563f6154ad2898c2eafd49d117bceaec99b9
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 29E04F61741B4490DB019F61E8403E933A09B5DB64B889122D95C4B315EA38D1EBC311

Function 000001AFBC5173B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001AFBC5173D8

Strings

Locator', xrefs: 000001AFBC5173DD
riptor at (, xrefs: 000001AFBC5173C0

Memory Dump Source

Source File: 00000023.00000002.1910632317.000001AFBC510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFBC510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc510000_conhost.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 178ba7a70b487c7996aeedb7a93e32d729062f67a058f3e99010c1ea5efa4f68
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 4EE08671701B4480DF01DF61D8402E973B0E75DB64BC89132C94C4B315EA38D1E7C311

Function 000001AFBC541BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001AFBC541C2D
HeapAlloc.KERNEL32 ref: 000001AFBC541C3B
GetProcessHeap.KERNEL32 ref: 000001AFBC541C77
HeapFree.KERNEL32 ref: 000001AFBC541C85

Part of subcall function 000001AFBC54152C: StrCmpIW.SHLWAPI ref: 000001AFBC54155D

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: 2871b7426f0820f8f9f7e24d5927a5920c192db9858cc37ca576c90683a03b07
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: 1D111939712B8481EA54DBA6E8053BB67B1EB8EFC2F184038DE495776ADE38C4438311

Function 000001AFBC541268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001AFBC54126E
HeapAlloc.KERNEL32 ref: 000001AFBC54127D
GetProcessHeap.KERNEL32 ref: 000001AFBC541297
HeapAlloc.KERNEL32 ref: 000001AFBC5412A8

Memory Dump Source

Source File: 00000023.00000002.1910671563.000001AFBC540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001AFBC540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1afbc540000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: daba48c2f3db54e5f11212f8be95aeff4fcfdfb2e1a9d4c7d303d50d0221170b
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 08E03939722A4486EB44CBA2D8083AA36E1EB8EB06F048028C90907751DF7D849AC761

Analysis Process: svchost.exePID: 920, Parent PID: 8136COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	73
Total number of Limit Nodes:	2

Executed Functions

Function 000002A66130328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002A6613032AE
PathFindFileNameW.SHLWAPI ref: 000002A6613032BD

Part of subcall function 000002A661303844: StrCmpNIW.SHLWAPI ref: 000002A66130385C

Part of subcall function 000002A661303790: GetModuleHandleW.KERNEL32 ref: 000002A66130379E
Part of subcall function 000002A661303790: GetCurrentProcess.KERNEL32 ref: 000002A6613037CC
Part of subcall function 000002A661303790: VirtualProtectEx.KERNEL32 ref: 000002A6613037EE
Part of subcall function 000002A661303790: GetCurrentProcess.KERNEL32 ref: 000002A661303809
Part of subcall function 000002A661303790: VirtualProtectEx.KERNEL32 ref: 000002A66130382A

CreateThread.KERNEL32 ref: 000002A66130330B

Part of subcall function 000002A661301D14: GetCurrentThread.KERNEL32 ref: 000002A661301D1F

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 077229c1eed964279b07ec97370b47b92095969d86f76acc536d4c6ada0caa5e
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: DC11AD70F246408BFB60EB61F98DB6923ECA746F46F8C41249907A3691EF7CC04C8283

Function 000002A661301ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002A661301628: GetProcessHeap.KERNEL32 ref: 000002A661301633
Part of subcall function 000002A661301628: HeapAlloc.KERNEL32 ref: 000002A661301642
Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613016B2
Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613016DF
Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613016F9
Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301719
Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301734
Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301754
Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A66130176F
Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A66130178F
Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613017AA
Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613017CA

Sleep.KERNEL32 ref: 000002A661301AD7
SleepEx.KERNELBASE ref: 000002A661301ADD

Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613017E5
Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301805
Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301820
Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301840
Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A66130185B
Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A66130187B
Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301896
Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613018A0

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 99b07525fd2711d8e82b8b49fba128a9359a21ce05ef994d83d7f8484eb62716
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: F3314171B00A4593FF509B26DA4D3A963FCAB46FCAF0C54219E0BA7295FF1CC459C292

Function 000002A661303844 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 000002A66130385C

Strings

dialer, xrefs: 000002A661303855

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction ID: 84d7da99e8808b0adfb76846f8b28e16625e6655772c6f218550ef611b4de524
Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction Fuzzy Hash: 59D0A760B512498BFF14DFE688CDA603798EB09F45F8C4034D90213150DF6C8A9D9711

Function 000002A6612D273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002A6612D285E

Memory Dump Source

Source File: 00000024.00000002.3238218318.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a6612d0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 1627250a6f1587746d6adcb486bc21ae0d1f8d3e6a0bb4f849c2ff22e67d6bd2
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: DC61F0B2F016908BDB548F25D0487ADB3AEFB55FA4F688121DE5907788DF38D89AC701

Non-executed Functions

Function 000002A661302B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000002A661302BD0
lstrlenW.KERNEL32 ref: 000002A661302E0A

Part of subcall function 000002A66130199C: OpenProcess.KERNEL32 ref: 000002A6613019C2
Part of subcall function 000002A66130199C: K32GetModuleFileNameExW.KERNEL32 ref: 000002A6613019E0
Part of subcall function 000002A66130199C: PathFindFileNameW.SHLWAPI ref: 000002A6613019EF
Part of subcall function 000002A66130199C: lstrlenW.KERNEL32 ref: 000002A6613019FB
Part of subcall function 000002A66130199C: StrCpyW.SHLWAPI ref: 000002A661301A0E
Part of subcall function 000002A66130199C: CloseHandle.KERNEL32 ref: 000002A661301A1C

GetProcAddress.KERNEL32 ref: 000002A661302BE5

Part of subcall function 000002A66130152C: StrCmpIW.SHLWAPI ref: 000002A66130155D

Part of subcall function 000002A661303844: StrCmpNIW.SHLWAPI ref: 000002A66130385C

StrCmpNIW.SHLWAPI ref: 000002A661302C28
lstrlenW.KERNEL32 ref: 000002A661302D50

Strings

\Device\Nsi, xrefs: 000002A661302C1B
NtQueryObject, xrefs: 000002A661302BDB
ntdll.dll, xrefs: 000002A661302BC9

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: 517c12f0b0e1090de60bb0fcc7bf1fefb46beb5eab338aff40a4245cd4b9731a
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 52B17C72B10A9087EB649F35D64C7A963E9F746F86F485016EE0A63B94DF39CC48C381

Function 000002A661307D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002A661307DAC
RtlCaptureContext.NTDLL ref: 000002A661307DD9
RtlLookupFunctionEntry.NTDLL ref: 000002A661307DF3
RtlVirtualUnwind.NTDLL ref: 000002A661307E34
IsDebuggerPresent.KERNEL32 ref: 000002A661307E88
SetUnhandledExceptionFilter.KERNEL32 ref: 000002A661307EA9
UnhandledExceptionFilter.KERNEL32 ref: 000002A661307EB4

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: cc74eacb843f1603229d41cad126e5c04d88afadf7cf4452611ec155d591a17a
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: E5315072705B808AEB609F60E8483ED73A8F785B44F484429DA8E67B94EF7CC54DC710

Function 000002A66130D2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002A66130D31D
RtlLookupFunctionEntry.NTDLL ref: 000002A66130D335
RtlVirtualUnwind.NTDLL ref: 000002A66130D370
IsDebuggerPresent.KERNEL32 ref: 000002A66130D3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 000002A66130D3B3
UnhandledExceptionFilter.KERNEL32 ref: 000002A66130D3BE

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 36f9f4375d1256616007857bae393de0df9f8980b3b202d925a5ac7eb32d36a2
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 4A316F32714F8086DB60CF25E84839E73A8F78AB55F580125EA9E53B68DF7CC159CB41

Function 000002A661301628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002A661301633
HeapAlloc.KERNEL32 ref: 000002A661301642

Part of subcall function 000002A661301268: GetProcessHeap.KERNEL32 ref: 000002A66130126E
Part of subcall function 000002A661301268: HeapAlloc.KERNEL32 ref: 000002A66130127D
Part of subcall function 000002A661301268: GetProcessHeap.KERNEL32 ref: 000002A661301297
Part of subcall function 000002A661301268: HeapAlloc.KERNEL32 ref: 000002A6613012A8

RegOpenKeyExW.ADVAPI32 ref: 000002A6613016B2
RegOpenKeyExW.ADVAPI32 ref: 000002A6613016DF
RegCloseKey.ADVAPI32 ref: 000002A6613016F9
RegOpenKeyExW.ADVAPI32 ref: 000002A661301719
RegCloseKey.ADVAPI32 ref: 000002A661301734
RegOpenKeyExW.ADVAPI32 ref: 000002A661301754
RegCloseKey.ADVAPI32 ref: 000002A66130176F
RegOpenKeyExW.ADVAPI32 ref: 000002A66130178F
RegCloseKey.ADVAPI32 ref: 000002A6613017AA
RegOpenKeyExW.ADVAPI32 ref: 000002A6613017CA
RegCloseKey.ADVAPI32 ref: 000002A6613017E5
RegOpenKeyExW.ADVAPI32 ref: 000002A661301805
RegCloseKey.ADVAPI32 ref: 000002A661301820
RegOpenKeyExW.ADVAPI32 ref: 000002A661301840
RegCloseKey.ADVAPI32 ref: 000002A66130185B
RegOpenKeyExW.ADVAPI32 ref: 000002A66130187B
RegCloseKey.ADVAPI32 ref: 000002A661301896
RegCloseKey.ADVAPI32 ref: 000002A6613018A0

Part of subcall function 000002A6613012BC: RegQueryInfoKeyW.ADVAPI32 ref: 000002A661301319
Part of subcall function 000002A6613012BC: GetProcessHeap.KERNEL32 ref: 000002A661301327
Part of subcall function 000002A6613012BC: HeapAlloc.KERNEL32 ref: 000002A661301338
Part of subcall function 000002A6613012BC: RegEnumValueW.ADVAPI32 ref: 000002A661301397
Part of subcall function 000002A6613012BC: GetProcessHeap.KERNEL32 ref: 000002A6613013DF
Part of subcall function 000002A6613012BC: HeapAlloc.KERNEL32 ref: 000002A6613013ED
Part of subcall function 000002A6613012BC: GetProcessHeap.KERNEL32 ref: 000002A66130140A
Part of subcall function 000002A6613012BC: HeapFree.KERNEL32 ref: 000002A661301418
Part of subcall function 000002A6613012BC: lstrlenW.KERNEL32 ref: 000002A661301421
Part of subcall function 000002A6613012BC: GetProcessHeap.KERNEL32 ref: 000002A66130142F
Part of subcall function 000002A6613012BC: HeapAlloc.KERNEL32 ref: 000002A66130143D

Strings

udp, xrefs: 000002A661301874
paths, xrefs: 000002A661301788
tcp_local, xrefs: 000002A6613017FE
tcp_remote, xrefs: 000002A661301839
startup, xrefs: 000002A6613016D5
pid, xrefs: 000002A661301712
service_names, xrefs: 000002A6613017C3
process_names, xrefs: 000002A66130174D
SOFTWARE\dialerconfig, xrefs: 000002A661301692

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: c27f832fced2d29170b0e4fb301a485cb6098ecabde165e8eb95b814a7a813c5
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: BA71F476B10E5087EB10DF65E89D69933B8FB8AF8DF081121DA4F67A68DF28C548C341

Function 000002A6613012BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002A661301319
GetProcessHeap.KERNEL32 ref: 000002A661301327
HeapAlloc.KERNEL32 ref: 000002A661301338
RegEnumValueW.ADVAPI32 ref: 000002A661301397

Part of subcall function 000002A66130152C: StrCmpIW.SHLWAPI ref: 000002A66130155D

GetProcessHeap.KERNEL32 ref: 000002A6613013DF
HeapAlloc.KERNEL32 ref: 000002A6613013ED
GetProcessHeap.KERNEL32 ref: 000002A66130140A
HeapFree.KERNEL32 ref: 000002A661301418
lstrlenW.KERNEL32 ref: 000002A661301421
GetProcessHeap.KERNEL32 ref: 000002A66130142F
HeapAlloc.KERNEL32 ref: 000002A66130143D
StrCpyW.SHLWAPI ref: 000002A66130145F
GetProcessHeap.KERNEL32 ref: 000002A661301476
HeapFree.KERNEL32 ref: 000002A661301484

Strings

d, xrefs: 000002A66130135A

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: 5c01c19bc0298f85c8339ea94e196dd5b5f1323890ee4be88120aa0ba9bb59bc
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: F0512776A14B8487EB50CFA2E44D35AB7B9F78AF89F094124DA4A27728DF7CC049C741

Function 000002A661301D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002A661301D1F

Part of subcall function 000002A661301FD4: GetModuleHandleA.KERNEL32 ref: 000002A661301FEC
Part of subcall function 000002A661301FD4: GetProcAddress.KERNEL32 ref: 000002A661301FFD

Part of subcall function 000002A661305B30: GetCurrentThreadId.KERNEL32 ref: 000002A661305B6B

Strings

EnumServiceGroupW, xrefs: 000002A661301DF0
NtQuerySystemInformation, xrefs: 000002A661301D45
EnumServicesStatusExW, xrefs: 000002A661301E11, 000002A661301E32
NtEnumerateValueKey, xrefs: 000002A661301DD6
NtQueryDirectoryFileEx, xrefs: 000002A661301D9C
NtEnumerateKey, xrefs: 000002A661301DB9
sechost.dll, xrefs: 000002A661301E39
advapi32.dll, xrefs: 000002A661301DF7, 000002A661301E18
NtDeviceIoControlFile, xrefs: 000002A661301E56
NtResumeThread, xrefs: 000002A661301D62
ntdll.dll, xrefs: 000002A661301D2D
NtQueryDirectoryFile, xrefs: 000002A661301D7F

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: 147c2e2ec541b53145e726b289546c28288565d736413d3e5244b9f1f05d4738
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: 8A31A064B10A5AA3EA04EBA5ED5E6D423A9B717F49F8C4113940B331659F3CC24DC3D2

Function 000002A6612D6910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002A6612D6938
__scrt_acquire_startup_lock.LIBCMT ref: 000002A6612D698A
_RTC_Initialize.LIBCMT ref: 000002A6612D69B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002A6612D69DE
__scrt_release_startup_lock.LIBCMT ref: 000002A6612D6A09

Strings

`eh vector copy constructor iterator', xrefs: 000002A6612D6A3B
scriptor', xrefs: 000002A6612D6B39, 000002A6612D6BB2, 000002A6612D6BEC
`dynamic initializer for ', xrefs: 000002A6612D69C7
`eh vector vbase copy constructor iterator', xrefs: 000002A6612D69EE

Memory Dump Source

Source File: 00000024.00000002.3238218318.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a6612d0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: e87bf346922b52b2af9168f1f418e053012b6a09ee5fcf7955fafdcfd6fac762
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 0D81CE21F106818BFA54AB66D48D399329DAF87F80F5C8125DA4987796EF3CC9CD8703

Function 000002A66130CE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 000002A66130CE37
FlsGetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CE4C
FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CE6D
FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CE9A
FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CEAB
FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CEBC
SetLastError.KERNEL32 ref: 000002A66130CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF0D
FlsSetValue.KERNEL32(?,?,00000001,000002A66130ECCC,?,?,?,?,000002A66130BF9F,?,?,?,?,?,000002A661307AB0), ref: 000002A66130CF2C

Part of subcall function 000002A66130D6CC: HeapAlloc.KERNEL32 ref: 000002A66130D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF54

Part of subcall function 000002A66130D744: HeapFree.KERNEL32 ref: 000002A66130D75A
Part of subcall function 000002A66130D744: GetLastError.KERNEL32 ref: 000002A66130D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF76

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: a3ebcece3df98fd1e9725f906f8bf8db5f5c64855dc8a79f9fd7b15e885684d0
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: 77417420F0128443FA68A735595D36922DD5B47FB2F1C4764A93B376E6DF2C980D8393

Function 000002A661302244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002A661302259
GetCurrentProcessId.KERNEL32 ref: 000002A661302263

Part of subcall function 000002A661301934: OpenProcess.KERNEL32 ref: 000002A661301952
Part of subcall function 000002A661301934: IsWow64Process.KERNEL32 ref: 000002A661301968
Part of subcall function 000002A661301934: CloseHandle.KERNEL32 ref: 000002A661301983

CreateFileW.KERNEL32 ref: 000002A6613022BC
WriteFile.KERNEL32 ref: 000002A6613022E4
ReadFile.KERNEL32 ref: 000002A661302303
CloseHandle.KERNEL32 ref: 000002A66130230C

Strings

\\.\pipe\dialerchildproc64, xrefs: 000002A66130228C
\\.\pipe\dialerchildproc32, xrefs: 000002A661302293

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 9e913e5ef9d9d4dd90f3ca067dd4efb44e8ac8cefc28dc1332a14b226ca3e093
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 6C213A72B18A9083EB10CB65E54D35A73A4F78ABA5F580215EA5A13AA8CF7CC149CB41

Function 000002A66130A544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002A66130A5A1

Part of subcall function 000002A66130B414: __GetUnwindTryBlock.LIBCMT ref: 000002A66130B457
Part of subcall function 000002A66130B414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002A66130B47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002A66130A679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002A66130A8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002A66130A9DA

Strings

csm, xrefs: 000002A66130A5BB
csm, xrefs: 000002A66130A69C
csm, xrefs: 000002A66130A622

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: f9dc5a9824cbe41745e6e6afb53450f4abea2dc5f6e99ba2920a5b912b4b268f
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: AEE19F72B047448BEB20DF25A44C39D7BE8F746B99F084115DE8A67BA5CF38C189C782

Function 000002A6612D9944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002A6612D99A1

Part of subcall function 000002A6612DA814: __GetUnwindTryBlock.LIBCMT ref: 000002A6612DA857
Part of subcall function 000002A6612DA814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002A6612DA87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002A6612D9A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002A6612D9CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002A6612D9DDA

Strings

csm, xrefs: 000002A6612D9A22
csm, xrefs: 000002A6612D9A9C
csm, xrefs: 000002A6612D99BB

Memory Dump Source

Source File: 00000024.00000002.3238218318.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a6612d0000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 681959dd6542599d6789764f186a42efd8a6d505218f830932f82b8ebb8010d4
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: C1E17C32F04B808BEB609B65D45839D77ACFB56B98F181115EE8957B99CF38C0E9C702

Function 000002A66130F394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32 ref: 000002A66130F510
GetProcAddress.KERNEL32 ref: 000002A66130F51C

Strings

ext-ms-, xrefs: 000002A66130F46D
api-ms-, xrefs: 000002A66130F45A

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: fa6adfc857896f79626ba7455a121a59232fbacac11bf9aa969e94737a29d1b3
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: 2241E122B15A0083EA16DB56A80C75533DDBB46FE1F0E41259D0BB7784EF3CC44D838A

Function 000002A66130104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002A6613010B1
RegEnumValueW.ADVAPI32 ref: 000002A661301117
GetProcessHeap.KERNEL32 ref: 000002A66130115A
HeapAlloc.KERNEL32 ref: 000002A661301168
GetProcessHeap.KERNEL32 ref: 000002A661301185
HeapFree.KERNEL32 ref: 000002A661301193

Strings

d, xrefs: 000002A6613010D6

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: 29549edc3a05bb9f30fb41ffd792d5d1f480f0e7d2fd4d10c68227b69ff2f9b1
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: 2B418B72614B80C7E764CF61E44839A77B5F389F89F488129DA8A17B58DF3CC489CB41

Function 000002A66130D068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D087
FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0A6
FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0CE
FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0DF
FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0F0

Strings

Y%, xrefs: 000002A66130D0A6
1%, xrefs: 000002A66130D0CE

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: bc4377a1b8938ee1d589c6b188f15fe87120af383a10576ee3c01281e8991c6e
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: F2118620F0428443FA68A735595D36962DD5B46FF1F1C4324993B277DADF2CC40A8686

Function 000002A661307510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002A661307538
__scrt_acquire_startup_lock.LIBCMT ref: 000002A66130758A
_RTC_Initialize.LIBCMT ref: 000002A6613075B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002A6613075DE
__scrt_release_startup_lock.LIBCMT ref: 000002A661307609

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 94d9e67a34e61d90d8dc91a526529cd9d217a7a82295564c3aa49440afe65ca8
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 79810230F0064187FA50AB69984D39966ECAB87F82F1C44249A8B73396DF3DC84D8783

Function 000002A661309DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000002A661309E49
GetLastError.KERNEL32 ref: 000002A661309E57
LoadLibraryExW.KERNEL32 ref: 000002A661309E81
FreeLibrary.KERNEL32 ref: 000002A661309EC7
GetProcAddress.KERNEL32 ref: 000002A661309ED3

Strings

api-ms-, xrefs: 000002A661309E69

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 50e13fa17c3bf59197d400e801c98b0be272adff0d23520052f25ab3404dd5bc
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 3F319021B12A40A3EE11DF46A80C76562DCB74AFA1F5D05259D1F6B790DF3DC849C392

Function 000002A661313DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002A661313DE5
GetLastError.KERNEL32 ref: 000002A661313DF1
CloseHandle.KERNEL32 ref: 000002A661313E09
CreateFileW.KERNEL32 ref: 000002A661313E34
WriteConsoleW.KERNEL32 ref: 000002A661313E53

Strings

CONOUT$, xrefs: 000002A661313E15

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: ff65df3e6d8c9de4419cb773b33199b337b810cada23280e1cd4933ea371c746
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 8A116D32B14B8087E7509B52E84D31976B8F78AFE4F084224EA5F97794CF7CC8188781

Function 000002A661303790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002A66130379E
GetCurrentProcess.KERNEL32 ref: 000002A6613037CC
VirtualProtectEx.KERNEL32 ref: 000002A6613037EE
GetCurrentProcess.KERNEL32 ref: 000002A661303809
VirtualProtectEx.KERNEL32 ref: 000002A66130382A

Strings

wr, xrefs: 000002A6613037FF

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 025d1bc40c232432275dae4ecc1318edf57f0e1ebcf64f5229914e418f725714
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: F8115B76B04B8187EF149B62E40C66976B8FB8AF85F480029DE8E17794EF3DC609C705

Function 000002A661305B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002A661305B6B
GetThreadContext.KERNEL32 ref: 000002A661305CD5

Part of subcall function 000002A661305960: GetCurrentThreadId.KERNEL32 ref: 000002A661305964

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: 5f5900bbcb72c6ae03449aabeaeaebc51276a3d35255987f9de81e93377eb069
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: 3BD1B836604B8882EA70DB0AE49835A77F4F389F85F144216EACE57BA5CF3DC545CB81

Function 000002A661302F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002A661302F27
HeapAlloc.KERNEL32 ref: 000002A661302F3A
StrCmpNIW.SHLWAPI ref: 000002A661302FAF
GetProcessHeap.KERNEL32 ref: 000002A661303015
HeapFree.KERNEL32 ref: 000002A661303023

Strings

dialer, xrefs: 000002A661302FA8

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 0dbaea95a655bbe900e3289c597c93d81e3b199630ae2b61a37e5e2c9be7583f
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: AA31BF32B01B5183EA10DF66A64C76A67E8FB46FC5F0C40249E4A17B55EF3CC4A98381

Function 000002A66130CFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002A66130CFAF
FlsSetValue.KERNEL32(?,?,?,000002A66130D6B5,?,?,?,?,000002A66130D778), ref: 000002A66130CFE5
FlsSetValue.KERNEL32(?,?,?,000002A66130D6B5,?,?,?,?,000002A66130D778), ref: 000002A66130D012
FlsSetValue.KERNEL32(?,?,?,000002A66130D6B5,?,?,?,?,000002A66130D778), ref: 000002A66130D023
FlsSetValue.KERNEL32(?,?,?,000002A66130D6B5,?,?,?,?,000002A66130D778), ref: 000002A66130D034
SetLastError.KERNEL32 ref: 000002A66130D04F

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 0c3f37101a929da6b2ab2e1659a4edb589a4527edbf683f148d599b530f189ca
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: A4116020B0028443FA64A7315A5D72962DE6B86FF1F1C4724A937676D6DF6C84098783

Function 000002A66130199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002A6613019C2
K32GetModuleFileNameExW.KERNEL32 ref: 000002A6613019E0
PathFindFileNameW.SHLWAPI ref: 000002A6613019EF
lstrlenW.KERNEL32 ref: 000002A6613019FB
StrCpyW.SHLWAPI ref: 000002A661301A0E
CloseHandle.KERNEL32 ref: 000002A661301A1C

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: 471f3759c9f5d2bef42bfea3fd4cb3963e2dd95c959e6c4d1128e52080657580
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: C4015771B00A8083EA50DB92A85C35AA3A9F789FC5F884035DE8A63764DF7CC98DC741

Function 000002A6613036C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002A6613036E4
GetCurrentProcess.KERNEL32 ref: 000002A6613036F2
VirtualProtectEx.KERNEL32 ref: 000002A661303714
GetCurrentProcess.KERNEL32 ref: 000002A661303732
VirtualProtectEx.KERNEL32 ref: 000002A661303753
TerminateThread.KERNEL32 ref: 000002A661303762

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 79ca0cd446847db94c87b220a4133f292dc0ecc6b103301cedece9ec62c6ad04
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: B8011BB5B15B8087EB249B62E80D71972B8BB46F86F080424CA4A27754EF7DC50CC742

Function 000002A661309005 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A661309013
_IsNonwritableInCurrentImage.LIBCMT ref: 000002A6613090A8
RtlUnwindEx.NTDLL ref: 000002A6613090F7

Strings

csm, xrefs: 000002A66130908E
f, xrefs: 000002A661309026

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 077875c1ecc3ba653c40cf27df437926aa55189474758356bf14258b29207a20
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: AC517C32B0160087EB18DF15E84CB5937DAF346F99F198528DA5B63788EF79C849C782

Function 000002A661308FE8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A661309013
_IsNonwritableInCurrentImage.LIBCMT ref: 000002A6613090A8
RtlUnwindEx.NTDLL ref: 000002A6613090F7

Strings

csm, xrefs: 000002A66130908E
f, xrefs: 000002A661309026

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: ba38e771323935cd7c4c993903e564a77b026bca2c24c40e091b995464114721
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 39315432B0064087E714DF12E84CB1977A9F386F89F0A8418EA5B23789DF79C948C786

Function 000002A661301A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002A661301A60
StrCmpNIW.SHLWAPI ref: 000002A661301A7A
lstrlenW.KERNEL32 ref: 000002A661301A89
StrCpyW.SHLWAPI ref: 000002A661301A9E

Strings

\\?\, xrefs: 000002A661301A6E

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: b1b7e669e6661b3feae12b7b33b5b685191a7800304716cf001d880ba287570f
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 07F08C72B0468083FB208B60E88C35A63B9F749F88F888024DA4A57964DF6CC68DCB01

Function 000002A661303044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002A661303066
StrCpyW.SHLWAPI ref: 000002A661303076
StrCatW.SHLWAPI ref: 000002A661303082
PathCombineW.SHLWAPI ref: 000002A661303090

Strings

\\.\pipe\, xrefs: 000002A66130305C

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: cf77e8b58ec68dbf932fe7d168add0dfe5d0c02535d993d737ff7324a50749b0
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 65F08CA0B04BC083EA008B93B90D119B2A9AB4AFC0F0C8430EE4B27B28DF7CC44D8701

Function 000002A66130BC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002A66130BCBD
GetProcAddress.KERNEL32 ref: 000002A66130BCD3
FreeLibrary.KERNEL32 ref: 000002A66130BCFA

Strings

CorExitProcess, xrefs: 000002A66130BCCC
mscoree.dll, xrefs: 000002A66130BCB4

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: e21ae87d0ac0485e57b5ed7f78d9bcfc49820b6887902ab70198c3f652ea4012
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 24F06275B1164583EF108B64E84D3597368EB86F61F5C4619CA6B5B1E8CF6CC14DC341

Function 000002A6613050D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002A661305156

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: 9fa3ce34b8c865c90ad51e3620c2008df4696012e5c82a0db968548b5f0cb8e8
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: 1002E832A19B8487EB60CB55F49835AB7E4F3C5B91F140015EA8E97BA8DF7DC488CB41

Function 000002A661305710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002A661305726

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: 94fa4eeebce64f2b49e1f32bc3357c48cfb3c794009292f3f2d6159d2374f774
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: AE61F636A19B44C7E7608B15E44C31AB7E8F389B85F580115EA8E57BA8DF7CC548CF82

Function 000002A661314104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002A66131412C
_set_statfp.LIBCMT ref: 000002A661314147
_set_statfp.LIBCMT ref: 000002A661314163
_set_statfp.LIBCMT ref: 000002A66131419F

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 66361736f5e8a90f3f2d0b71ac309b0d3cb3498acf01c0f7b7fefb88f4f0f5d8
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: F211A022F10A5123F6641568E95F369354C6B7BBBCF5C0634E977277E6CF2CC84A8202

Function 000002A6612E3504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002A6612E352C
_set_statfp.LIBCMT ref: 000002A6612E3547
_set_statfp.LIBCMT ref: 000002A6612E3563
_set_statfp.LIBCMT ref: 000002A6612E359F

Memory Dump Source

Source File: 00000024.00000002.3238218318.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a6612d0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 22cd65d3b8f6dd6f7d9b94902791a143805ac03df98696b6fd4da49aabfe5191
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: F2118F22F10AD113FA649539F44D36911CD7B5FB76E4C8638A966073F68F2CCACD4202

Function 000002A6612DF040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002A6612DF124

Strings

or copy constructor iterator', xrefs: 000002A6612DF25A, 000002A6612DF275
Tuesday, xrefs: 000002A6612DF0F4
Wednesday, xrefs: 000002A6612DF1ED

Memory Dump Source

Source File: 00000024.00000002.3238218318.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a6612d0000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 0bf1e752806efdf3d6918c8cb5621e3440e718aefe77ceb97043c9c5cc2f889e
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 80618E66F0024047FB658B75E54C32B66ADEB87F40F5D4519CA4A177A8DF3CC9CE820A

Function 000002A66130AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000002A66130AA68
_CallSETranslator.LIBVCRUNTIME ref: 000002A66130AAB7

Strings

MOC, xrefs: 000002A66130AA7C
RCC, xrefs: 000002A66130AA85

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: af1233a52f56241061660763b27a88547fce862d6649db4ccb4df901e0d389cc
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 86614932B00B848AEB20DF65E44839D77E4F345B89F084215EE4A27BA8DF78C599C781

Function 000002A66130AD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A66130ADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002A66130AE88

Strings

csm, xrefs: 000002A66130ADC2
csm, xrefs: 000002A66130AEDA

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 71553aecd4e6c0be1a45bd4f8553e36c14cf70e2545c3f161416fa0a9a176b52
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 7F519272B002808BEB648F25A49C35977E8F356F86F1C4119DA8A67BE5CF7CD458C782

Function 000002A6612DA178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A6612DA1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002A6612DA288

Strings

csm, xrefs: 000002A6612DA1C2
csm, xrefs: 000002A6612DA2DA

Memory Dump Source

Source File: 00000024.00000002.3238218318.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a6612d0000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 9e9e64640e33ee222bca170c8ee76b8c2aa3a2d202631a961c3e70975ee64d6a
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: CE515B32E042808BEBA48B26D44CB5877ADFB56F84F1C5116DA9987AE5CF7CD4D88702

Function 000002A6612D8405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A6612D8413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002A6612D84A8

Strings

f, xrefs: 000002A6612D8426
csm, xrefs: 000002A6612D848E

Memory Dump Source

Source File: 00000024.00000002.3238218318.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a6612d0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 8201e1b19b336b27b06942c19ab8646d026c506d3e7787226ca7cd4a84cb06ae
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 4751AF32F112008BEB14CB15E40CB59379DFB52F98F9AA124DA064378CEF38D9C89706

Function 000002A6612D83E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A6612D8413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002A6612D84A8

Strings

f, xrefs: 000002A6612D8426
csm, xrefs: 000002A6612D848E

Memory Dump Source

Source File: 00000024.00000002.3238218318.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a6612d0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: cefbc8a046af985220aa2329bd1f73024f30a7703efedaf0860a35be415e2574
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 94317A35B1168097E7149B21E84C75937ACFB42F88F5A9018EE5A03788DF3CC988D706

Function 000002A661312058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002A6613120D7
WriteFile.KERNEL32 ref: 000002A66131239F
WriteFile.KERNEL32 ref: 000002A6613123E5
GetLastError.KERNEL32 ref: 000002A66131249B

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: daab32c25a9fadadc3e1a32652520a2a78c62dababe1d4e9fdec7867a8e6883d
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: 7AD1E332B14A808AE711CFB5D54939C3BB9F356B98F284215DE5AB7B99DF38C40AC341

Function 000002A6613014A4 Relevance: 6.3, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002A6613014C5
HeapFree.KERNEL32 ref: 000002A6613014D4
GetProcessHeap.KERNEL32 ref: 000002A6613014E1
HeapFree.KERNEL32 ref: 000002A6613014F0
GetProcessHeap.KERNEL32 ref: 000002A661301500

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
Instruction ID: 921e1a85b60784aa0bba0433d9b0249e05675eea00effd83e5fc34bb76f58227
Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
Instruction Fuzzy Hash: D5118BB6A00AD0C7E714DFA2A80D25977B8F78AF85F084035EA4A23726DF7CC058C741

Function 000002A661312980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000002A661312A9C
GetLastError.KERNEL32 ref: 000002A661312B27

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: f98e1d8c780189fb48322b240abb3135e65948d30303f15e17900ffbada13fd6
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: 85918E72B1065486FB609F75994E3AD3BA8B747F98F284109DE0B77694DF38C48AC702

Function 000002A661307960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000002A66130798C
GetCurrentThreadId.KERNEL32 ref: 000002A66130799A
GetCurrentProcessId.KERNEL32 ref: 000002A6613079A6
QueryPerformanceCounter.KERNEL32 ref: 000002A6613079B6

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 1cc862d301829f27dd78957ba1fd8c5096fa0c01cbaac4e6f591e442f6dc95cb
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 14111F32B10F418AEB409B60E8593A833B8F719B58F480D21DA6E57794DF7CC1988381

Function 000002A66130253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002A661302620
StrCpyW.SHLWAPI ref: 000002A661302639

Strings

\\.\pipe\, xrefs: 000002A66130262B

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: a77167060b87a4fc452a4d9a47af32d2e27e7869f2a7b79b94de1e5e43e7598e
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: 3571A436B0078147EA25DE35994C3AA67E8F386F95F580016DD0B63B89DF39C54DC782

Function 000002A6612D9E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002A6612D9EB7

Strings

MOC, xrefs: 000002A6612D9E7C
RCC, xrefs: 000002A6612D9E85

Memory Dump Source

Source File: 00000024.00000002.3238218318.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a6612d0000_svchost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 4c1e01fd7d14f6ffb4a4eaa44a0f6dfd295677d667dd27de79d18e1f6fb3ebd9
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 21614832F00B848AEB20DF65D48879D77A8FB45B88F084216EF4917B99DF38D199C701

Function 000002A661302330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002A661302416
StrCpyW.SHLWAPI ref: 000002A66130242D

Strings

\\.\pipe\, xrefs: 000002A661302421

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 8b65ca84562374e5dcff84955426101dcfa6df48021d4bc966f847153521bb2b
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 03519232B0478183E664DA39A65C3AAA6E9F386F41F4A0125DD5B33B59DF3DC50C87C2

Function 000002A6613126F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002A661312807
GetLastError.KERNEL32 ref: 000002A661312829

Strings

U, xrefs: 000002A6613127B3

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 435cc8df130a4e77d3710c788b2ddf4808abbc3271533ea666418ec5651f9c6f
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: E941E672B14A8087DB20DF25E94D3AA77A4F38AB94F584021EE4E97784DF7CC405C741

Function 000002A6613094A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002A6613094F0
RaiseException.KERNEL32 ref: 000002A661309531

Strings

csm, xrefs: 000002A66130951E

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: b3e6afc7812eff5d23d9e2531ddbd3c8dde3b3595130f4102b15f64d21df9287
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 5A115832604B8082EB218F15E448359B7E8FB89F94F1D4220EE8E17B68DF3CC555CB40

Function 000002A6612D7356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002A6612D737C

Strings

riptor at (, xrefs: 000002A6612D7364
ierarchy Descriptor', xrefs: 000002A6612D7381

Memory Dump Source

Source File: 00000024.00000002.3238218318.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a6612d0000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 0f3f6b22aa811685f5e546128debed61f89d1e56892167602ce41c22e1950124
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: FDE04F65B50B8591DB028F62E8482D833A89B5AB64B489122D95C07311EB3CD2EDC301

Function 000002A6612D73B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002A6612D73D8

Strings

Locator', xrefs: 000002A6612D73DD
riptor at (, xrefs: 000002A6612D73C0

Memory Dump Source

Source File: 00000024.00000002.3238218318.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a6612d0000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 93a3ced56bc647de6299b8a1905d2a6032edb69f7bc4320d41604ef82ca62c1f
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: AEE08666F10B4481DF028F71E4441D87368EB5AF54B8C9122C95C07311EF3CD2E9C301

Function 000002A661301BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002A661301C2D
HeapAlloc.KERNEL32 ref: 000002A661301C3B
GetProcessHeap.KERNEL32 ref: 000002A661301C77
HeapFree.KERNEL32 ref: 000002A661301C85

Part of subcall function 000002A66130152C: StrCmpIW.SHLWAPI ref: 000002A66130155D

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: 72cf71b4c8bcd0622c645fc165e77207b5f5e2b8a8cfb2fde8c47a753de635a3
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: FC115B75B01B8482EA04DB66A80D22A73E9EB8AFC5F1C4028DE4E67765DFBCC446C341

Function 000002A661301268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002A66130126E
HeapAlloc.KERNEL32 ref: 000002A66130127D
GetProcessHeap.KERNEL32 ref: 000002A661301297
HeapAlloc.KERNEL32 ref: 000002A6613012A8

Memory Dump Source

Source File: 00000024.00000002.3238343628.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_2a661300000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: b5369b631e5731d7a483f2840394a7dd6d44661382897b8f9f01a4c4ceb7f075
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 18E065B5B01A4487EB088FA2D80D34A36E5FB8AF06F09C024CD0A07361DFFD8499CB91

Analysis Process: dwm.exePID: 988, Parent PID: 8136COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	94.3%
Signature Coverage:	0%
Total number of Nodes:	106
Total number of Limit Nodes:	16

Executed Functions

Function 000002BAAEDD1628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002BAAEDD1633
HeapAlloc.KERNEL32 ref: 000002BAAEDD1642

Part of subcall function 000002BAAEDD1268: GetProcessHeap.KERNEL32 ref: 000002BAAEDD126E
Part of subcall function 000002BAAEDD1268: HeapAlloc.KERNEL32 ref: 000002BAAEDD127D
Part of subcall function 000002BAAEDD1268: GetProcessHeap.KERNEL32 ref: 000002BAAEDD1297
Part of subcall function 000002BAAEDD1268: HeapAlloc.KERNEL32 ref: 000002BAAEDD12A8

RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD16B2
RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD16DF
RegCloseKey.ADVAPI32 ref: 000002BAAEDD16F9
RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD1719
RegCloseKey.ADVAPI32 ref: 000002BAAEDD1734
RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD1754
RegCloseKey.ADVAPI32 ref: 000002BAAEDD176F
RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD178F
RegCloseKey.ADVAPI32 ref: 000002BAAEDD17AA
RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD17CA
RegCloseKey.ADVAPI32 ref: 000002BAAEDD17E5
RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD1805
RegCloseKey.ADVAPI32 ref: 000002BAAEDD1820
RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD1840
RegCloseKey.ADVAPI32 ref: 000002BAAEDD185B
RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD187B
RegCloseKey.ADVAPI32 ref: 000002BAAEDD1896
RegCloseKey.ADVAPI32 ref: 000002BAAEDD18A0

Part of subcall function 000002BAAEDD12BC: RegQueryInfoKeyW.ADVAPI32 ref: 000002BAAEDD1319
Part of subcall function 000002BAAEDD12BC: GetProcessHeap.KERNEL32 ref: 000002BAAEDD1327
Part of subcall function 000002BAAEDD12BC: HeapAlloc.KERNEL32 ref: 000002BAAEDD1338
Part of subcall function 000002BAAEDD12BC: RegEnumValueW.ADVAPI32 ref: 000002BAAEDD1397
Part of subcall function 000002BAAEDD12BC: GetProcessHeap.KERNEL32 ref: 000002BAAEDD13DF
Part of subcall function 000002BAAEDD12BC: HeapAlloc.KERNEL32 ref: 000002BAAEDD13ED
Part of subcall function 000002BAAEDD12BC: GetProcessHeap.KERNEL32 ref: 000002BAAEDD140A
Part of subcall function 000002BAAEDD12BC: HeapFree.KERNEL32 ref: 000002BAAEDD1418
Part of subcall function 000002BAAEDD12BC: lstrlenW.KERNEL32 ref: 000002BAAEDD1421
Part of subcall function 000002BAAEDD12BC: GetProcessHeap.KERNEL32 ref: 000002BAAEDD142F
Part of subcall function 000002BAAEDD12BC: HeapAlloc.KERNEL32 ref: 000002BAAEDD143D

Strings

SOFTWARE\dialerconfig, xrefs: 000002BAAEDD1692
tcp_remote, xrefs: 000002BAAEDD1839
tcp_local, xrefs: 000002BAAEDD17FE
service_names, xrefs: 000002BAAEDD17C3
startup, xrefs: 000002BAAEDD16D5
paths, xrefs: 000002BAAEDD1788
process_names, xrefs: 000002BAAEDD174D
pid, xrefs: 000002BAAEDD1712
udp, xrefs: 000002BAAEDD1874

Memory Dump Source

Source File: 00000026.00000002.3267881526.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaedd0000_dwm.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 1cd993aa2e4ca2ca68512b5fa9006a8bf35805f96022a16a3de0c38e9af3347a
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 03713936311A10CAEB50EF75E8986AD33B5FB84B98F201116DE8E97B68DF38C544C361

Function 000002BAAEDD3790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 000002BAAEDD379E
GetCurrentProcess.KERNEL32 ref: 000002BAAEDD37CC
VirtualProtectEx.KERNEL32 ref: 000002BAAEDD37EE
GetCurrentProcess.KERNEL32 ref: 000002BAAEDD3809
VirtualProtectEx.KERNEL32 ref: 000002BAAEDD382A

Strings

wr, xrefs: 000002BAAEDD37FF

Memory Dump Source

Source File: 00000026.00000002.3267881526.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaedd0000_dwm.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 462342938f27d681e7f45fad441101ff68967ea814c45b17604f347c0a4b5bf3
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 7411353A705B8182EF689B21E44C26973B1FB88B95F64002ADEDD87B94EF3DC505C725

Function 000002BAAEDD5B30 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000002BAAEDD5B6B
GetThreadContext.KERNEL32 ref: 000002BAAEDD5CD5

Part of subcall function 000002BAAEDD5960: GetCurrentThreadId.KERNEL32 ref: 000002BAAEDD5964

Memory Dump Source

Source File: 00000026.00000002.3267881526.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaedd0000_dwm.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
Instruction ID: 495d57ed8553111e4e128e1b6255c028dc87b89d2567e538d286b7ba3df4ff32
Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
Instruction Fuzzy Hash: 71D1A936209B88C6DA70DB1AE49835A77B0F7C8B84F200516EACD87BA9DF3DC551CB51

Function 000002BAAEDD50D0 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000002BAAEDD5156

Memory Dump Source

Source File: 00000026.00000002.3267881526.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaedd0000_dwm.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
Instruction ID: debfef5cb2b2f1efafcd3bde8b349a94f9ea710e3e20d61597c4b0ade23fd8dd
Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
Instruction Fuzzy Hash: 9402D83221AB84C6EB60DB59E49435ABBB1F3C4794F204416EACE87BA9DF7CC454CB11

Function 000002BAAEDD39E0 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 000002BAAEDD3A66
VirtualAlloc.KERNEL32 ref: 000002BAAEDD3AA0

Memory Dump Source

Source File: 00000026.00000002.3267881526.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaedd0000_dwm.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction ID: e57386cb4ae447fc151b5581e62860c8597a884605dd7c21122e93a40e2eb5d5
Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction Fuzzy Hash: 4131242231BB8481EA71DB19E09939E77B4F388784F201526F5CD86BA9DF7DC540CB16

Function 000002BAAEDD328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002BAAEDD32AE
PathFindFileNameW.SHLWAPI ref: 000002BAAEDD32BD

Part of subcall function 000002BAAEDD3844: StrCmpNIW.SHLWAPI ref: 000002BAAEDD385C

Part of subcall function 000002BAAEDD3790: GetModuleHandleW.KERNEL32 ref: 000002BAAEDD379E
Part of subcall function 000002BAAEDD3790: GetCurrentProcess.KERNEL32 ref: 000002BAAEDD37CC
Part of subcall function 000002BAAEDD3790: VirtualProtectEx.KERNEL32 ref: 000002BAAEDD37EE
Part of subcall function 000002BAAEDD3790: GetCurrentProcess.KERNEL32 ref: 000002BAAEDD3809
Part of subcall function 000002BAAEDD3790: VirtualProtectEx.KERNEL32 ref: 000002BAAEDD382A

CreateThread.KERNEL32 ref: 000002BAAEDD330B

Part of subcall function 000002BAAEDD1D14: GetCurrentThread.KERNEL32 ref: 000002BAAEDD1D1F

Memory Dump Source

Source File: 00000026.00000002.3267881526.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaedd0000_dwm.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: d9976a28d3edefbc484b26820ec4384613920bc9bede386f6cfe404f3c3adaa6
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: E911803161274082FB60AB25FA8D76933B4E754B44F70512AD9CEC5595EF78C144C273

Function 000002BAAEDD4DF0 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000002BAAEDD4DF4
VirtualProtect.KERNEL32 ref: 000002BAAEDD4E37
FlushInstructionCache.KERNEL32 ref: 000002BAAEDD4E4C

Memory Dump Source

Source File: 00000026.00000002.3267881526.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaedd0000_dwm.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
Instruction ID: a094a045ce428c8382e8de798b1b9a6c7c6ee4977feabb25ddd08a1ad637c0c8
Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
Instruction Fuzzy Hash: 6EF03A26219B04C0D631DB01E48934EBBB0F388BD4F240116FACD83BA9CB3CC690CB21

Function 000002BAAEDA273C Relevance: 3.2, APIs: 2, Instructions: 187
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002BAAEDA27DB
LoadLibraryA.KERNELBASE ref: 000002BAAEDA285E

Memory Dump Source

Source File: 00000026.00000002.3267820512.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaeda0000_dwm.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: eb3719fafc7ec8463c302ea4e313405cb53f27c6a32c8c03131f423db2fe9aad
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 46612532B0169087DB64CF2AD40872DB3B2FB54FA4F688525DE9D07788DB38D962C721

Function 000002BAAEDD1ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002BAAEDD1628: GetProcessHeap.KERNEL32 ref: 000002BAAEDD1633
Part of subcall function 000002BAAEDD1628: HeapAlloc.KERNEL32 ref: 000002BAAEDD1642
Part of subcall function 000002BAAEDD1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD16B2
Part of subcall function 000002BAAEDD1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD16DF
Part of subcall function 000002BAAEDD1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDD16F9
Part of subcall function 000002BAAEDD1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD1719
Part of subcall function 000002BAAEDD1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDD1734
Part of subcall function 000002BAAEDD1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD1754
Part of subcall function 000002BAAEDD1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDD176F
Part of subcall function 000002BAAEDD1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD178F
Part of subcall function 000002BAAEDD1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDD17AA
Part of subcall function 000002BAAEDD1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD17CA

Sleep.KERNEL32 ref: 000002BAAEDD1AD7
SleepEx.KERNELBASE ref: 000002BAAEDD1ADD

Part of subcall function 000002BAAEDD1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDD17E5
Part of subcall function 000002BAAEDD1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD1805
Part of subcall function 000002BAAEDD1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDD1820
Part of subcall function 000002BAAEDD1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD1840
Part of subcall function 000002BAAEDD1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDD185B
Part of subcall function 000002BAAEDD1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD187B
Part of subcall function 000002BAAEDD1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDD1896
Part of subcall function 000002BAAEDD1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDD18A0

Memory Dump Source

Source File: 00000026.00000002.3267881526.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaedd0000_dwm.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 028ec452a4f0b78a77d2aa10aed9f1aa3cfbe43c61dc3217750bbde5e745066d
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: F1310E613026418AFF50DB26DAD93A933B4EB85BC0F25542B9E8DC76D6FF24C851C232

Function 000002BAAEE0273C Relevance: 1.4, APIs: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002BAAEE027DB

Memory Dump Source

Source File: 00000026.00000002.3267980444.000002BAAEE00000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaee00000_dwm.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 78172ccfd8c0b87b0bd4e19efbe06efee7ae85add5980c363d4ee77a783d7f21
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 45614736B4169097DBA4CF19D00872D73F2F758B94FA88521CF9907B8ADB38D852C721

Non-executed Functions

Function 000002BAAEE06910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002BAAEE06938
__scrt_acquire_startup_lock.LIBCMT ref: 000002BAAEE0698A
_RTC_Initialize.LIBCMT ref: 000002BAAEE069B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002BAAEE069DE
__scrt_release_startup_lock.LIBCMT ref: 000002BAAEE06A09

Strings

`dynamic initializer for ', xrefs: 000002BAAEE069C7
scriptor', xrefs: 000002BAAEE06B39, 000002BAAEE06BB2, 000002BAAEE06BEC
`eh vector vbase copy constructor iterator', xrefs: 000002BAAEE069EE
`eh vector copy constructor iterator', xrefs: 000002BAAEE06A3B

Memory Dump Source

Source File: 00000026.00000002.3267980444.000002BAAEE00000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaee00000_dwm.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 624eee6c04898b6614bea2924ffbafb408891aa577c9478ede24f054e8013e9b
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: F581A061780342A6FAF0AB65945935933F0EB95780F748035A9C947FD6EB38C986C733

Function 000002BAAEDA6910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002BAAEDA6938
__scrt_acquire_startup_lock.LIBCMT ref: 000002BAAEDA698A
_RTC_Initialize.LIBCMT ref: 000002BAAEDA69B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002BAAEDA69DE
__scrt_release_startup_lock.LIBCMT ref: 000002BAAEDA6A09

Strings

`eh vector vbase copy constructor iterator', xrefs: 000002BAAEDA69EE
scriptor', xrefs: 000002BAAEDA6B39, 000002BAAEDA6BB2, 000002BAAEDA6BEC
`eh vector copy constructor iterator', xrefs: 000002BAAEDA6A3B
`dynamic initializer for ', xrefs: 000002BAAEDA69C7

Memory Dump Source

Source File: 00000026.00000002.3267820512.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaeda0000_dwm.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 32cdc5dd754b9265ed1b62c1cf3c1166db28a6efdf1a5dfff2fed84b291f1566
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: EE81E021700241C6FA90AF26944D39933F1EB89B80F748425AAED477D6EB39CB65C723

Function 000002BAAEE09944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002BAAEE099A1

Part of subcall function 000002BAAEE0A814: __GetUnwindTryBlock.LIBCMT ref: 000002BAAEE0A857
Part of subcall function 000002BAAEE0A814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002BAAEE0A87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002BAAEE09A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002BAAEE09CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002BAAEE09DDA

Strings

csm, xrefs: 000002BAAEE09A9C
csm, xrefs: 000002BAAEE09A22
csm, xrefs: 000002BAAEE099BB

Memory Dump Source

Source File: 00000026.00000002.3267980444.000002BAAEE00000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaee00000_dwm.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 0f0db1ed4fc02c5bb2472a0a709be8c69891d3774ecc129aea9e11b29c3b51bf
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 75E1D072640B80AAEBB0DF65D48839D77B0F799B98F200115EEC957F99CB35C891C722

Function 000002BAAEDA9944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002BAAEDA99A1

Part of subcall function 000002BAAEDAA814: __GetUnwindTryBlock.LIBCMT ref: 000002BAAEDAA857
Part of subcall function 000002BAAEDAA814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002BAAEDAA87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002BAAEDA9A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002BAAEDA9CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002BAAEDA9DDA

Strings

csm, xrefs: 000002BAAEDA9A9C
csm, xrefs: 000002BAAEDA9A22
csm, xrefs: 000002BAAEDA99BB

Memory Dump Source

Source File: 00000026.00000002.3267820512.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaeda0000_dwm.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 11837b641cf7fbaa2370180d18065cadece89f3cd28ec07f1272569ac3389919
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 07E1C072604B808AEB60DF75E48839D77B0F755B88F205516EECD57B9ACB34C2A1C722

Function 000002BAAEE13504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002BAAEE1352C
_set_statfp.LIBCMT ref: 000002BAAEE13547
_set_statfp.LIBCMT ref: 000002BAAEE13563
_set_statfp.LIBCMT ref: 000002BAAEE1359F

Memory Dump Source

Source File: 00000026.00000002.3267980444.000002BAAEE00000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaee00000_dwm.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 84363a086f0b82955cafba38430d473bf1b16bdb6e5af2d6a27fa10674c49fc1
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: C8118672A14E5131FA741529E45D36933A16B78B74F7B8638A9F606FD6CB2CC8C1C232

Function 000002BAAEE0F040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002BAAEE0F124

Strings

or copy constructor iterator', xrefs: 000002BAAEE0F25A, 000002BAAEE0F275
Wednesday, xrefs: 000002BAAEE0F1ED
Tuesday, xrefs: 000002BAAEE0F0F4

Memory Dump Source

Source File: 00000026.00000002.3267980444.000002BAAEE00000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaee00000_dwm.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 18434aeb0c84fc901084e78cf062feca75bce04eee735aefdd6538ae75e92cbb
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 9961D132684600A2FAF5CB68E44C32A7BB0F795740F704525CADA17FA9DB34C961C233

Function 000002BAAEDAF040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002BAAEDAF124

Strings

or copy constructor iterator', xrefs: 000002BAAEDAF25A, 000002BAAEDAF275
Wednesday, xrefs: 000002BAAEDAF1ED
Tuesday, xrefs: 000002BAAEDAF0F4

Memory Dump Source

Source File: 00000026.00000002.3267820512.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaeda0000_dwm.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 97fb1626824143654bbe779d900eb1f5637e1533d1f2395c6091a79e8529f199
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 2B61E53260264042FA659B69E58C36A7BB2F781780F704565CADE177E4DB38CB62C333

Function 000002BAAEE0A178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002BAAEE0A1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002BAAEE0A288

Strings

csm, xrefs: 000002BAAEE0A2DA
csm, xrefs: 000002BAAEE0A1C2

Memory Dump Source

Source File: 00000026.00000002.3267980444.000002BAAEE00000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaee00000_dwm.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: fbf44b6c4ef83a5f2280e6267acbbcba7f182d6bcc3d933944b71546e8975092
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 43519032180384EAEBB48F25954836C77B0F755B94F288216DADD87FD5CB38D4A1C712

Function 000002BAAEDAA178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002BAAEDAA1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002BAAEDAA288

Strings

csm, xrefs: 000002BAAEDAA2DA
csm, xrefs: 000002BAAEDAA1C2

Memory Dump Source

Source File: 00000026.00000002.3267820512.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaeda0000_dwm.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 7115465f893ad9538f91c80ecd4362db5de93305e29ba78ccb391585fe135c5e
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: CA518C32100380CAEB748FA5954835C77B1F355B94F289216DADE8BBD5CB39D6B1CB12

Function 000002BAAEE08405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002BAAEE08413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002BAAEE084A8

Strings

f, xrefs: 000002BAAEE08426
csm, xrefs: 000002BAAEE0848E

Memory Dump Source

Source File: 00000026.00000002.3267980444.000002BAAEE00000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaee00000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 40f51f638e3153761a7868a6382d7c12d3b427464fb531381f830d4bad8614f1
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: B251C432741A80AADBB4DF15E44CB1937B5F354B98F718124DA9647F88EB34CC41CB2A

Function 000002BAAEDA8405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002BAAEDA8413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002BAAEDA84A8

Strings

f, xrefs: 000002BAAEDA8426
csm, xrefs: 000002BAAEDA848E

Memory Dump Source

Source File: 00000026.00000002.3267820512.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaeda0000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: ca5a7434315f0adfa0147800b6b2c82765ba5a1246e9b03322f2a6b9548c4be2
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 4A51CE3AB016008AEB54EF15E44CB1937B6F354B98F708524DE9E63788EB74CE61C726

Function 000002BAAEE083E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002BAAEE08413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002BAAEE084A8

Strings

f, xrefs: 000002BAAEE08426
csm, xrefs: 000002BAAEE0848E

Memory Dump Source

Source File: 00000026.00000002.3267980444.000002BAAEE00000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaee00000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 0a6da7d6b5ec98d8b0e82541115ef4f3f6bd02b4c099e2a493ca6f97b2948d46
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: D5319F32241B80A6E7A4DF11E84C71977B4F354B98F658014EEDA47F84DB38C985CB2A

Function 000002BAAEDA83E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002BAAEDA8413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002BAAEDA84A8

Strings

f, xrefs: 000002BAAEDA8426
csm, xrefs: 000002BAAEDA848E

Memory Dump Source

Source File: 00000026.00000002.3267820512.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaeda0000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 600f0b0a36d475cb90ff45834e4e011382e8688b953d0501ae32f59bf4019a20
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 1C31AE3A2017409AEB64EF11E84CB1977B5F340B98F258418EEDF57788DB38CA61C726

Function 000002BAAEE09E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002BAAEE09EB7

Strings

RCC, xrefs: 000002BAAEE09E85
MOC, xrefs: 000002BAAEE09E7C

Memory Dump Source

Source File: 00000026.00000002.3267980444.000002BAAEE00000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaee00000_dwm.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 8db24226de7537dab0611aab846cdbe9979b99d76c8ac61287aac47b4100a531
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 1A61AC33601B889AEB60DFA5D48439D77B0F388B88F248215EF8917F98DB39D995C711

Function 000002BAAEDA9E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002BAAEDA9EB7

Strings

MOC, xrefs: 000002BAAEDA9E7C
RCC, xrefs: 000002BAAEDA9E85

Memory Dump Source

Source File: 00000026.00000002.3267820512.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaeda0000_dwm.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 6066f6a667c02a3dde5cc671d6705a9dc30413e10d50204c4eb7aca01b800b18
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 53617B37A01B848AEB20DF65E48439D77B0F748B88F248215EF8D17B99DB38D6A5C711

Function 000002BAAEE07356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002BAAEE0737C

Strings

riptor at (, xrefs: 000002BAAEE07364
ierarchy Descriptor', xrefs: 000002BAAEE07381

Memory Dump Source

Source File: 00000026.00000002.3267980444.000002BAAEE00000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaee00000_dwm.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 8c245744f945b1c7e01126da5c7c0e99539bde68f2e34e4c23f6018239e3454d
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 6BE08661650B44A0DF129F21E84429833B0DB68B64B589122999C4A715FB3CD1EDC312

Function 000002BAAEDA7356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002BAAEDA737C

Strings

riptor at (, xrefs: 000002BAAEDA7364
ierarchy Descriptor', xrefs: 000002BAAEDA7381

Memory Dump Source

Source File: 00000026.00000002.3267820512.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaeda0000_dwm.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: aecd9389ed42b80ddfab9e11b308651d5f6fd54687e5ebd5b4ac960ee60fca0a
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: DFE0CD61640B44D0EF019F21E8442D833B1DB58B64F58D122DD9C07311FB38D2F9C311

Function 000002BAAEE073B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002BAAEE073D8

Strings

Locator', xrefs: 000002BAAEE073DD
riptor at (, xrefs: 000002BAAEE073C0

Memory Dump Source

Source File: 00000026.00000002.3267980444.000002BAAEE00000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaee00000_dwm.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 6739d80ca3845b12d61491ac9433d10b874843df0d7838e5e2ab025565334f9c
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: ACE0CD61640B48D0DF129F21D4401987370E76CB54F98D122DD9C47715FB3CD1E9C312

Function 000002BAAEDA73B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002BAAEDA73D8

Strings

riptor at (, xrefs: 000002BAAEDA73C0
Locator', xrefs: 000002BAAEDA73DD

Memory Dump Source

Source File: 00000026.00000002.3267820512.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2baaeda0000_dwm.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: f237e3cdf2cc05938838b27189fb35462db56802b89672789935330c5c78283d
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 80E0C261A00B48C0EF029F21E8842A873B1EB68B64F98D122CE8C07311FB38D2F9C311

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report services64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Sigma Signatures

Change of critical system settings

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Change of critical system settings

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\WindowsServices\WindowsAutHost

C:\Users\user\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.dat

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_celngssp.xza.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gokxv2ys.3jg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mab1rsfs.ubo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zcj001dt.dmy.ps1

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Windows\System32\drivers\etc\hosts

C:\Windows\Temp\__PSScriptPolicyTest_4vm5bhut.hui.ps1

C:\Windows\Temp\__PSScriptPolicyTest_hg044cae.wfc.psm1

C:\Windows\Temp\__PSScriptPolicyTest_lbdh3gie.v3h.psm1

C:\Windows\Temp\__PSScriptPolicyTest_ygdwurri.usj.ps1

Windows Analysis Report
services64.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre