Edit tour

Windows Analysis Report
xmr.exe

Overview

General Information

Sample name:	xmr.exe
Analysis ID:	1585418
MD5:	154202154e41175e801a698ca940eb0c
SHA1:	6ce074d67c91cb00016cb1095319b00afab396a8
SHA256:	0612bfb5a51b0b413ba960f7d52bc647bd4cf7530fd760c0d6006aa829e806e2
Tags:	CoinMinerexeuser-aachum
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Stop EventLog

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Installs new ROOT certificates

Loading BitLocker PowerShell Module

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Writes to foreign memory regions

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

xmr.exe (PID: 7660 cmdline: "C:\Users\user\Desktop\xmr.exe" MD5: 154202154E41175E801A698CA940EB0C)

powershell.exe (PID: 7712 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7884 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 7940 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 8016 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

sc.exe (PID: 7948 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8036 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8080 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8120 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8168 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dialer.exe (PID: 7188 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

winlogon.exe (PID: 556 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 984 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 372 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 772 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 888 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 660 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1200 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1224 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1352 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1392 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1404 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1412 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1476 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1596 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1648 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1704 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1716 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1740 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1800 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1876 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2012 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

sc.exe (PID: 3636 cmdline: C:\Windows\system32\sc.exe delete "ARIBLEUL" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 1848 cmdline: C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2168 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 1976 cmdline: C:\Windows\system32\sc.exe start "ARIBLEUL" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

lrgkmixyjzta.exe (PID: 2340 cmdline: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe MD5: 154202154E41175E801A698CA940EB0C)

cleanup

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\xmr.exe", ParentImage: C:\Users\user\Desktop\xmr.exe, ParentProcessId: 7660, ParentProcessName: xmr.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7712, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 7188, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 920, ProcessName: svchost.exe

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\xmr.exe", ParentImage: C:\Users\user\Desktop\xmr.exe, ParentProcessId: 7660, ParentProcessName: xmr.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto", ProcessId: 1848, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\xmr.exe", ParentImage: C:\Users\user\Desktop\xmr.exe, ParentProcessId: 7660, ParentProcessName: xmr.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7712, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Stop EventLog

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\xmr.exe", ParentImage: C:\Users\user\Desktop\xmr.exe, ParentProcessId: 7660, ParentProcessName: xmr.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 2168, ProcessName: sc.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe

ReversingLabs: Detection: 76%

Multi AV Scanner detection for submitted file

Source: xmr.exe

ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: xmr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC1DCE0 FindFirstFileExW,	4_2_000001F25AC1DCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E99175DCE0 FindFirstFileExW,	23_2_000002E99175DCE0
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000213BDCEDCE0 FindFirstFileExW,	28_2_00000213BDCEDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_00000158709DDCE0 FindFirstFileExW,	30_2_00000158709DDCE0
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000026DB16DDCE0 FindFirstFileExW,	31_2_0000026DB16DDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000002A3F066DCE0 FindFirstFileExW,	32_2_000002A3F066DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_000002C9AFBBDCE0 FindFirstFileExW,	33_2_000002C9AFBBDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000002C06FD4DCE0 FindFirstFileExW,	34_2_000002C06FD4DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_000002917C3BDCE0 FindFirstFileExW,	35_2_000002917C3BDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002238278DCE0 FindFirstFileExW,	36_2_000002238278DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000028A1B88DCE0 FindFirstFileExW,	37_2_0000028A1B88DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_000001486AD7DCE0 FindFirstFileExW,	38_2_000001486AD7DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_0000024BD3CDDCE0 FindFirstFileExW,	39_2_0000024BD3CDDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000001FA73D6DCE0 FindFirstFileExW,	40_2_000001FA73D6DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD0240DCE0 FindFirstFileExW,	41_2_000001CD0240DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA66DCE0 FindFirstFileExW,	42_2_00000269BA66DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000022054DBDCE0 FindFirstFileExW,	43_2_0000022054DBDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000027C57DDDCE0 FindFirstFileExW,	44_2_0000027C57DDDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A333B7DCE0 FindFirstFileExW,	45_2_000002A333B7DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000001F17456DCE0 FindFirstFileExW,	46_2_000001F17456DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000002331577DCE0 FindFirstFileExW,	47_2_000002331577DCE0

Source: lsass.exe, 0000001C.00000000.1484277029.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484316271.00000213BD5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 0000001C.00000002.2727831855.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484316271.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2725471719.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484198639.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2727063204.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484277029.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 0000001C.00000000.1483799757.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2718147779.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484227127.00000213BD471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2726112210.00000213BD471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 0000001C.00000002.2732193110.00000213BD613000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2723251844.00000213BD400000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: lsass.exe, 0000001C.00000000.1484277029.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484316271.00000213BD5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: lsass.exe, 0000001C.00000000.1484277029.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484316271.00000213BD5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 0000001C.00000000.1483799757.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2718147779.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484227127.00000213BD471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2726112210.00000213BD471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000001C.00000002.2727831855.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484316271.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2725471719.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484198639.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2727063204.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484277029.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 0000001C.00000002.2732193110.00000213BD613000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2723251844.00000213BD400000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: lsass.exe, 0000001C.00000000.1484277029.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484316271.00000213BD5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000001C.00000000.1484277029.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 0000001C.00000002.2727831855.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484316271.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2725471719.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484198639.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2727063204.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484277029.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000001C.00000000.1484277029.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484316271.00000213BD5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000001C.00000000.1483908790.00000213BCEB8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2720639866.00000213BCEB8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 0000001C.00000002.2723251844.00000213BD400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484058252.00000213BD400000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 0000001C.00000000.1483737658.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2716787516.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 0000001C.00000000.1483799757.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2718147779.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 0000001C.00000000.1483737658.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2716787516.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: lsass.exe, 0000001C.00000002.2732193110.00000213BD613000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2727831855.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484316271.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2725471719.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484198639.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1483799757.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2723251844.00000213BD400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2718147779.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2727063204.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484277029.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484227127.00000213BD471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484316271.00000213BD5AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2726112210.00000213BD471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 0000001C.00000000.1484277029.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 0000001C.00000000.1484277029.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484316271.00000213BD5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: lsass.exe, 0000001C.00000002.2727063204.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484277029.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: lsass.exe, 0000001C.00000000.1483737658.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2716787516.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 0000001C.00000000.1483737658.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2716787516.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: lsass.exe, 0000001C.00000000.1483737658.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1483799757.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2718147779.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2716787516.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 0000001C.00000000.1483737658.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2716787516.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 0000001C.00000000.1483737658.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2716787516.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 0000001C.00000000.1483737658.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2716787516.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: lsass.exe, 0000001C.00000000.1484277029.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1484316271.00000213BD5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0

Source: C:\Windows\System32\dialer.exe	Code function: 18_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,	18_2_00000001400010C0
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E9917528C8 NtEnumerateValueKey,NtEnumerateValueKey,	23_2_000002E9917528C8
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000213BDCE253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,	28_2_00000213BDCE253C
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000213BDCE202C NtQuerySystemInformation,StrCmpNIW,	28_2_00000213BDCE202C
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000026DB16D28C8 NtEnumerateValueKey,NtEnumerateValueKey,	31_2_0000026DB16D28C8
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002238278202C NtQuerySystemInformation,StrCmpNIW,	36_2_000002238278202C

Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25ABE1F2C	4_2_000001F25ABE1F2C
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25ABF38A8	4_2_000001F25ABF38A8
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25ABED0E0	4_2_000001F25ABED0E0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC12B2C	4_2_000001F25AC12B2C
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC244A8	4_2_000001F25AC244A8
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC1DCE0	4_2_000001F25AC1DCE0
Source: C:\Windows\System32\dialer.exe	Code function: 18_2_000000014000226C	18_2_000000014000226C
Source: C:\Windows\System32\dialer.exe	Code function: 18_2_00000001400014D8	18_2_00000001400014D8
Source: C:\Windows\System32\dialer.exe	Code function: 18_2_0000000140002560	18_2_0000000140002560
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E991721F2C	23_2_000002E991721F2C
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E99172D0E0	23_2_000002E99172D0E0
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E9917338A8	23_2_000002E9917338A8
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E991752B2C	23_2_000002E991752B2C
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E99175DCE0	23_2_000002E99175DCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E9917644A8	23_2_000002E9917644A8
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000213BDCBD0E0	28_2_00000213BDCBD0E0
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000213BDCC38A8	28_2_00000213BDCC38A8
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000213BDCB1F2C	28_2_00000213BDCB1F2C
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000213BDCEDCE0	28_2_00000213BDCEDCE0
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000213BDCF44A8	28_2_00000213BDCF44A8
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000213BDCE2B2C	28_2_00000213BDCE2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_00000158709A1F2C	30_2_00000158709A1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_00000158709AD0E0	30_2_00000158709AD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_00000158709B38A8	30_2_00000158709B38A8
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_00000158709D2B2C	30_2_00000158709D2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_00000158709DDCE0	30_2_00000158709DDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_00000158709E44A8	30_2_00000158709E44A8
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000026DB16AD0E0	31_2_0000026DB16AD0E0
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000026DB16B38A8	31_2_0000026DB16B38A8
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000026DB16A1F2C	31_2_0000026DB16A1F2C
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000026DB16DDCE0	31_2_0000026DB16DDCE0
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000026DB16E44A8	31_2_0000026DB16E44A8
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000026DB16D2B2C	31_2_0000026DB16D2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000002A3EFFCD0E0	32_2_000002A3EFFCD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000002A3EFFD38A8	32_2_000002A3EFFD38A8
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000002A3EFFC1F2C	32_2_000002A3EFFC1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000002A3F0662B2C	32_2_000002A3F0662B2C
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000002A3F06744A8	32_2_000002A3F06744A8
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000002A3F066DCE0	32_2_000002A3F066DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_000002C9AFB8D0E0	33_2_000002C9AFB8D0E0
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_000002C9AFB938A8	33_2_000002C9AFB938A8
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_000002C9AFB81F2C	33_2_000002C9AFB81F2C
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_000002C9AFBBDCE0	33_2_000002C9AFBBDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_000002C9AFBC44A8	33_2_000002C9AFBC44A8
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_000002C9AFBB2B2C	33_2_000002C9AFBB2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000002C06F7BD0E0	34_2_000002C06F7BD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000002C06F7C38A8	34_2_000002C06F7C38A8
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000002C06F7B1F2C	34_2_000002C06F7B1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000002C06FD4DCE0	34_2_000002C06FD4DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000002C06FD544A8	34_2_000002C06FD544A8
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000002C06FD42B2C	34_2_000002C06FD42B2C
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_000002917C3938A8	35_2_000002917C3938A8
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_000002917C38D0E0	35_2_000002917C38D0E0
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_000002917C381F2C	35_2_000002917C381F2C
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_000002917C3C44A8	35_2_000002917C3C44A8
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_000002917C3BDCE0	35_2_000002917C3BDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_000002917C3B2B2C	35_2_000002917C3B2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_00000223827944A8	36_2_00000223827944A8
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002238278DCE0	36_2_000002238278DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000022382782B2C	36_2_0000022382782B2C
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000028A1B88DCE0	37_2_0000028A1B88DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000028A1B8944A8	37_2_0000028A1B8944A8
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000028A1B882B2C	37_2_0000028A1B882B2C
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_000001486AD72B2C	38_2_000001486AD72B2C
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_000001486AD7DCE0	38_2_000001486AD7DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_000001486AD844A8	38_2_000001486AD844A8
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_0000024BD3CAD0E0	39_2_0000024BD3CAD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_0000024BD3CB38A8	39_2_0000024BD3CB38A8
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_0000024BD3CA1F2C	39_2_0000024BD3CA1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_0000024BD3CDDCE0	39_2_0000024BD3CDDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_0000024BD3CE44A8	39_2_0000024BD3CE44A8
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_0000024BD3CD2B2C	39_2_0000024BD3CD2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000001FA73D3D0E0	40_2_000001FA73D3D0E0
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000001FA73D438A8	40_2_000001FA73D438A8
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000001FA73D31F2C	40_2_000001FA73D31F2C
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000001FA73D6DCE0	40_2_000001FA73D6DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000001FA73D744A8	40_2_000001FA73D744A8
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000001FA73D62B2C	40_2_000001FA73D62B2C
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD021B1F2C	41_2_000001CD021B1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD021C38A8	41_2_000001CD021C38A8
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD021BD0E0	41_2_000001CD021BD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD02402B2C	41_2_000001CD02402B2C
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD024144A8	41_2_000001CD024144A8
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD0240DCE0	41_2_000001CD0240DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269B9FD1F2C	42_2_00000269B9FD1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269B9FDD0E0	42_2_00000269B9FDD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269B9FE38A8	42_2_00000269B9FE38A8
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA6744A8	42_2_00000269BA6744A8
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA66DCE0	42_2_00000269BA66DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA662B2C	42_2_00000269BA662B2C
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000022054D81F2C	43_2_0000022054D81F2C
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000022054D8D0E0	43_2_0000022054D8D0E0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000022054D938A8	43_2_0000022054D938A8
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000022054DB2B2C	43_2_0000022054DB2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000022054DBDCE0	43_2_0000022054DBDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000022054DC44A8	43_2_0000022054DC44A8
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000027C57DAD0E0	44_2_0000027C57DAD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000027C57DB38A8	44_2_0000027C57DB38A8
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000027C57DA1F2C	44_2_0000027C57DA1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000027C57DDDCE0	44_2_0000027C57DDDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000027C57DE44A8	44_2_0000027C57DE44A8
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000027C57DD2B2C	44_2_0000027C57DD2B2C
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A333B4D0E0	45_2_000002A333B4D0E0
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A333B538A8	45_2_000002A333B538A8
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A333B41F2C	45_2_000002A333B41F2C
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A333B7DCE0	45_2_000002A333B7DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A333B844A8	45_2_000002A333B844A8
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A333B72B2C	45_2_000002A333B72B2C
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000001F1745438A8	46_2_000001F1745438A8
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000001F17453D0E0	46_2_000001F17453D0E0
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000001F174531F2C	46_2_000001F174531F2C
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000001F1745744A8	46_2_000001F1745744A8
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000001F17456DCE0	46_2_000001F17456DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000001F174562B2C	46_2_000001F174562B2C
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000002331574D0E0	47_2_000002331574D0E0
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_00000233157538A8	47_2_00000233157538A8
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_0000023315741F2C	47_2_0000023315741F2C
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000002331577DCE0	47_2_000002331577DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_00000233157844A8	47_2_00000233157844A8
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_0000023315772B2C	47_2_0000023315772B2C

Source: Joe Sandbox View

Dropped File: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe 0612BFB5A51B0B413BA960F7D52BC647BD4CF7530FD760C0D6006AA829E806E2

Source: dialer.exe, 00000012.00000002.2707653386.000001A0E80A7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBP

Source: classification engine

Classification label: mal100.evad.winEXE@40/66@0/1

Source: C:\Windows\System32\dialer.exe

Code function: 18_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,

18_2_000000014000226C

Source: C:\Windows\System32\dialer.exe

Code function: 18_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,

18_2_00000001400019C4

Source: C:\Windows\System32\dialer.exe

18_2_000000014000226C

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8176:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7256:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3344:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yyc01ryo.1ig.ps1

Jump to behavior

Source: xmr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\xmr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: xmr.exe

ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\xmr.exe

File read: C:\Users\user\Desktop\xmr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\xmr.exe "C:\Users\user\Desktop\xmr.exe"
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "ARIBLEUL"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "ARIBLEUL"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc	Jump to behavior
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc	Jump to behavior
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv	Jump to behavior
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits	Jump to behavior
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc	Jump to behavior
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe	Jump to behavior
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "ARIBLEUL"	Jump to behavior
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto"	Jump to behavior
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog	Jump to behavior
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "ARIBLEUL"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior

Source: C:\Users\user\Desktop\xmr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: xmr.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: xmr.exe

Static file information: File size 5468672 > 1048576

Source: xmr.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x52a800

Source: xmr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: xmr.exe	Static PE information: section name: .00cfg
Source: lrgkmixyjzta.exe.0.dr	Static PE information: section name: .00cfg

Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25ABFACDD push rcx; retf 003Fh	4_2_000001F25ABFACDE
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC262B0 push rbp; retf	4_2_000001F25AC262B3
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC26238 push rbp; retf	4_2_000001F25AC2623B
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC26208 push rsi; retf	4_2_000001F25AC2620B
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC26218 push rbp; retf	4_2_000001F25AC2621B
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC26168 push rsi; retf	4_2_000001F25AC261D3
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC262C8 push rbp; retf	4_2_000001F25AC262B3
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC262C8 push rbp; retf	4_2_000001F25AC262CB
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC2C6DD push rcx; retf 003Fh	4_2_000001F25AC2C6DE
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC26078 push rbp; retf	4_2_000001F25AC26083
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC26080 push rbp; retf	4_2_000001F25AC26083
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC260A8 push rbp; retf	4_2_000001F25AC260AB
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC26038 push r14; retf	4_2_000001F25AC26043
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC26070 push rbp; retf	4_2_000001F25AC26073
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC26180 push rbp; retf	4_2_000001F25AC26183
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC26198 push rbp; retf	4_2_000001F25AC2619B
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC26138 push rsi; retf	4_2_000001F25AC26143
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC26160 push rbp; retf	4_2_000001F25AC26163
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC26168 push rsi; retf	4_2_000001F25AC261D3
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC26130 push rbp; retf	4_2_000001F25AC26133
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC260E0 push r14; retf	4_2_000001F25AC260EB
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC260F0 push rbp; retf	4_2_000001F25AC260F3
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E99173ACDD push rcx; retf 003Fh	23_2_000002E99173ACDE
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E99176C6DD push rcx; retf 003Fh	23_2_000002E99176C6DE
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E991759FA4 push rbp; retf	23_2_000002E99176626B
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E991766130 push rbp; retf	23_2_000002E991766133
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E991766138 push rsi; retf	23_2_000002E991766143
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E991766100 push rbp; retf	23_2_000002E99176610B
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E991766100 push rbp; retf	23_2_000002E99176610B
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E9917660F0 push rbp; retf	23_2_000002E9917660F3
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E9917660E0 push r14; retf	23_2_000002E9917660EB

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Source: C:\Users\user\Desktop\xmr.exe

File created: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe

Jump to dropped file

Source: C:\Users\user\Desktop\xmr.exe

File created: C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe

Jump to dropped file

Source: C:\Users\user\Desktop\xmr.exe

Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Source: C:\Windows\System32\lsass.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dialer.exe

Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,

18_2_00000001400010C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5578	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4200	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Window / User API: threadDelayed 1608	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 4851	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 5149	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 8203	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 1767	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 1567	Jump to behavior
Source: C:\Windows\System32\dwm.exe	Window / User API: threadDelayed 9871	Jump to behavior

Source: C:\Windows\System32\lsass.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_28-15427
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_4-14963
Source: C:\Windows\System32\dwm.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_31-15095
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_30-14943
Source: C:\Windows\System32\winlogon.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_23-16956

Source: C:\Windows\System32\dialer.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_18-409

Source: C:\Windows\System32\wbem\WmiPrvSE.exe	API coverage: 5.1 %
Source: C:\Windows\System32\lsass.exe	API coverage: 7.4 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.8 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.2 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.6 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.8 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.8 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.8 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.2 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.1 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7792	Thread sleep count: 5578 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7796	Thread sleep count: 4200 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 5472	Thread sleep count: 255 > 30	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 5472	Thread sleep time: -255000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dialer.exe TID: 7184	Thread sleep count: 1608 > 30	Jump to behavior
Source: C:\Windows\System32\dialer.exe TID: 7184	Thread sleep time: -160800s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2344	Thread sleep count: 4851 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2344	Thread sleep time: -4851000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2344	Thread sleep count: 5149 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2344	Thread sleep time: -5149000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 7428	Thread sleep count: 8203 > 30	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 7428	Thread sleep time: -8203000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 7428	Thread sleep count: 1767 > 30	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 7428	Thread sleep time: -1767000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7416	Thread sleep count: 1567 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7416	Thread sleep time: -1567000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 4152	Thread sleep count: 9871 > 30	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 4152	Thread sleep time: -9871000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2512	Thread sleep count: 260 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2512	Thread sleep time: -260000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2828	Thread sleep count: 253 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2828	Thread sleep time: -253000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2952	Thread sleep count: 252 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2952	Thread sleep time: -252000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3984	Thread sleep count: 257 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3984	Thread sleep time: -257000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5296	Thread sleep count: 194 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5296	Thread sleep time: -194000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3120	Thread sleep count: 259 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3120	Thread sleep time: -259000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1280	Thread sleep count: 253 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1280	Thread sleep time: -253000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2940	Thread sleep count: 249 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2940	Thread sleep time: -249000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3032	Thread sleep count: 252 > 30
Source: C:\Windows\System32\svchost.exe TID: 3032	Thread sleep time: -252000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4128	Thread sleep count: 244 > 30
Source: C:\Windows\System32\svchost.exe TID: 4128	Thread sleep time: -244000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4032	Thread sleep count: 257 > 30
Source: C:\Windows\System32\svchost.exe TID: 4032	Thread sleep time: -257000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3552	Thread sleep count: 258 > 30
Source: C:\Windows\System32\svchost.exe TID: 3552	Thread sleep time: -258000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3832	Thread sleep count: 259 > 30
Source: C:\Windows\System32\svchost.exe TID: 3832	Thread sleep time: -259000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6136	Thread sleep count: 259 > 30
Source: C:\Windows\System32\svchost.exe TID: 6136	Thread sleep time: -259000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4300	Thread sleep count: 250 > 30
Source: C:\Windows\System32\svchost.exe TID: 4300	Thread sleep time: -250000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2848	Thread sleep count: 261 > 30
Source: C:\Windows\System32\svchost.exe TID: 2848	Thread sleep time: -261000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 636	Thread sleep count: 257 > 30
Source: C:\Windows\System32\svchost.exe TID: 636	Thread sleep time: -257000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2616	Thread sleep count: 260 > 30
Source: C:\Windows\System32\svchost.exe TID: 2616	Thread sleep time: -260000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6556	Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 6556	Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3500	Thread sleep count: 258 > 30
Source: C:\Windows\System32\svchost.exe TID: 3500	Thread sleep time: -258000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6816	Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 6816	Thread sleep time: -251000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC1DCE0 FindFirstFileExW,	4_2_000001F25AC1DCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E99175DCE0 FindFirstFileExW,	23_2_000002E99175DCE0
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000213BDCEDCE0 FindFirstFileExW,	28_2_00000213BDCEDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_00000158709DDCE0 FindFirstFileExW,	30_2_00000158709DDCE0
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000026DB16DDCE0 FindFirstFileExW,	31_2_0000026DB16DDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000002A3F066DCE0 FindFirstFileExW,	32_2_000002A3F066DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_000002C9AFBBDCE0 FindFirstFileExW,	33_2_000002C9AFBBDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000002C06FD4DCE0 FindFirstFileExW,	34_2_000002C06FD4DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_000002917C3BDCE0 FindFirstFileExW,	35_2_000002917C3BDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002238278DCE0 FindFirstFileExW,	36_2_000002238278DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000028A1B88DCE0 FindFirstFileExW,	37_2_0000028A1B88DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_000001486AD7DCE0 FindFirstFileExW,	38_2_000001486AD7DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_0000024BD3CDDCE0 FindFirstFileExW,	39_2_0000024BD3CDDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000001FA73D6DCE0 FindFirstFileExW,	40_2_000001FA73D6DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD0240DCE0 FindFirstFileExW,	41_2_000001CD0240DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA66DCE0 FindFirstFileExW,	42_2_00000269BA66DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000022054DBDCE0 FindFirstFileExW,	43_2_0000022054DBDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000027C57DDDCE0 FindFirstFileExW,	44_2_0000027C57DDDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A333B7DCE0 FindFirstFileExW,	45_2_000002A333B7DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000001F17456DCE0 FindFirstFileExW,	46_2_000001F17456DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000002331577DCE0 FindFirstFileExW,	47_2_000002331577DCE0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: lsass.exe, 0000001C.00000000.1483872661.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: lsass.exe, 0000001C.00000000.1483872661.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: lsass.exe, 0000001C.00000000.1483872661.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: lsass.exe, 0000001C.00000002.2716144470.00000213BCE13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1483592352.00000213BCE13000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\dialer.exe

API call chain: ExitProcess graph end node

graph_18-477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\wbem\WmiPrvSE.exe

Code function: 4_2_000001F25AC1D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_000001F25AC1D2A4

Source: C:\Windows\System32\wbem\WmiPrvSE.exe

Code function: 4_2_000001F25AC11268 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,

4_2_000001F25AC11268

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC1D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_000001F25AC1D2A4
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC26218 SetUnhandledExceptionFilter,	4_2_000001F25AC26218
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 4_2_000001F25AC17D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_000001F25AC17D90
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E991766218 SetUnhandledExceptionFilter,	23_2_000002E991766218
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E99175D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_000002E99175D2A4
Source: C:\Windows\System32\winlogon.exe	Code function: 23_2_000002E991757D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_000002E991757D90
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000213BDCE7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_00000213BDCE7D90
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000213BDCED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_00000213BDCED2A4
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000213BDCF6218 SetUnhandledExceptionFilter,	28_2_00000213BDCF6218
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_00000158709DD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_00000158709DD2A4
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_00000158709E6218 SetUnhandledExceptionFilter,	30_2_00000158709E6218
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_00000158709D7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_00000158709D7D90
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000026DB16E6218 SetUnhandledExceptionFilter,	31_2_0000026DB16E6218
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000026DB16DD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_0000026DB16DD2A4
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000026DB16D7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_0000026DB16D7D90
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000002A3F066D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_000002A3F066D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000002A3F0667D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_000002A3F0667D90
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000002A3F0676218 SetUnhandledExceptionFilter,	32_2_000002A3F0676218
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_000002C9AFBB7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_000002C9AFBB7D90
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_000002C9AFBBD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_000002C9AFBBD2A4
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_000002C9AFBC6218 SetUnhandledExceptionFilter,	33_2_000002C9AFBC6218
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000002C06FD4D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	34_2_000002C06FD4D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000002C06FD56218 SetUnhandledExceptionFilter,	34_2_000002C06FD56218
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000002C06FD47D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	34_2_000002C06FD47D90
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_000002917C3B7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	35_2_000002917C3B7D90
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_000002917C3C6218 SetUnhandledExceptionFilter,	35_2_000002917C3C6218
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_000002917C3BD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	35_2_000002917C3BD2A4
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000022382787D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_0000022382787D90
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_0000022382796218 SetUnhandledExceptionFilter,	36_2_0000022382796218
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000002238278D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_000002238278D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000028A1B88D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_0000028A1B88D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000028A1B896218 SetUnhandledExceptionFilter,	37_2_0000028A1B896218
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000028A1B887D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_0000028A1B887D90
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_000001486AD7D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_000001486AD7D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_000001486AD86218 SetUnhandledExceptionFilter,	38_2_000001486AD86218
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_000001486AD77D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_000001486AD77D90
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_0000024BD3CDD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_0000024BD3CDD2A4
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_0000024BD3CE6218 SetUnhandledExceptionFilter,	39_2_0000024BD3CE6218
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_0000024BD3CD7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_0000024BD3CD7D90
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000001FA73D6D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_000001FA73D6D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000001FA73D76218 SetUnhandledExceptionFilter,	40_2_000001FA73D76218
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000001FA73D67D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_000001FA73D67D90
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD0240D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000001CD0240D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD02407D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000001CD02407D90
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD02416218 SetUnhandledExceptionFilter,	41_2_000001CD02416218
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA667D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_00000269BA667D90
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA676218 SetUnhandledExceptionFilter,	42_2_00000269BA676218
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA66D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_00000269BA66D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000022054DBD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_0000022054DBD2A4
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000022054DC6218 SetUnhandledExceptionFilter,	43_2_0000022054DC6218
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000022054DB7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_0000022054DB7D90
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000027C57DDD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_0000027C57DDD2A4
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000027C57DE6218 SetUnhandledExceptionFilter,	44_2_0000027C57DE6218
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_0000027C57DD7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_0000027C57DD7D90
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A333B86218 SetUnhandledExceptionFilter,	45_2_000002A333B86218
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A333B77D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_000002A333B77D90
Source: C:\Windows\System32\svchost.exe	Code function: 45_2_000002A333B7D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_000002A333B7D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000001F174567D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	46_2_000001F174567D90
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000001F174576218 SetUnhandledExceptionFilter,	46_2_000001F174576218
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000001F17456D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	46_2_000001F17456D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_0000023315777D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	47_2_0000023315777D90
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_0000023315786218 SetUnhandledExceptionFilter,	47_2_0000023315786218
Source: C:\Windows\System32\svchost.exe	Code function: 47_2_000002331577D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	47_2_000002331577D2A4

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force			Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 2E991720000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 213BDCB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 158709A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 26DB16A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A3EFFC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2C9AFB80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2C06F7B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2917C380000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22382750000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 28A1B1D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1486AD40000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 24BD3CA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1FA73D30000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1CD021B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 269B9FD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22054D80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 27C57DA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A333B40000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F174530000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23315740000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A9C8540000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1EC212A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1876D540000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22CD8950000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 15104330000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22308E70000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1AB19360000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E731800000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A6DD9B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E2FA1C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\spoolsv.exe base: D50000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 209D2560000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1FC05190000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2AFD1A00000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D6B0F90000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2036E550000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 150FC6C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2480FAC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2671A930000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2C588F90000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A8857C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 174DEDC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 282A2110000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DA09D90000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 287FBEC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\sihost.exe base: 2537C620000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 29B59750000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20CAB590000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BBF95A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D49EEE0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ctfmon.exe base: 26E2B2E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B0CC6E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\explorer.exe base: 9850000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23014DD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21744F70000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F02ED50000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dasHost.exe base: 1B2E6AF0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 25A84C20000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 194A0780000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2AD4DDB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 1C0F4C90000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1F3A5110000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\smartscreen.exe base: 2164ACF0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 19985DA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 26D10B40000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 23F7CDE0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2EE94180000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 23954370000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1C996D40000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1FD7ADE0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 18BF4190000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DF00850000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 22F97EC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2341F720000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A326350000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F25ABE0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Windows Defender\MpCmdRun.exe base: 1943F410000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 23170BD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 2610B9F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 2610BA50000 protect: page execute and read and write	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dialer.exe

Code function: 18_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,

18_2_0000000140001C88

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: 9172273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\lsass.exe EIP: BDCB273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 709A273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\dwm.exe EIP: B16A273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: EFFC273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: AFB8273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6F7B273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 7C38273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 8275273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 1B1D273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6AD4273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: D3CA273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 73D3273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 21B273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: B9FD273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 54D8273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 57DA273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 33B4273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 7453273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 1574273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: C854273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 212A273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6D54273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: D895273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 433273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8E7273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1936273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3180273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DD9B273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FA1C273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D5273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D256273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 519273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D1A0273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B0F9273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6E55273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FC6C273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FAC273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1A93273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 88F9273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 857C273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DEDC273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A211273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9D9273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FBEC273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7C62273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5975273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AB59273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F95A273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9EEE273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2B2E273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CC6E273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 985273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 14DD273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 44F7273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2ED5273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E6AF273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 84C2273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A078273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4DDB273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F4C9273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A511273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4ACF273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 85DA273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 10B4273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7CDE273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9418273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5437273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 96D4273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7ADE273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F419273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 85273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 97EC273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1F72273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2635273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5ABE273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3F41273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 70BD273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BA5273C	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B9F273C	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2E991720000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 213BDCB0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 158709A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 26DB16A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A3EFFC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C9AFB80000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C06F7B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2917C380000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22382750000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28A1B1D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1486AD40000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24BD3CA0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA73D30000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD021B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 269B9FD0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22054D80000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 27C57DA0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A333B40000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F174530000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23315740000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A9C8540000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EC212A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1876D540000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22CD8950000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15104330000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22308E70000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AB19360000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E731800000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A6DD9B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2FA1C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: D50000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 209D2560000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FC05190000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AFD1A00000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D6B0F90000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2036E550000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 150FC6C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2480FAC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2671A930000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C588F90000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A8857C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 174DEDC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 282A2110000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DA09D90000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 287FBEC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 2537C620000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29B59750000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20CAB590000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BBF95A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D49EEE0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 26E2B2E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0CC6E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 9850000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23014DD0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21744F70000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F02ED50000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1B2E6AF0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 25A84C20000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 194A0780000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AD4DDB0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1C0F4C90000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F3A5110000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 2164ACF0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19985DA0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 26D10B40000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 23F7CDE0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2EE94180000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 23954370000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1C996D40000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1FD7ADE0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 18BF4190000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DF00850000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22F97EC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2341F720000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A326350000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F25ABE0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 1943F410000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 23170BD0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 2610B9F0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 2610BA50000 value starts with: 4D5A	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dialer.exe

Memory written: PID: 4084 base: 9850000 value: 4D

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\xmr.exe

Thread register set: target process: 7188

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2E991720000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 213BDCB0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 158709A0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 26DB16A0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A3EFFC0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C9AFB80000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C06F7B0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2917C380000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22382750000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28A1B1D0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1486AD40000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24BD3CA0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA73D30000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD021B0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 269B9FD0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22054D80000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 27C57DA0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A333B40000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F174530000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23315740000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A9C8540000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EC212A0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1876D540000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22CD8950000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15104330000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22308E70000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AB19360000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E731800000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A6DD9B0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2FA1C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: D50000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 209D2560000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FC05190000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AFD1A00000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D6B0F90000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2036E550000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 150FC6C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2480FAC0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2671A930000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C588F90000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A8857C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 174DEDC0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 282A2110000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DA09D90000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 287FBEC0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 2537C620000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29B59750000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20CAB590000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BBF95A0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D49EEE0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 26E2B2E0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0CC6E0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 9850000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23014DD0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21744F70000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F02ED50000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1B2E6AF0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 25A84C20000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 194A0780000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AD4DDB0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1C0F4C90000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F3A5110000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 2164ACF0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19985DA0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 26D10B40000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 23F7CDE0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2EE94180000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 23954370000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1C996D40000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1FD7ADE0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 18BF4190000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DF00850000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22F97EC0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2341F720000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A326350000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F25ABE0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 1943F410000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 23170BD0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 2610B9F0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 2610BA50000	Jump to behavior

Source: C:\Users\user\Desktop\xmr.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart			Jump to behavior

Source: C:\Windows\System32\dialer.exe

Code function: 18_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

18_2_0000000140001B54

Source: C:\Windows\System32\dialer.exe

Code function: 18_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

18_2_0000000140001B54

Source: winlogon.exe, 00000017.00000002.2726637979.000002E991B71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000017.00000000.1481022199.000002E991B70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000017.00000002.2726637979.000002E991B71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000017.00000000.1481022199.000002E991B70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: winlogon.exe, 00000017.00000002.2726637979.000002E991B71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000017.00000000.1481022199.000002E991B70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: winlogon.exe, 00000017.00000002.2726637979.000002E991B71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000017.00000000.1481022199.000002E991B70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\wbem\WmiPrvSE.exe

Code function: 4_2_000001F25ABF36F0 cpuid

4_2_000001F25ABF36F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation	Jump to behavior

Source: C:\Windows\System32\dialer.exe

Code function: 18_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

18_2_0000000140001B54

Source: C:\Windows\System32\wbem\WmiPrvSE.exe

Code function: 4_2_000001F25AC17960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_000001F25AC17960

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Service Execution	1 Windows Service	1 Access Token Manipulation	4 Rootkit	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Windows Service	1 Disable or Modify Tools	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	713 Process Injection	1 Modify Registry	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Access Token Manipulation	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	713 Process Injection	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Hidden Files and Directories	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Obfuscated Files or Information	Proc Filesystem	22 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Install Root Certificate	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
xmr.exe	76%	ReversingLabs	Win64.Infostealer.Tinba

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe	76%	ReversingLabs	Win64.Infostealer.Tinba

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 0000001C.00000000.1483737658.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.1483799757.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2718147779.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2716787516.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 0000001C.00000000.1483737658.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2716787516.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 0000001C.00000000.1483737658.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2716787516.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 0000001C.00000000.1483799757.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2718147779.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 0000001C.00000000.1483737658.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2716787516.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 0000001C.00000000.1483737658.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2716787516.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/erties	lsass.exe, 0000001C.00000000.1483737658.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2716787516.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 0000001C.00000000.1483737658.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2716787516.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	lsass.exe, 0000001C.00000000.1483737658.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.2716787516.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585418
Start date and time:	2025-01-07 16:19:27 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	25
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xmr.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@40/66@0/1
EGA Information:	Successful, ratio: 91.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 61 Number of non-executed functions: 364
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 40.126.32.140, 20.190.160.20, 40.126.32.68, 40.126.32.134, 20.190.160.17, 20.190.160.14, 20.190.160.22, 40.126.32.133, 4.175.87.197
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, ocsp.edge.digicert.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target lrgkmixyjzta.exe, PID 2340 because it is empty
Execution Graph export aborted for target xmr.exe, PID 7660 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: xmr.exe

Simulations

Behavior and APIs

Time	Type	Description
10:20:25	API Interceptor	1x Sleep call for process: xmr.exe modified
10:20:27	API Interceptor	16x Sleep call for process: powershell.exe modified
10:21:03	API Interceptor	367318x Sleep call for process: winlogon.exe modified
10:21:04	API Interceptor	289942x Sleep call for process: lsass.exe modified
10:21:04	API Interceptor	6333x Sleep call for process: svchost.exe modified
10:21:04	API Interceptor	1665x Sleep call for process: dialer.exe modified
10:21:06	API Interceptor	355148x Sleep call for process: dwm.exe modified
10:21:12	API Interceptor	230x Sleep call for process: WmiPrvSE.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	sasdriver_2.0.20.119.exe_MDE_File_Sample_dc3db78edf1ce84f101e976a9966edb4cf6dcd75.zip	Get hash	malicious	Unknown	Browse	192.229.221.95
	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	192.229.221.95
	startuppp.bat	Get hash	malicious	Unknown	Browse	192.229.221.95
	amiri.EXE	Get hash	malicious	Unknown	Browse	192.229.221.95
	CheerSkullness.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	Insomia.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	Tax_Refund_Claim_2024_Australian_Taxation_Office.js	Get hash	malicious	Remcos	Browse	192.229.221.95
	3lhrJ4X.exe	Get hash	malicious	LiteHTTP Bot	Browse	192.229.221.95
	Your File Is Ready To Download.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://www.klim.com	Get hash	malicious	Unknown	Browse	192.229.221.95

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe	Solara.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe

Download File

Process:	C:\Users\user\Desktop\xmr.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5468672
Entropy (8bit):	6.519628355610314
Encrypted:	false
SSDEEP:	98304:LOl8w9dke5gARmiTqHc2+i72sq2GMbo9GYaUbTvcB7abEUGyxByPuZ0:LOlj9dkC8c2F2D2G1GVLB7WBBNG
MD5:	154202154E41175E801A698CA940EB0C
SHA1:	6CE074D67C91CB00016CB1095319B00AFAB396A8
SHA-256:	0612BFB5A51B0B413BA960F7D52BC647BD4CF7530FD760C0D6006AA829E806E2
SHA-512:	7D0A7474C28B87972FB02A48EE56A2549765A584A53ABBD123631E142A655B17F3508B7D3C2B90F3174D118940143AF12728355900472F27FE8280AA11A8F540
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Joe Sandbox View:	Filename: Solara.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d....;.f.........."...........R.....@..........@..............................S...........`.....................................................<.............S...............S.x...............................(.......8...........x...`............................text............................... ..`.rdata..l$.......&..................@..@.data.....R.......R.................@....pdata........S......jS.............@..@.00cfg........S......lS.............@..@.tls..........S......nS.............@....reloc..x.....S......pS.............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.dat

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulxmH/lZ:NllUg
MD5:	D904BDD752B6F23D81E93ECA3BD8E0F3
SHA1:	026D8B0D0F79861746760B0431AD46BAD2A01676
SHA-256:	B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
SHA-512:	5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
Malicious:	false
Preview:	@...e................................. ..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gmllbled.gz3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_juzgyfll.bs2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pqbalilt.lva.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yyc01ryo.1ig.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4680
Entropy (8bit):	3.7111246928185304
Encrypted:	false
SSDEEP:	96:pYMguQII4i5et6h4aGdinipV9ll7UY5HAmzQ+:9A4q/xne7HO+
MD5:	0D60969BED3B7E408F6EEFB00666B71E
SHA1:	D1C1EEDDB110FFDAC3C71C6232A0FDAEE1F0C0EE
SHA-256:	12F1D710F133AC6D1488B4C0D81349F4A3CDCED18D7C616DBF100A86C0D146AF
SHA-512:	DCAC2259335EC47A9C80209B49E29A78697B7FDE17EEEAB87BAFB76A2A7FF7C5E877EE894B65A998562066BC721EFB3C1113A3DF1CE9A25E0C6410958ECAE500
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...6.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.S.o.u.r.c.e.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.S.o.u.r.c.e.>..... . . . .<.A.u.t.h.o.r.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.A.u.t.h.o.r.>..... . . . .<.V.e.r.s.i.o.n.>.1...0.<./.V.e.r.s.i.o.n.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.1.).<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.o.f.t.w.a.r.e.P.r.o.t.e.c.t.i.o.n.P.l.a.t.f.o.r.m.\.S.v.c.R.e.s.t.a.r.t.T.a.s.k.<./.U.R.I.>..... . . . .<.S.e.c.u.r.i.t.y.D.e.s.c.r.i.p.t.o.r.>.D.:.P.(.A.;.;.F.A.;.;.;.S.Y.).(.A.;.;.F.A.;.;.;.B.A.).

C:\Windows\System32\winevt\Logs\Application.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	3408
Entropy (8bit):	3.957879980473957
Encrypted:	false
SSDEEP:	48:MoZUQ4frP+yXCrPwfFRVEfWb3/Ooc0wHytxsiekd9SqdrSDFDS0yel:UpCrup/vOoclgeie6joF1
MD5:	4E70AECBDB74B8BA6C1BD8A191B78927
SHA1:	DF279189413492D16C18316C05E64615BA67E2C8
SHA-256:	213479E82374E7CF07F8EDE98D27EDC91CD3D081FC8EDCAA8732AD9ECB6F3958
SHA-512:	BC056CC554B5D4133859B869CE601F28A9E5454800CAFD8A92D604B7059FB529F40DE2A0892383E73A426920FF8E51919765A6D56545392615C9BFC4A2D10716
Malicious:	false
Preview:	ElfChnk.................[.......\...........X...P.....1.....................................................................N.=............................................=...........................................................................................................................g...............@...........................n...................M...]...........................j...........................~...........................................&...............................................**..X...[..........a.........3d.&........3d....P..k..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Z............{..P.r.o.v.i.d.e.r...7...F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.S.P.P.F........)...G.u.i.d.....&.{.E.2.3.B.3.3.B.0.-.C.8.C.9.-.4.7.2.C.-.A.5.F.9.-.F.2.B.D.F.E.

C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 3 chunks (no. 2 in use), next record no. 310, DIRTY
Category:	dropped
Size (bytes):	112664
Entropy (8bit):	3.740554326511005
Encrypted:	false
SSDEEP:	768:uVUHiapX7xadptrDT9W84H62VUHiapX7xadptrDT9W84H6:hHi6xadptrX9WPapHi6xadptrX9WPa
MD5:	3E1327B42ED47E009DF5E36412C4EF9F
SHA1:	02BC9FF524807C5F1A852F5CCD05995533E4A9F2
SHA-256:	0A44AD86CF2A357DD892C0F7CED38C07F91ADA64723402E29721C109AD76F3E1
SHA-512:	9752849A0BEB68022D84D315E6E442FA1799CDE64983B8F3DB7C0D34BAB0D0E16AA7653059CBA4BF3F994C158F324043AF71A085201F2292F1F45BF038241CBE
Malicious:	false
Preview:	ElfFile.................6....................................................................................................I].ElfChnk.........7...............7...............................................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........r...................m..............qo...................>...;..................**..............4.9...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.377721629524822
Encrypted:	false
SSDEEP:	384:fhZN/GN6N/NDsNadNDtNkN6NQNQxNhdNQaNwNwNONPNavNqN6NfNjNALNCNyN7Ns:fZeIPRThtUmqYXL3QXr0Q7
MD5:	B59AFB7FCA4C7067FBB3EF413064809B
SHA1:	785A500AA8ADA1D59F3F7FD48E876F2305E7072D
SHA-256:	ED35583D239B8BBF565E20C872268401F9D05A4DCCE4ABA7F83BA99A5978FD95
SHA-512:	C86B8AE075AA4E669D9DE8EDC1C3E430D68F1A155153EE7B4C7B1898E03E42334C37FFAE7CD35B759EB019822762C7048083BEA711439FAA1D869360CE59CD88
Malicious:	false
Preview:	ElfChnk.{...............{..........................[.x......................................................................D.\........................................V...=...........................................................................................................................f...............?...........................m...................M...F...................=c......................=j...........................?......]...............................................-g..................**......{.......n=.df..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	92752
Entropy (8bit):	4.271441929571394
Encrypted:	false
SSDEEP:	384:5V7VZVBV4V0VahMVnRVSV3V9VbVSV5VjVMV/V1VQVPTV0V6V6VoVbVaVVVlVlVmZ:Q+HIi20Hl6MunK+Hc
MD5:	1B0A3E0AF5BDFE8099B6F3E39052DDE1
SHA1:	75516DD43AE2F679B32068A9F43738E9190217E0
SHA-256:	FDF6ACB0F41D94B69049C296FEECF2C818A5192C1E7B017FD382B80F8DCBEDF7
SHA-512:	C0F3C709D22C0A6C62D7DF213585B69DC34841CF7761BDB7F30FCBB6A0720BD24ED785F63D8D6212F19AFDD6521B11EC1332D07746EB70B09ED2089421EEBFA5
Malicious:	false
Preview:	ElfChnk......................................X...Y...:.T......................................................................#.................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................9@...............................=......*...............>..g..........Z..&...............................................................@.......X..._.!.....E..........@.>..g...0.U.f....U.f................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........L...M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s.A.l.a.r.m.s._.8.w.e.k.y.b.3.d.8.b.b.w.e.....n.d.o....**..............0...g..........Z

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	67008
Entropy (8bit):	4.180357047407191
Encrypted:	false
SSDEEP:	384:rmOmUhsmsmi7mRXZmVkWmhTimmdmBmKmPhmRTmimZ8mevmcsm7mrmQmzmjmvmTmn:t2klTiGFKX93WGUGseOg26
MD5:	C77C01DD036163AA5EF8E896B46CB6AA
SHA1:	7B0662962F17C474445E9A36696ADC9AAA07F1D7
SHA-256:	2395770878BE943F3FE3CC5F5724574004F2BC447B31A2492ACD105B006BA6A1
SHA-512:	85BE7E1E9A0335E25CE8AA2B29D2ED811262547E277F1E4F5A67C0CF0818B7F65A387EF4DF05F2C04A4074AB1A89568853EDC6864FE097A2530B9DEDA706BA50
Malicious:	false
Preview:	ElfChnk.@-......o-......@-......o-..........(.........=(.....................................................................i..................\...........................=...........................................................................................................................f...............?...........................m...................M...F................................i...&...,...........................7..................................5...c#..{1..k:...................v................n-.......T_.g..........Z..&...............................................................N.......d..._.!.....[..........@.T_.g...0.U.f....,U.f...$.......n-...................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t.-.S.e.r.v.e.r.9.G?...J...]..-CM.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t.S.e.r.v.e.r./.O.p.e.r.a.t.i.o.n.a.l...e$W..R......................(.....................s.v.c.h.o.s.t...e.x.e.,.S.t.o.r.S.v.c........-...........

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 4, DIRTY
Category:	dropped
Size (bytes):	70680
Entropy (8bit):	0.7871093480042242
Encrypted:	false
SSDEEP:	192:PdV7pp8nMLkmp8nPp8nYMvCp8npV7pp8nMLkmp8nPp8nYMvCp8n:PdhpiMLxiPiYMKiphpiMLxiPiYMKi
MD5:	1C474FA57EA35BC8D87C0822584A90EC
SHA1:	DE02AF34C9712DBAE46EB08832060E0B0AD2A210
SHA-256:	DBB1C86667F3E7CEDA43A880545C6E8619F9E0CCAC5B85FFE76464D70353D9AB
SHA-512:	22265BCDE2A77318355204C34111516310EC05B512A42BDAD9692AC42A7657FC7C2291B54452C316F034AF296DB00376D3E5B9D12173B3BFAF118CCBABDDD175
Malicious:	false
Preview:	ElfFile.........................................................................................................................ElfChnk.....................................@..................................................................................o............................................=...........................................................................................................................f...............?...................................p...........M...F...............................................f...................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.467947111655398
Encrypted:	false
SSDEEP:	1536:xZPZn2bBN2A4VD7VAx8whAGU2woJQghwMvOUFwe8OQhNwRA:
MD5:	6B473E7917B1EDEE80CAFE7D24A6A4E8
SHA1:	1940F41550F2986C928648ED00F9C6E4868D1A23
SHA-256:	1D52F13D2EA4ACC472815240DBFF0F34C6CD5E86F980D04D9AD28E42C3E7A355
SHA-512:	9AABAD5B7425A9692545864C11B99DDED0051CE8B442FFAB7BAB21DD8CD68B51BC980B01F324A81C685DC56793581AE2E6751DD08497CCBA64FB3339A9B5483D
Malicious:	false
Preview:	ElfChnk.e.......h.......e.......h...............x....;.......................................................................Z}............................................=...............y...........................................................................................................L...............?...............................................M...F...............................................&...................................................................................n...............**......e..........f..........'.z&........'.z..^................A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.565838744973026
Encrypted:	false
SSDEEP:	1536:PXY5nVYIyyqED5BVZUe39vHxt1BSocM1:PXY5nVYIyyqED5BVZUe39vHxt1BSot
MD5:	B30C931B9EF047307E1443502CE7EE14
SHA1:	BAC3632B709B853DFFCD9C4D65D1F9236F6FE551
SHA-256:	033CF49641F4E76EFABF8F25753074E7EE72DD567FBA4145D446032D3D9CFADB
SHA-512:	F5A9CA2D464EBA1F2F4EA426AC3864FB399A8951958BA44BA550E2129C4F4D4DA9E60F0D1B18A07CC76D4BC2CFD20D283F446A47DF990B52916113D5383A1952
Malicious:	false
Preview:	ElfChnk.........~...............~...................F..........................................................................T................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................N...............y.......................**................9..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	87168
Entropy (8bit):	1.973270255901999
Encrypted:	false
SSDEEP:	384:+osKaRo4hdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorXorWorxFo8oQ:kDCFUDCFsu
MD5:	52AB0437C16776AA4A68E5F8807A6EA4
SHA1:	CA5442311C99F3B04A411A1C22066B2668D63609
SHA-256:	561B70B63F57EDAF6C39F9832B82D675938560C90C9A667A2E739188415BFB26
SHA-512:	2ECAEB5B8BE8BFD89625371EAC7C2C82B071338CE441B1F73DE4B1F7A8D164D68975BB3A77CDD517466D67908ED51CE2E68B54FC3B43F4D26D5AF16E37604BA9
Malicious:	false
Preview:	ElfChnk......................................+...-..Y.QR......................................................................^.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................................................................ ......U)..............................**...............I..a.........Z... ..............................................................>.......V...X.!..e...............I..a..0.U.f....0U.f................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y..k.N.<.D..97d>7.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...!>.U)......!>....[.U.....i...........\|...:....A..3...b...%....=.......F.i.l.e.N.a.m.e.L.e.n.g.t.h.......A..3...b...%....=.......F.i.l.e.N

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8511209646626153
Encrypted:	false
SSDEEP:	384:ChAiPA5PNPxPEPHPhPEPmPSPRP3PoPbPfP0bPnPdP:C2NZ
MD5:	A98C811B8E1B821CD1FE05A68ADD446A
SHA1:	4E8B739F5E308F943962E72FF24212FFBE47FAD7
SHA-256:	58F6584C100174B80ACB8940226841B77884326A293CEE9072F4DD4CF8C10133
SHA-512:	24A7B9C86A6CE93B9B7F4107A433A247789EE568EB69E301B51DC9D01AA40D2F408AD76B78F7F83E5F4EB47C1677276BC86F86A99BAB95186C2331ABE4CA523C
Malicious:	false
Preview:	ElfChnk......................................%...&..?........................................................................<.m................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&................................................................................ ..............'.......................**..x.............\|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8431535491551847
Encrypted:	false
SSDEEP:	384:OhZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+lk:OWXSYieD+tvgzmMvRQAsNi
MD5:	106F006ACA6287586EF71A10A5C06C4D
SHA1:	B4B6D91FF53E9BDFC8D0D99A0D6F643E49074932
SHA-256:	79E64A943AED80ADAE43934E4573F95AE7308DDD6FC896EEDDB386C8A41FBA65
SHA-512:	F4D49C8CBC2B46719521935DFABDC3E05883C2360D4E472920C420B1ACC74D0F835D10A2C5BA6E29038425809D585025172FDC9E534619C017D70FA4D9F23D53
Malicious:	false
Preview:	ElfChnk......................................$...&..{n.8.....................................................................{..................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................................................................................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	66536
Entropy (8bit):	3.102055044626284
Encrypted:	false
SSDEEP:	384:ljh1hqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqX:ljbCyhLfIIy
MD5:	4A8EE4A005B2E39CC30884D680251433
SHA1:	2077242488C9F3EDE3558763B1982F350E0DB598
SHA-256:	B77A1CC55581F8318B8987FCE28DA3B1CF81554020B782AB7D2F0D6681463111
SHA-512:	0EC0AFF335E3C75C6ED3323BC91573E493A7343EEFD574860E165A98BB31B9B41120E59B294EC312A0481C9B61CA0574063A35FD7300226D1160FB96261B9254
Malicious:	false
Preview:	ElfChnk.........K...............K...........H...0.....(j........................................................................................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n................................................{......................................**......K........A..a.........Z...{..............................................................<.......T.....!..................A..a..0.U.f.....U.f...........K....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.D.P.A.P.I.@.....NF.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.D.P.A.P.I./.O.p.e.r.a.t.i.o.n.a.l....0.............`....l~..;.D.Z-.>..C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.M.i.c.r.o.s.o.f.t.\.P.r.o.t.e.c.t.\.S.-.1.-.5.-.1.8.\..............

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.318227577210551
Encrypted:	false
SSDEEP:	768:5cMhFBuyKskZljdoKXjtT/r18rQXn8BiJCF9Hhr:CMhFBuV
MD5:	5C633A280FB6049ED65FB3D9FB6ED41D
SHA1:	EA8D9B84B69F08E866CEE93019E7D9D2F2055666
SHA-256:	C173BD37497EC6CC0B01BDBD0F2813644D398457279644AEDA0F9925E546091F
SHA-512:	3E040021C7ABF4B9242BA0851F377EB0B077A1CFCAC0E012A4AB7E2551157BF7AC70E979A6F7225A3E260D5C393DBACAA78831C0BC46356C966A524271CC57CF
Malicious:	false
Preview:	ElfChnk.........M...............M..............8...^..Q....................................................................q...................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A.........................................**..x...........,.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.894621869531994
Encrypted:	false
SSDEEP:	768:svG6Q+uYvAzBCBao/F6Cf2SEqEhwaK41HZavAFDtCwvhr9OA2:VHuN
MD5:	324E44DC9694B00295C89D4D5F97D685
SHA1:	631C3A756A30EA3AB1E8373BD81661BD601FF9C1
SHA-256:	97C9383956E32FB74B27567D7FF4D8E521E45CB5EF18C562751ED5834B5B037B
SHA-512:	D18CDFB2CC9784AAD911593BCB3AEDD58670E19B2A1D0FFC36129C70F29F314CAC74CCB255393812158BF0B568CF372C879EA0FF707220FE2807BD35762F8422
Malicious:	false
Preview:	ElfChnk.v.......x.......v.......x...........P...`...+.$Y......................................................................E.........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..@...v.........=.f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 25, DIRTY
Category:	dropped
Size (bytes):	92008
Entropy (8bit):	2.681712404440702
Encrypted:	false
SSDEEP:	384:gHh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzJ:eMAP1Qa5AgfQQzy3MAP1Qa5AgfQQzy
MD5:	E50FE39620606CD6AC01CB7CD857361A
SHA1:	C18530537740D8BE0EE68F4BD7691CF120823445
SHA-256:	C6B32015EE7A045ACBB0CB97F20BA015C6DEF7595DD5555AD7C9F38CED29BC35
SHA-512:	0FA353003CB90A4FFAFA98D6183B298C78D85D97A256D250586C63E39F1AD2109ED15347B3CB4C567CEA352867F86FB86FF8C2845986E38BFDA917B9CCA67D3A
Malicious:	false
Preview:	ElfFile........................................................................................................................WElfChnk......................................c...f...C.v....................................................................).6.................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................&.......\......;...............................**..x...........HD................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.441017411582523
Encrypted:	false
SSDEEP:	384:BhdERE5EUELEvE/EpEbEmEfEjoPjE4FEqEZEVEiEUhqEd/2EME0EHE+EIy4qEQi0:BQoPjvh7jhHl7lzuzbCN7y+D
MD5:	8D30244BF7119CFA2F8A7A5AF8FCDAB7
SHA1:	F0827675265E0DF98A4967D8A539D476551DCAA6
SHA-256:	489E810931FD45E6D7620FE65EBF1F1A66235B06E572C2C293BD080EE1C8E1ED
SHA-512:	C71504A8F8D370825FC0C8C605B9F7217EFF2025838ED8FDF3F04CCC41E86751659BB60C7E79C48BBDDC1089C771DD16A193C107DDE4A1487F037BB2FC1455B8
Malicious:	false
Preview:	ElfChnk.q...............q....................i..Pk..buI......................................................................o._................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F........................................7...(..................};...........?..M=.......9..............U..&....$..........."..............=1......*......q........\|.xf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.2803522685445374
Encrypted:	false
SSDEEP:	384:RhYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3Kl0:R1T4hZovIZC7
MD5:	4A70DB2946C129829BEDDB2E147FBE04
SHA1:	4D3255FABE0E857840591072D9370047FDDFB83A
SHA-256:	C10981A84E3884E62907E34159FB7AA2D1F908C3E328D8D8B942B9934DFDE09C
SHA-512:	7FDBE43D4773CBC17A3879CBC012F8C9FC823529DDF6FE5E10C623B2D7AA89159132F10FE01C0632B6F8F92A0C474C67EF1D5DA4DC2EDC3CA5499D6220922AA4
Malicious:	false
Preview:	ElfChnk.........k...............k...........................................................................................<../................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.445920452673848
Encrypted:	false
SSDEEP:	384:ihFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDff:izSKEqsMuy6SbKrTPpOIKm
MD5:	21B26F726BBEBA7FD5C4C45386FC544F
SHA1:	F6CC3E80D2AD9D2F420C42D7DA3AA3C48C9D956A
SHA-256:	63E1A62EA280BF1B031E1C98FBF21FF88795119983E5BC96C036B8EEF30D325D
SHA-512:	A28CB789E4967DB231359AFE7D221C55A57FB56EF899997EBAA0F79EBD92D34547530A64B4B5492400ABFC81631E5ED792D47B836525E5E1583BA6F656062DD5
Malicious:	false
Preview:	ElfChnk.........L...............L......................f....................................................................s.J.................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=........................................f......................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.1562721664799103
Encrypted:	false
SSDEEP:	384:BhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3z2:Bmw9g3LQ
MD5:	B2C3D7448B237C268D23FE1A78777AA5
SHA1:	6C3A39325392F2B088C00CDC1763268F15832447
SHA-256:	05BC150DCBE6B62CE7D2A9CB8F706130DF70BABC54752199B02B4C91ACEE1C4E
SHA-512:	F9286BC0FC6DB6C52295C0292E2BF732C010F2D542999085F999501AC555C317FB1AFED9A2FF2DF6D91913373D0A32D2307C707381419883F5605F1D67DEE70E
Malicious:	false
Preview:	ElfChnk.........6...............6...........(o...p....Zo....................................................................ZU.#................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#.......................................^^......................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.9195298486885948
Encrypted:	false
SSDEEP:	384:3hPIRbiY8SIUIi0IsIGIAICI5I2IBIaIKI+I3lKaZrIVlKaZOITTIwI:3LQ9KC8KCV
MD5:	D4A00CC59E964B7DFD6EFDB643322E9E
SHA1:	7307AF862B22D743BF6B531829DABE041E9F1F92
SHA-256:	49414D51861772E0899416FE42628F8641622E9F793F435DE7F0118F45EDE065
SHA-512:	51663BF2E9D8F1FA3BA6B87918CD36A02AFC2F53FF89F3ED104A4B4129682F0947DC825912A81844E2D25083E7249CE7C1EE8F899D847F511AB20B0404B22F27
Malicious:	false
Preview:	ElfChnk.K.......L.......K.......L...........x...86..........................................................................E.U.................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..x...K.......1..f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.119748237037944
Encrypted:	false
SSDEEP:	384:Sh1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMpRaMRlM7kMGU:SeJB
MD5:	D1CFC256BC075DC75D7FD92207C9C0F2
SHA1:	587C19CF65305AD470E82AB5A1ED5B2E36472625
SHA-256:	6C0365C674BCE55E0C49A62D23782660D34ECB388A8A7418AD9A75DFD36E612E
SHA-512:	85F88C26274975D8EB8DDC65297064427A103B557712BD46F459B8E26A1B7E38DA3B4674920FA61476D108BA3B9846430F59AA82926AFEBDCE92B25A527331A3
Malicious:	false
Preview:	ElfChnk......................................1..p3..\q........................................................................_U........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................................................................,......................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.182756017330751
Encrypted:	false
SSDEEP:	384:9hk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS1B:9BjdjP0csdHkp
MD5:	9BA8F6B60705B6A27084436D1D4370AD
SHA1:	DCAFEC9C3F76CCE3FF65F8FED6E373B863780B6E
SHA-256:	580E71D95D6201104E37944E8A0A6596869D6C8A0CA2CD3B704FEFC9D319C957
SHA-512:	BFBAEA71174AEE5233857BFDB4427C59D945A3797EA6F5D02708807321E0ADD12ED632BAA3C5E59141CFEF108FADE90315AB670BB960A281D0E95DB18C4976A4
Malicious:	false
Preview:	ElfChnk.....................................8.......I#.e......................................................................hB................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................A.......................................................*..............5.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	77528
Entropy (8bit):	3.3178620947691186
Encrypted:	false
SSDEEP:	384:duIjolIWIMIgIRINIuI0iIY2I+EGIJrIxIUILIoINIjIkHIXIXIk3hDIEQAGxIHr:dsG53ZxGe6dWG
MD5:	E7CDA0B0E4127ECCCB280DFDA125BF90
SHA1:	D54B475FAC98839FA98386ED26BE40AEB25BFC1B
SHA-256:	7B8A7AB4045720B330DD42B040EA9B6FA7426C21EA23C7990E7AD64AC00454E4
SHA-512:	F9C744BCF6B95C24F9CD9626A92EDBEEB410FF941F4965A7550404235AAA0BD607E33861FA6E23D99EF2BE79E6324C9709E943F4568372BD5705F05DC8A76385
Malicious:	false
Preview:	ElfChnk.T...............T...........................b..\|.......................................................................o........................................>...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................1............................V...........6..........................**......x............a.........Z...V..............................................................,.......D.....!........... ....@.....a..0.U.f.....U.f.......4...x....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s..z.?..nM.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s./.O.p.e.r.a.t.i.o.n.a.l...........&.......6p.\.#i....>..........2........A..=...>.../....=.......V.o.l.u.m.e.C.o.r.r.e.l.a.t.i.o.n.I.d.......A..7...>...)....=.......V.o.l.u.m.e.N.a.m.e.L.e.n.g.t.h....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.800476718060657
Encrypted:	false
SSDEEP:	384:7h6iIvcImIvITIQIoIoI3IEIMIoIBIzI9IwWInIE1IFtI:7oxqV
MD5:	F25E3A5940E51F9A49AC271DE377E2C1
SHA1:	38EB4D0BCB8EA4C72C03AD88CF9B7136C39BCDC5
SHA-256:	D2B29761907A72BE3EC03C586D87729FF91EE3D9A6CF39319FD90A1977602663
SHA-512:	CADA8EFD9868D26AA1B4DBC5A5BDD31E624547E5755ED7B413EA74D69AB731B000BB2B8FCBDD3027FDA278A7D69058DF4BE3BAEE5AB253055C70EDE7D3AA9993
Malicious:	false
Preview:	ElfChnk.....................................X"...#.../......................................................................V)..............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................................................................................................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.999140584854273
Encrypted:	false
SSDEEP:	768:q4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH135:o
MD5:	5234109523F4243D8DFEEAFD9202BC60
SHA1:	49A4B237FB8BEE3A2BDAA0C20A579E06D2645F65
SHA-256:	D4CE68FD0E970CC24971E8258B962534A3BF7CB1F1E6209AA0BB1D09F4FB80E6
SHA-512:	C2CC9A4E7282BF37C4113FADBA4F7FDD1D2094B8F40FE145C58A5ABEE4A90BCD55FBD8876415BD9140EBEE36314D02FEE5525076B539BB5AA01FB1D32058B426
Malicious:	false
Preview:	ElfChnk.....................................(...8...\|.........................................................................6................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ......................................................................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	dBase III DBT, next free block index 1130785861, 1st item "**"
Category:	dropped
Size (bytes):	68624
Entropy (8bit):	3.916487984459231
Encrypted:	false
SSDEEP:	768:p7X0GMAow407SZRcZv76NcRkpHrWbGyYKQc90XnztputDTjV8k+u7eUtHpoVWN78:wztputDTjV8k+u7PtHpoVW
MD5:	DA866C71B16055A96A254AB6B13FA9F5
SHA1:	EC9B9D5434416301E4061E93A8DD6CB7343CFCEE
SHA-256:	A686E94CAFE91479C75CE2C7B05CDA71B0871CFD86BAE00BC9FAE41AABA6B717
SHA-512:	0F9D7DB91F34544DF227B414623A62224DF05F6AE1659E75275FC4E85F31C41A3AC77FCEA9B12485F761424A7143F76CA81F71CDC19F57C70693AB9677609A03
Malicious:	false
Preview:	ElfChnk.................K.......M...........................................................................................+#..................2...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..`...K.......19...a.........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.419800841260525
Encrypted:	false
SSDEEP:	384:hhWKyzK5SK+jKLSKDlKMAwpTKZDGKPK9KyKJSK2KVKzKAGP1K6GSKzKhMK7KS3Kj:hIgpCnz/Gh4wRub4ad4TA7Kx+
MD5:	4095EAB3A14C4A6B96BC777FF6F5791C
SHA1:	07A81726C4041010720F3FF3E237A7B847DDEE58
SHA-256:	BBDD4F53CAADF3AC0857238C32435C2B8D283F9A0D464E8113218D43DC015DEF
SHA-512:	E883CC73C4FE338A59D65865830CF58E2F2AD7B8A9D6B3D8933CEF9DA842ADE35113F68D2976E11F611FE21117E180B8BEDA5C036681BF8E865C19FCF545FD89
Malicious:	false
Preview:	ElfChnk.........[...............[...........`........".......................................................................q.H................p...........................=...........................................................................................................................f...............?...........................m...................M...F.......................................................'f.......D...T.......................s..........O....p...h............../$...............}..**................qdf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.760021633915647
Encrypted:	false
SSDEEP:	384:4hP8o8Z85848V8M8g8D8R8E8C888FB8J8a8:4R
MD5:	91415CB1A68CB19DCDB017402AAEB51E
SHA1:	EEEB808B9D0DFB3DB247AA10B64290A5029EAB89
SHA-256:	EDEE7AB462BF2D986393D24304BDEF02415A6E0483DE793BD452E169B7D08170
SHA-512:	C2F5AF43559DCE7BB66ABE305DF2DCFF0C95E2CF431D8DD0B6A02E216C8F4329C3B888BF2BF378918851A3066976FCEE745593B60970E5B9843535E6301E5BA0
Malicious:	false
Preview:	ElfChnk.........................................8!..$.0v....................................................................>...........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......................................................................................**..(.............................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.764259692525428
Encrypted:	false
SSDEEP:	1536:KXh9UyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:KXznS
MD5:	C161448D6658C570F447D8717DA5E0B5
SHA1:	34365837512ABCEC09E1AF4F49D5211ADF181CF5
SHA-256:	E901F6226250771411EBD2A0D3F315A7D75183562A63DE26145C8C771DEBFEF4
SHA-512:	33E5234D7810CEF9034571CD818CB8E840CDAC975390C7A6744E4CAE951CD64BB6A8849AE828A63C8BE211180717062F40A6D8EA865851372570B720DBBF5B57
Malicious:	false
Preview:	ElfChnk.........'...............'............I...J..}.%........................................................................................v...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&................................................>..............O.......................**..............g5...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.4373812410985773
Encrypted:	false
SSDEEP:	768:50VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9OaafcmafEMXW0OWkjWr:jcEt
MD5:	5166C2E32BD35C5E8D122799E53B4EA3
SHA1:	628619C0E31F8C29ED260FCC063CD27935ACC25C
SHA-256:	433A96E20784F1E6FB099FA4AB020EEA75BB22EEBC7D969497A31ABCB9B415AB
SHA-512:	E5EA93AA871264E180BBC67008D7AA1012CDCAC74D22D10B47F1849380E092DF2FD798C7143DD3CAB5D9192EB4A89BB0EE60DA662E626923551906AB8F31DFD9
Malicious:	false
Preview:	ElfChnk.........?...............?............y...{...v.......................................................................bV................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F......................................&.......>h..................................................%_..........................]...................*.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1912
Entropy (8bit):	3.6169799741714623
Encrypted:	false
SSDEEP:	48:MCWJLrCKOrCK3QuB69D4JmN3mCKOrCK3QQkcqrP:srCKOrCKgO69D4Je2CKOrCKgQkcGP
MD5:	8FE2094E0AFA2E21E595ACC901C61620
SHA1:	E791EB629A8AD3012F528BCA391C7BC7F050E7D1
SHA-256:	B7B97F42815CCD4E5DC9D2AD84503A1A446C9D41E283B4206606C74CD3E9BCD4
SHA-512:	443FF66C535BD0C3C3DC4DDB9723544DBC0E1D0F4DC63F40E8160A1393D07BA6CEAA589578A292259E2E195D0CBB583836135B112AEE6E7A10BFB94CF4770C37
Malicious:	false
Preview:	ElfChnk.'.......-.......'.......-............-...0....l.....................................................................~@.H................X...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................1...............................................................&.......................................**......,........\...a.........Z..&...............................................................L.......b.....!..................\...a..p........f.K...........,....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.M.i.t.i.g.a.t.i.o.n.s........J...M..<.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.M.i.t.i.g.a.t.i.o.n.s./.K.e.r.n.e.l.M.o.d.e...!..^1...........h.......>...................................4.\.D.e.v.i.c.e.\.H.a.r.d.d.i.s.k.V.o.l.u.m.e.3.\.W.i

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.322146858454247
Encrypted:	false
SSDEEP:	384:NH6/hDGCyCkCzCRCFC5CdCbCHCQCrlC+C2CV2CfCrUCECZ/C/C/2a22j2EW2z2/5:NH6/d7kNrTgt
MD5:	D8DABE7AC7FE8F2D1CD853002971BB8A
SHA1:	AC6B0F9940C1B3DB1FBC58DE8A95DD252FA73A6A
SHA-256:	DDC0E74C04DFDB71841128067C33E0B5388CC5E93EEA1FDA4ADDFC6CA39FCC77
SHA-512:	A9AF55922FC793B10A17731BC7F83A70E741E695B47249993530612A11D0A41481068A4DFD4B07182F5604A4AE289211D00766B79DB67CC25171D4ECA5A9292A
Malicious:	false
Preview:	ElfChnk.U...............U...................`...h....fyC......................................................................K................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F............................F..............................&...............................................nw..............iq......................**..0...U.........Df..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.475265357832672
Encrypted:	false
SSDEEP:	1536:P1W7C3yZy0PwbjNIFTLyQV2qRR4jBGDL+2ubu1ho7t8ckcXWIkFElThsk687vzGe:P1W7C3yZy0PwbjNIFTLyQV2qRR4jBGD+
MD5:	605D94FA0C65C59EECEECC2BEB2F61B5
SHA1:	28CA14F5E02A0A0348C4AC4A22BC228390B64F94
SHA-256:	4667182188A73611A09A2F2B7A5E623367634933BE49899E07ED2FFB99142381
SHA-512:	10CC31A6B3F5CC0AF090861E7EC615289DE4AB43E7B612F4F6518D6FEF8CD943E6A0F8A165AB4F6CAD5509575CC0C0D46960940799C95F1C6D6F103B4594EEA6
Malicious:	false
Preview:	ElfChnk.....................................0k...l..C.......................................................................2\x5................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................6Y......................................**..............X.j[d.............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	70808
Entropy (8bit):	4.478258057924485
Encrypted:	false
SSDEEP:	1536:KpAENzy/a9q4dtOyzFyQWsk4cLSKph9YC/cmqbL9tKGjDLSGUpBpJyGBapAENzyA:K+ENzwa9q4dtOyzFyNsk4cLSKph9YC/Y
MD5:	B11B988799543BBDE931B3E36AEC865A
SHA1:	9BD32C90EFEA364F8B45284AE9138E8E8BCA91DA
SHA-256:	6A535C910BBBB4FB0384CC324450F4CE35B6CAE1DA4116A6EF7D9EC8461CE013
SHA-512:	6EFB4C2AC791A7EA8659ACC0F51D29E04D29A90EA64FC870D774D38BE9108489431C16C8E44C3390087192957B34229A62A93596A2ECF6A081CA6652F2213EFE
Malicious:	false
Preview:	ElfChnk.+.......[.......+.......[...........X]...^..C..\|.......................................................................................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F................................................................................................O.......8..&.......AR...6..12...............:........x...R........?...a.........Z..&...............................................................8.......P.....!....nqm......... .?...a....,.X\.A....k.........R........................$.N......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.-.C.o.r.e..n30'.\|D..Q.R.a.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.-.C.o.r.e./.O.p.e.r.a.t.i.o.n.a.l......L12........r.i.tx.....(...S.......;....a.........Z..&...............................................................8.......P.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.517082344367377
Encrypted:	false
SSDEEP:	384:YjdAhA71d7587RS7a07DL7T7G7z7L7k7OXD7u7y7I717/7u7m727L07E7K72t7Rt:YBAiHEV6koTxbkeQEWi7Di
MD5:	2628D3458E9FBE638FC3A49E317866FA
SHA1:	8DB033ED373F8A837073679CE0F3B5DC1BD7085B
SHA-256:	D2B987B5AC61D1C66CACD6D0492AC4C4C316C9EE94638A0D312803BB9C24FD00
SHA-512:	6C3683E0A8CF261353830E1F2344A59428E55BBCAFE032AF52624FF961F28608C7E64134BBA4764DEB8885D384DFA593325DB889E9D752226FC29885E3520A67
Malicious:	false
Preview:	ElfChnk.....................................po..@q....`....................................................................\.$.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................e4.............../..s...........&................................................L..............e2......................**..H............<R.d.............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.314954486903959
Encrypted:	false
SSDEEP:	384:5mhc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauia:s6Ovc0S5UyEeDgLpIC4DoA4
MD5:	864CAA67E4BF2A335E088526FF347CD9
SHA1:	64E224001D864A18D4999F5D33A42C532877A361
SHA-256:	C904C319101B31E991343FC8FF2929F6841599C9DCC23AC6218272F630AD5894
SHA-512:	B899FA6CDC7D0F97BACCC9025516045878BBA58E86ADEA79AA164B3B27F00F6E52F8B8838210A3ECD0C0E6A20D9DD48A4A4754F7408C1DA5F1FDC2EE7A504231
Malicious:	false
Preview:	ElfChnk.........A...............A............u...v..........................................................................c.w.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................6f......w...............................**...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.773262505715791
Encrypted:	false
SSDEEP:	384:bhGuZumutu4uEu5uOuDuyb2uPu1uVupUupu+R7udu4uEu1u0u8uhuluxuMuxuMuH:b/vI
MD5:	C06B3BF303EBDD17D76D87B596EE5407
SHA1:	BFC46338E3A89112D6D7E1CFF7A9FB5909DE6458
SHA-256:	26AB9FE5730119306B700304DF2B2C11C6E8322F29CAA9AD49CBBA968DD54CD9
SHA-512:	7CBD5FFB770669AC0295C6221E02D24C116F4B72E3D990F60D122B2AED3280075DA5C3DBCA8A5749F5E566920799087D1094ECB31B5937D8B78EFB40BEC0D0A2
Malicious:	false
Preview:	ElfChnk.........T...............T...........@........J......................................................................?..................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................vN......................................**..............Wy.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.2371167268838485
Encrypted:	false
SSDEEP:	384:RhiAeCv4A+yMrAmA1AHA6AbAMAEAFmANA49ALAEAyKiAfAFgAw+AqAFAApjANAil:RCCvudb6KinaWRQJ4+8nEPDh0
MD5:	3F2115642206C3D448781C58F4EE8AF3
SHA1:	1408F4FF05D6887F74B445E296BC9B69163EDDAE
SHA-256:	84EF0FE4C7A64FA8200DEE7E064A658C2BB94A262A6DBD1353CB7EE458DF1684
SHA-512:	C3B530EA9AC3FD03615D91457CB88474254CCC6B53B3737C932690059274ED18552F40836F7CF78B698A650D636A93B72EC8C8E8057921A28CAF3718D18C85CC
Malicious:	false
Preview:	ElfChnk.........................................@....a..........................................................................................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................................5.................................................... ..........&................................$......**..`..............;f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.1631981097466806
Encrypted:	false
SSDEEP:	384:4hKpsdp90mp9b2p9iGp95ep94+p9/Kp9Wqp9tap98Cp9Pp96p9lp9za1p9Dp9Wpb:4cafg0Y
MD5:	CBAE5379AAAD2B6A84714F5CEA39ACFA
SHA1:	A1AC7C71917C9F27EDA9E17CF0CAD78FC07A82E5
SHA-256:	726B1343CDE4D4B7D2558B9B3E86DAD3782983304D0349974FFA7725D40A9D2B
SHA-512:	7A6DF8A6BDF99348719F7005EFD293089BDD9EB93E2801CB7F3F38C77717E1E47D496E7A1D8FA9FED8EC27D28946214B71C7B156A537B40112D4A76E38F968B8
Malicious:	false
Preview:	ElfChnk.........'...............'....................k......................................................................+N.>........................................<...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..............E.yrf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.036288214996343
Encrypted:	false
SSDEEP:	384:vhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWB0:vwDoh1V00eB9iVsTBwMjO2
MD5:	80B64057A5C06D0016A06F2D493CF301
SHA1:	452FDD974A9D63E05AC2F9AE4199CFD0C7CDCD62
SHA-256:	5ABDEF24E5D651A400B36F57A109443BC4F1C975FDAEBB512ADE44935C8BEB1A
SHA-512:	4F9E119EDA7FEED0948DABBDE51C9CBD835DB19EE717F3ED6EB99A16240EB351C968F4A8C39E8BCA2124A0E8A1C53AE5CD8A7D7F61748AFDE0574FF675166F43
Malicious:	false
Preview:	ElfChnk.\...............\.......................X...j.......................................................................LU.t.......................................R...=...........................................................................................................................f...............?...........................m...................M...F............................................;..............&...................................i..................................mS..............*..8...\........=..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.166433348209963
Encrypted:	false
SSDEEP:	384:/hwCCRzCaCkClCzCYC/CyCVCGCMCvCACWCKECQCMCdC:/KF6
MD5:	9AB3073B8BEBBC3C1E9DCB47217C8E27
SHA1:	33477618A675262EFDC74FACE70AE448EE9CAA05
SHA-256:	E19A280A63CB747D2029892A6F0E67D2C83461FF15112067AF24B8B5E136CC30
SHA-512:	58DD3DECA39CBF605861F78EDD27F3F97858581322063E9F7F1169C9F190613A22649289959A525729F503643B5EFDF5C1C20EE43C21B69C9B4468BA0BDAD6F5
Malicious:	false
Preview:	ElfChnk.....................................04..h6............................................................................4................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................................................................+................................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	103744
Entropy (8bit):	4.524216194849794
Encrypted:	false
SSDEEP:	384:yMPYcMPYrMzY7MzYbMzBM2M/M8fMsMsMhhzMOYQNM6dM1MoYFMoYOKIKFKSKBKYk:05sFmKNLZ5sF8
MD5:	8F410BF6390D292AE3117F69B213A041
SHA1:	9D8AD0B3275AF7632E135F84292CE8ADB201E9C1
SHA-256:	D937F0E0C293099BCFAD990AA2D4DC4710D1B5A5DD3FD1A7F943E9E95110D7B6
SHA-512:	E133B5BAD6711E10771B10AE35FEC5FDD2FECF9CDFA62BB5F5BE89CA8700A0B1C61860E97172D8463E7D8DC95BE6284C927BBE950D5D8BBAD04C285C978B3C9F
Malicious:	false
Preview:	ElfChnk..%.......%.......%.......%...........o...r..5.l......................................................................x.........................................6...=...........................................................................................................................f...............?...........................m...................M...F........................H..................................u...............................................&.............................................%......b...g..........Z..&.......................................................................F...9.!...A.A...........b...g...0.U.f....U.f.......P....%...................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.t.o.r.e..7*...\..C.....M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.t.o.r.e./.O.p.e.r.a.t.i.o.n.a.l......................I.......S.k.i.p.p.i.n.g. .l.i.c.e.n.s.e. .m.a.n.a.g.e.r.:. .P.F.N. .M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s.A.l.a.r.m.s._.1.0...1.9.0.6...2.1.8.2...0._.x.6.4

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 15, DIRTY
Category:	dropped
Size (bytes):	79016
Entropy (8bit):	1.821617794541319
Encrypted:	false
SSDEEP:	384:yWhL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUm6UmaUmVAUmSUmxhL6UsE0ZI:ZY7L8LY7L8
MD5:	386CCDD7CA512EB5AC6165D7993D3A22
SHA1:	855A099D23078C20019C4D34CB978FF6E4135F44
SHA-256:	9E40F84C9FB8CD68C9BC9E706AC8C9C9E1C5C3A0F2256565090D7DFCBB5ECB3E
SHA-512:	A0CCB30C6BFBA3EC1D338109C8AF879DDE73A69F1F028CE60B9C5469A9921859EF40D36C384651A5874E92B16585E0DD486FA15C8BE9F701BBB9BFCDADEFD295
Malicious:	false
Preview:	ElfFile.....................................................................................................................\>.eElfChnk......................................1..(4...........................................................................zN................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................>-......................................**..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TZUtil%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	67776
Entropy (8bit):	0.3684227027893663
Encrypted:	false
SSDEEP:	48:MdVWd8HrP+8QNRBEZWTENO4brBE3olDD/6yHVWd8HrP+8QNRBEZWTENO4brBE3oX:8qNVaO8io1/6yNqNVaO8io1/6y
MD5:	82426AAEC6347B4EB99B3AAD13F81F64
SHA1:	66830127F38135ABD8750679474753B24FE09AF3
SHA-256:	04EE213CDFCAD5D4F07309857C4F3EF997676C9FD38F0EDD5006CC168913B8C7
SHA-512:	6EB778D87F2DD4D9694A2495F39EFFC53CA5972B2936A31A418C4F6CAA8385A44AEF99F1B6D28152001F18C369EF8FDAD64D7DF6F38BE378C1AD5E9A09BBB5CF
Malicious:	false
Preview:	ElfChnk.......................................................................................................................K.................".......................J...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**...............3..g..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.9658503180918458
Encrypted:	false
SSDEEP:	384:khHivRiLiakrkEi5iciMiHiQi8ixiBiFioikiFiixFiIMZifiwiLitixgZJiJi/P:kgtxHMa
MD5:	9961A2C4F5AC430AB4FE55D69904E2C9
SHA1:	BA49A1A12A889812148BECC8D5B285AD418D54FE
SHA-256:	EAE8AAB4F398C27A8E7855C8524389EBE4F695B28D2B51E9EA916738D5E579E9
SHA-512:	B7B0B29444E2B9BECCA18B96D5CA3D7098236C9919F7DE59A37405012C19C6B641CD3C1DA7E9E12F454004B93BB022F689125D31E26825929BB9A7D79FEF3199
Malicious:	false
Preview:	ElfChnk.y...............y................... d..0f.....6.....................................................................;.................>,..........................=.......................#.......................................>...........................................................f...............?.......................P.......................M...F...................................................9.......n(...............................................:...............,......................**......y..........a...........g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.406780926092983
Encrypted:	false
SSDEEP:	768:QZaQLBaLa3azavaKWabafaHa7aqOaLaDaXaHafafa3aLaraDanaTavaHafajaTaK:ELQ
MD5:	CBD25CED1C3F6F0D6215874D4E24B845
SHA1:	27B08A2238A8A0F4E067ECA9BE36063C3EBCC451
SHA-256:	37C7688A334523D0CB0D41A7CF52185BFC47639C524F045A2AF863B7720C69E6
SHA-512:	D4955A2A8431DAC65F8A08104B1641FBC6FDF783F6F0B4A6825E590C69602A571E27A0945B87D03EA765BBE62FA3C2126582CAEDA76986A530D5AF6DB2512229
Malicious:	false
Preview:	ElfChnk.........@...............@...............`....).......................................................................'.1................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&...;...................................**..H...............f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3650161876414235
Encrypted:	false
SSDEEP:	384:2haXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJiXJtXJiXJWTXJpXJUXJ4XJ:2Q0yUkNYwD8imLEWTWW1fsg
MD5:	346E087AE87A771402B2E38619AB7B71
SHA1:	4B7EFEA99E401A5E6C0D115E2B27C48778704C13
SHA-256:	82B60B9565D3FDA733EF5B4A6996AD51C08BC604BE6DC184255A8928B1220EE5
SHA-512:	63C3EB568562AD3560924F7830F0ED120CC362A9FC24EA6CCE4B0EC5F90A0BBEF58539C26B5379A5E6D1939BED7D06A92B4A2521775AF2516793F42A289C0E4B
Malicious:	false
Preview:	ElfChnk......................................A...D.....<....................................................................7...................j...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&................................................6..........C...........................**..............@V.$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.335318634068108
Encrypted:	false
SSDEEP:	384:ehRmsmRm1m4mXm9mSmBmStmtmimMmAmAmRmcmxHmEmqmwmHmLmlm9mGmdmpm3mfr:euDcxMmo
MD5:	3B31610BEABB5895A19C346C64C234C6
SHA1:	84316C06991A51AD91C247130B615F0E56CD4D01
SHA-256:	EA4D4D4A4D56D42B0205793B2C9E45A732EA2F8909095BF924C2F4A138DE0404
SHA-512:	2B9784678702654E8FA65456A501F9F6B48ABD575EE58264709A97FFF9C38C26C7A6ED9057278E1A090BBB4BD2F88FBC95E636D9DEE509142B67B4D81FBAB5A1
Malicious:	false
Preview:	ElfChnk......................................'...(..'.D........................................................................R................L.......................t...=...........................................................................................................................f...............?...........................m...................M...F...............................................K...........................................%...............&.......................................**.................Hf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7112352075765392
Encrypted:	false
SSDEEP:	192:BV7VDiDL/bDiDwTDiDHDiDDDiDSDiD8DiDkDiD0DiDEDiDMDiDMDiDMDiD:BhV2nT2UT272/2+2w2g2w2I2o2A2I2
MD5:	5D63AFB3EA60A7655FF95B4DB1B451E0
SHA1:	B5D236316CC6617071D83D7E1B4367DDA1A889B1
SHA-256:	815D1AE9187ED88319DDCD4F95D544E3B4FC3D12E2BF9A0DFD30441819089010
SHA-512:	C00665A8527B92BB677696119894947DA47603CD1168B3536E7317E8D82C1A3563D50612C4AEF5BDEE75D491AEC97F8AB543F5FA1EB5E4080E7B1D8A55FE57E6
Malicious:	false
Preview:	ElfChnk.............................................u.=k....................................................................Z}#.................N.......................v...=...........................................................................................................................f...............?...........................m...................M...F...............................'...........................................................................&.......................................**.................sf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	68712
Entropy (8bit):	4.361668814791369
Encrypted:	false
SSDEEP:	384:QRR4z0jBDRPR39ZhlR0CsRNHgR/R0ZRpERORRRR4z0jBDRPRHmXR9XPRFrRXVRcy:UZiHRm3X3NI538LMi
MD5:	7839B088DE61B1CF65F70A24FA115B45
SHA1:	25C56E3363C4BB415405B47FB1BCB7C721FF369E
SHA-256:	3B342B1F051DDF5140B2828047DBCD036E86DEC12CE2421DFFCF00936E39D9E4
SHA-512:	5DC3EDD102FC94F491AF775AAEDD7EA3AE4F5CEF644348C84E0B9F8A73104E745789BAD17390073AC3976029A6F69E4679DB9ED44242633C3CA9AE38D45F326A
Malicious:	false
Preview:	ElfChnk.J.......S.......J.......S............,.../....U........................................................................3....................C.......Q............(..=.......................................0"..d....................'..7#..........................................V(......(...f...+...........?....................... .......................M...F.......)(.......'..............................&............................................................&.....................................*......Q........8...a.........'.z&...............................................................<.......T.....!................@.8...a......R.6O.O..=..Q........Q....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y.......#F.~.J.{..M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...(~K..&..."..(~K..95S....V.X.........A.......&..?...g<..O.p.e.r.a.t.i.o.n._.C.l.i.e.n.t.F.a.i.l.u.r.e...o....j.....3.h.t.t.p.:././.m.a.n.i.f.e.s

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.282820835556058
Encrypted:	false
SSDEEP:	384:chOhpuhdh+h9hthXhzh8cghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLhahYhr:cQsFpkBc1S
MD5:	7DB7567819F7CFC6955126B8306826E6
SHA1:	45CCB1C41CA1C6E1384207444A8B84437408DF1A
SHA-256:	0DDCE2B5ADFAAB4EF8A1686D0064B8CCFF43B1D3C93893A62EF07B7FB896E8E5
SHA-512:	FF5F662885580210B522215F56FD29417B6555F0878610D44D8F798E044876F99F86C5FF688BB77C92B894368E5DF32130B52BFE37401BACD3305B63463A2394
Malicious:	false
Preview:	ElfChnk.........................................P.....Q................................................................................................................:...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&...............!.......................**...............k..f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.232783163157918
Encrypted:	false
SSDEEP:	384:ZhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVMV3VJmVhpVEVA:Zyjbj
MD5:	71A005B17A2D32C10709277023D447E6
SHA1:	14754F04007D539159F75D62AACC6A282CAA8D54
SHA-256:	6E220C6CCBB76AEE639EDFCC6204C80EEC9FA1CCE0AC40EE4B821AF3AC27887B
SHA-512:	BC3533B3DEF1BC8B7D990700CA573EFF57D05C4E72DF2BB536247466D5FE9EB5DFE6F2EC18F02C808449F998AC00E26E920E3984B4E8367F8E9AF188BD1D9518
Malicious:	false
Preview:	ElfChnk.........!...............!............7..`8...).....................................................................Ce.~................&...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................v................................................+......................................**..P...........y................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.214092789754939
Encrypted:	false
SSDEEP:	384:mhZBwBjsrBwBhBwBj4BwB6p+/4WBwBQ/cBwBjQNqObx13ABwBqhdBwBQ/LQBwBQZ:mOsc6QNqObxZyS3qes
MD5:	08A246EE9A5813CA40C7F9B6D3B9C36F
SHA1:	96FD95304A9D1F958128D8447A9C9805AB7AFACB
SHA-256:	4662FE870ACC7D800BCAA664F14EE7E1AF8772462933274E933CAA78CC1397B8
SHA-512:	9BB7E230CB4CD4653F7102177492517329F07429589B5C45DD054E315D84C581734420C90A050CD673B9C7B4A232EECDEF6084833FD54AA0DA922052CA0C175B
Malicious:	false
Preview:	ElfChnk.^.......m.......^.......m...........@;..p>....T.......................................................................o............................................=...........................................................................................................................f...............?...........................m...................M...F...........................g...............................................................................&.......................................*.. ...^...........f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.414298413407747
Encrypted:	false
SSDEEP:	384:3thQUE2UEFUE5UEKUEODUEzUEFUEsUE/UEGUE6UEWUE9UEtUEBUE8UEGUEuUE5UD:9w/RPoP6e
MD5:	77D9AFD001F6BBD592C19652D671FEA3
SHA1:	B87EA73299713B00D44A123C4B48636957EA90CE
SHA-256:	E25E174DE18D3B90B5EBC3C394A7C6BFC34F3E27FB260758BC8CB135E4D45770
SHA-512:	C81A545351015315060E812535A43C97A0FCBC2F49AA2034B50F963839F7F7DC1BC16EF070D5FF951E5FE82A9B315E8EFC20470707FD8C995A932E44369845E8
Malicious:	false
Preview:	ElfChnk.........................................8...,..t......................................................................>.......................................R...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................*..............._..f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	68128
Entropy (8bit):	4.242923777939073
Encrypted:	false
SSDEEP:	384:2FRRFRHTjoNSg0PtocChoLu60zCwySonMt0SoHMtoLoHMtaoDoH5OD0obO9ZoJf1:wNLFj0Dyid9sPryVpxy
MD5:	006C6C2036A0D06A3653C7548763C7B7
SHA1:	683F6DD7F52333497D1449C2A6F04B0CEA1DAD87
SHA-256:	CE03030248BB7A6E2C5A04EF37C8095664713E6A0EC3287E1E68C7FDBBEDB7DA
SHA-512:	15EAE3E540C4EF034E3201E605D244C3627A85A634DA74FB9EC6B83DB85A9F30DFC75B1F55672FBDC6470DF9EB7B1FD536834297CC6E25093A94EC5DD8951AB7
Malicious:	false
Preview:	ElfChnk......................................... .....Q...........................................................................................s...h...............N...=...................................................N...............................................w.......6......................./...................................]...........).......M...T...:...............................................................................................................&...............................*.. ...........!\...a...........&.........*.9.LS5..f....A.......A..5...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....^...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\Setup.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	67992
Entropy (8bit):	0.40418713094207487
Encrypted:	false
SSDEEP:	96:u7NVaO8ioTE8SRO217NVaO8ioTE8SRO2:uJV7uE1RLJV7uE1R
MD5:	9A44CAAB8F3A4A9AD3D6CFFCE3EE0AA8
SHA1:	936960E6E76267FD20A931DEB8A1D32DF5326810
SHA-256:	2AB1651667A8876745942FA25F87B1192C49B46433C8F6EBE378A0769788FE3A
SHA-512:	54868AF2E01A222DBA108A090E4DBA4F92B98E1972283D7D74D844BE66446D2629C1E10D696C3E36AD9EA1D7D5C5AA36AEBA961624004C49F9E07762227BD911
Malicious:	false
Preview:	ElfChnk...............................................6&....................................................................................................................=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..............(k..a.........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\System.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	79360
Entropy (8bit):	4.407312477284869
Encrypted:	false
SSDEEP:	768:8W2fW27Mo46/iP6f/4wNeRKe+PH+YektW22KQd:UMFfP6PeMPZdpQd
MD5:	C48E4B37238FC810CDA8387E76BC2129
SHA1:	90D11DFA71D872C73C07D4B50A453DA767068ADA
SHA-256:	1012A2D506505F259A264F172529CDD5076A5B44A36805E2CF513A13E40B6084
SHA-512:	42267A9D6DD47C822261DED6EC003CDE170535CF8105A3E583718F53171CE8A670AD77B39D5C4CE62AA9B1665E4E9E664E474B6A58370B4E3928D79FB6FD9E20
Malicious:	false
Preview:	ElfChnk..............................................'......................................................................0%......................s...h...................=...................................................N...............................i...0...........w.......2.......................G...................................Y...........).......M...5...:........................................................................................................... ...........................&.......**..............!\...a.........#m.&........#m...].N.I.P.=.......A..1...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....Z...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	77088
Entropy (8bit):	3.822549954950183
Encrypted:	false
SSDEEP:	1536:TU8398/1Z2ngybZU8398/1Z2ngybSaCssVtIdhxJVf+9f9f+AHF5bx7CQR:phxJVf
MD5:	97A2CFDD2893B6ECF7749024E29784DB
SHA1:	0E9F8C809E9E1D61BE9F927E7C7FEE3EDE7C6605
SHA-256:	17500910834A64B3BDF514B5391DB6A851D4FDD3360358BB71FADECE380F5C10
SHA-512:	1606598B68D62EBCDC2160BD2FDF769E15F4292456211A41F2524CD398BDBA7E4C26800F613D5AA9DF19580ACA22FC158A91D1C5BE72C0CB226D84E785DB8F81
Malicious:	false
Preview:	ElfChnk.................i.......p............(.. -.........................................................................................................................=..........................................................................................................................._...............8...........................f...................M...c...........................p...............&.......................................................................................................**......i........Nt..a........!j..&.......!j....:Tc`.)..h........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..R............{..P.r.o.v.i.d.e.r.../....=.......K...N.a.m.e.......P.o.w.e.r.S.h.e.l.l..A..M...s........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n............

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.519628355610314
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	xmr.exe
File size:	5'468'672 bytes
MD5:	154202154e41175e801a698ca940eb0c
SHA1:	6ce074d67c91cb00016cb1095319b00afab396a8
SHA256:	0612bfb5a51b0b413ba960f7d52bc647bd4cf7530fd760c0d6006aa829e806e2
SHA512:	7d0a7474c28b87972fb02a48ee56a2549765a584a53abbd123631e142a655b17f3508b7d3c2b90f3174d118940143af12728355900472f27fe8280aa11a8f540
SSDEEP:	98304:LOl8w9dke5gARmiTqHc2+i72sq2GMbo9GYaUbTvcB7abEUGyxByPuZ0:LOlj9dkC8c2F2D2G1GVLB7WBBNG
TLSH:	0F4623485EEF1CE8E0F458340C5254A7F67B7069F972D3CB66AA93E081F2F1EA150987
File Content Preview:	MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d....;.f.........."...........R.....@..........@..............................S...........`........................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140001140
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66C13B8A [Sun Aug 18 00:08:42 2024 UTC]
TLS Callbacks:	0x40001760, 0x1, 0x400017e0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	203d63d5d9a088e2d84cef737227986b

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00009ED5h]
mov dword ptr [eax], 00000001h
call 00007F0B9CD74E0Fh
nop
nop
nop
dec eax
add esp, 28h
ret
nop
inc ecx
push edi
inc ecx
push esi
push esi
push edi
push ebx
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov edi, dword ptr [eax+08h]
dec eax
mov esi, dword ptr [00009EC9h]
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007F0B9CD74E30h
dec eax
cmp edi, eax
je 00007F0B9CD74E2Bh
dec esp
mov esi, dword ptr [0000BE19h]
nop word ptr [eax+eax+00000000h]
mov ecx, 000003E8h
inc ecx
call esi
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007F0B9CD74E07h
dec eax
cmp edi, eax
jne 00007F0B9CD74DE9h
dec eax
mov edi, dword ptr [00009E90h]
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007F0B9CD74E0Eh
mov ecx, 0000001Fh
call 00007F0B9CD7E0B4h
jmp 00007F0B9CD74E29h
cmp dword ptr [edi], 00000000h
je 00007F0B9CD74E0Bh
mov byte ptr [00537531h], 00000001h
jmp 00007F0B9CD74E1Bh
mov dword ptr [edi], 00000001h
dec eax
mov ecx, dword ptr [00009E7Ah]
dec eax
mov edx, dword ptr [00009E7Bh]
call 00007F0B9CD7E0ABh
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007F0B9CD74E1Bh
dec eax
mov ecx, dword ptr [00009E50h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xccd8	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x53a000	0x18c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x53d000	0x78	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb0a0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb410	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xce78	0x160	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9616	0x9800	44eda265e6365a2ed99c22dead73472d	False	0.48553145559210525	data	6.141032412393602	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x246c	0x2600	eca998696ecb54736320991caa9725f7	False	0.45672286184210525	data	4.6492072318033415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe000	0x52bd98	0x52a800	55e127bbc47e7a45f700ba8b973f4d47	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x53a000	0x18c	0x200	bce08e81f3f6fdaabc1f878981edacd9	False	0.5078125	data	3.183906458783946	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x53b000	0x10	0x200	b18c7380298e104adf73576fa46bccc1	False	0.04296875	data	0.15127132530476972	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x53c000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x53d000	0x78	0x200	7b813d4cf20ea86d13c0c697436c2c04	False	0.236328125	data	1.435244403940088	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
msvcrt.dll	__C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 16:20:43.713453054 CET	1.1.1.1	192.168.2.8	0xf548	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 7, 2025 16:20:43.713453054 CET	1.1.1.1	192.168.2.8	0xf548	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jan 7, 2025 16:21:20.687737942 CET	1.1.1.1	192.168.2.8	0x16d1	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 7, 2025 16:21:20.687737942 CET	1.1.1.1	192.168.2.8	0x16d1	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
ZwResumeThread	INLINE	explorer.exe, winlogon.exe
NtDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
ZwDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
NtEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe
ZwEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
NtResumeThread	INLINE	explorer.exe, winlogon.exe
RtlGetNativeSystemInformation	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
NtEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe

Processes

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Process: winlogon.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID:	0
Start time:	10:20:25
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\xmr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\xmr.exe"
Imagebase:	0x7ff7b0200000
File size:	5'468'672 bytes
MD5 hash:	154202154E41175E801A698CA940EB0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:20:25
Start date:	07/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:20:25
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:20:29
Start date:	07/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	10:20:29
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff60d9a0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:20:29
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop UsoSvc
Imagebase:	0x7ff738950000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:20:29
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:20:29
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:20:29
Start date:	07/01/2025
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff75a840000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:20:29
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop WaaSMedicSvc
Imagebase:	0x7ff738950000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:20:30
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:20:30
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop wuauserv
Imagebase:	0x7ff738950000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:20:30
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:20:30
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop bits
Imagebase:	0x7ff738950000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:20:30
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:20:30
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop dosvc
Imagebase:	0x7ff738950000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:20:30
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:20:30
Start date:	07/01/2025
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\dialer.exe
Imagebase:	0x7ff66fbf0000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	10:20:30
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe delete "ARIBLEUL"
Imagebase:	0x7ff738950000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:20:30
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	10:20:30
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto"
Imagebase:	0x7ff738950000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:20:30
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	10:20:30
Start date:	07/01/2025
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff6cc5a0000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	10:20:31
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop eventlog
Imagebase:	0x7ff738950000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	10:20:31
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe start "ARIBLEUL"
Imagebase:	0x7ff738950000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	10:20:31
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	10:20:31
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	10:20:31
Start date:	07/01/2025
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff6b5fa0000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	10:20:31
Start date:	07/01/2025
Path:	C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
Imagebase:	0x7ff61c0a0000
File size:	5'468'672 bytes
MD5 hash:	154202154E41175E801A698CA940EB0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 76%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	10:20:31
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	10:20:31
Start date:	07/01/2025
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff7751a0000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	10:20:33
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	10:20:33
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	10:20:33
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	10:20:34
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	10:20:34
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	10:20:34
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	10:20:35
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	10:20:35
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	10:20:36
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	10:20:36
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	10:20:36
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	10:20:36
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	10:20:37
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	10:20:37
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	10:20:37
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	10:20:37
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	10:20:38
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	49
Start time:	10:20:38
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	50
Start time:	10:20:38
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	51
Start time:	10:20:38
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	52
Start time:	10:20:39
Start date:	07/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 00007FF7B0201140 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483083922.00007FF7B0201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B0200000, based on PE: true

Associated: 00000000.00000002.1483040048.00007FF7B0200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483126256.00007FF7B020B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483162443.00007FF7B020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483198670.00007FF7B020F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1484042744.00007FF7B0703000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1484100023.00007FF7B073A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b0200000_xmr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
Instruction ID: f5bcce84e009c7f5ad1f2bdb9465ef98119259d398ba8de59d8ca220d68dfee5
Opcode Fuzzy Hash: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
Instruction Fuzzy Hash: 82B09234D0430984E2053B0998412A9AA617B2A740F800020D60C02366EA6D60484B20

Analysis Process: WmiPrvSE.exePID: 7884, Parent PID: 744COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.7%
Total number of Nodes:	81
Total number of Limit Nodes:	2

Executed Functions

Function 000001F25AC1328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001F25AC132AE
PathFindFileNameW.SHLWAPI ref: 000001F25AC132BD

Part of subcall function 000001F25AC13844: StrCmpNIW.SHLWAPI ref: 000001F25AC1385C

Part of subcall function 000001F25AC13790: GetModuleHandleW.KERNEL32 ref: 000001F25AC1379E
Part of subcall function 000001F25AC13790: GetCurrentProcess.KERNEL32 ref: 000001F25AC137CC
Part of subcall function 000001F25AC13790: VirtualProtectEx.KERNEL32 ref: 000001F25AC137EE
Part of subcall function 000001F25AC13790: GetCurrentProcess.KERNEL32 ref: 000001F25AC13809
Part of subcall function 000001F25AC13790: VirtualProtectEx.KERNEL32 ref: 000001F25AC1382A

CreateThread.KERNEL32 ref: 000001F25AC1330B

Part of subcall function 000001F25AC11D14: GetCurrentThread.KERNEL32 ref: 000001F25AC11D1F

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 0ba97a8d74514715650d30c05628389cf15b5cf2b2ea17ad3bcdc96d6a851b40
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 8111ADF0F2274382FBA0AB25F8073F92294AB7470BF805139D946856B0EF78C0498E18

Function 000001F25AC11ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001F25AC11628: GetProcessHeap.KERNEL32 ref: 000001F25AC11633
Part of subcall function 000001F25AC11628: HeapAlloc.KERNEL32 ref: 000001F25AC11642
Part of subcall function 000001F25AC11628: RegOpenKeyExW.ADVAPI32 ref: 000001F25AC116B2
Part of subcall function 000001F25AC11628: RegOpenKeyExW.ADVAPI32 ref: 000001F25AC116DF
Part of subcall function 000001F25AC11628: RegCloseKey.ADVAPI32 ref: 000001F25AC116F9
Part of subcall function 000001F25AC11628: RegOpenKeyExW.ADVAPI32 ref: 000001F25AC11719
Part of subcall function 000001F25AC11628: RegCloseKey.ADVAPI32 ref: 000001F25AC11734
Part of subcall function 000001F25AC11628: RegOpenKeyExW.ADVAPI32 ref: 000001F25AC11754
Part of subcall function 000001F25AC11628: RegCloseKey.ADVAPI32 ref: 000001F25AC1176F
Part of subcall function 000001F25AC11628: RegOpenKeyExW.ADVAPI32 ref: 000001F25AC1178F
Part of subcall function 000001F25AC11628: RegCloseKey.ADVAPI32 ref: 000001F25AC117AA
Part of subcall function 000001F25AC11628: RegOpenKeyExW.ADVAPI32 ref: 000001F25AC117CA

Sleep.KERNEL32 ref: 000001F25AC11AD7
SleepEx.KERNELBASE ref: 000001F25AC11ADD

Part of subcall function 000001F25AC11628: RegCloseKey.ADVAPI32 ref: 000001F25AC117E5
Part of subcall function 000001F25AC11628: RegOpenKeyExW.ADVAPI32 ref: 000001F25AC11805
Part of subcall function 000001F25AC11628: RegCloseKey.ADVAPI32 ref: 000001F25AC11820
Part of subcall function 000001F25AC11628: RegOpenKeyExW.ADVAPI32 ref: 000001F25AC11840
Part of subcall function 000001F25AC11628: RegCloseKey.ADVAPI32 ref: 000001F25AC1185B
Part of subcall function 000001F25AC11628: RegOpenKeyExW.ADVAPI32 ref: 000001F25AC1187B
Part of subcall function 000001F25AC11628: RegCloseKey.ADVAPI32 ref: 000001F25AC11896
Part of subcall function 000001F25AC11628: RegCloseKey.ADVAPI32 ref: 000001F25AC118A0

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 8c509b35c596b76e4e940d8f447e88ef2275b40013f635437f5716b361f0f9b4
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: BE31BCF131274681FF509B26E6822F963E5AB64BD6F045439DE0D876B5EE3CC451CA10

Function 000001F25AC13844 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 000001F25AC1385C

Strings

dialer, xrefs: 000001F25AC13855

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction ID: 7501180c65486ae6da6c165926f0c9e3a94fc71c4350587be73713b4c7d5ca5c
Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction Fuzzy Hash: 14D05EF471234786FB649FAA88C66F02390EB24B5AF884031C90001260DB38C98E9E20

Function 000001F25ABE273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001F25ABE285E

Memory Dump Source

Source File: 00000004.00000002.2715522869.000001F25ABE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F25ABE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25abe0000_WmiPrvSE.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 6309380138738fe91e75c5bf563d6ec4c223cfd73ac06ac9c8f1a056d8b6f98e
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 3A61003AB0179287EF548F1590227FDB3A2FB64BA4F589131DE5907798DA38DC52CB80

Non-executed Functions

Function 000001F25AC12B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000001F25AC12BD0
lstrlenW.KERNEL32 ref: 000001F25AC12E0A

Part of subcall function 000001F25AC1199C: OpenProcess.KERNEL32 ref: 000001F25AC119C2
Part of subcall function 000001F25AC1199C: K32GetModuleFileNameExW.KERNEL32 ref: 000001F25AC119E0
Part of subcall function 000001F25AC1199C: PathFindFileNameW.SHLWAPI ref: 000001F25AC119EF
Part of subcall function 000001F25AC1199C: lstrlenW.KERNEL32 ref: 000001F25AC119FB
Part of subcall function 000001F25AC1199C: StrCpyW.SHLWAPI ref: 000001F25AC11A0E
Part of subcall function 000001F25AC1199C: CloseHandle.KERNEL32 ref: 000001F25AC11A1C

GetProcAddress.KERNEL32 ref: 000001F25AC12BE5

Part of subcall function 000001F25AC1152C: StrCmpIW.SHLWAPI ref: 000001F25AC1155D

Part of subcall function 000001F25AC13844: StrCmpNIW.SHLWAPI ref: 000001F25AC1385C

StrCmpNIW.SHLWAPI ref: 000001F25AC12C28
lstrlenW.KERNEL32 ref: 000001F25AC12D50

Strings

ntdll.dll, xrefs: 000001F25AC12BC9
NtQueryObject, xrefs: 000001F25AC12BDB
\Device\Nsi, xrefs: 000001F25AC12C1B

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: 0c3d88725adf3c0f433bb3e4ee51c0532380295866b861db82f7b7c286521447
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: FDB1AFBA312B9282EB649F25D4527F963A8FB64B86F045036EE4A577B4DF34CC40CB40

Function 000001F25AC17D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001F25AC17DAC
RtlCaptureContext.NTDLL ref: 000001F25AC17DD9
RtlLookupFunctionEntry.NTDLL ref: 000001F25AC17DF3
RtlVirtualUnwind.NTDLL ref: 000001F25AC17E34
IsDebuggerPresent.KERNEL32 ref: 000001F25AC17E88
SetUnhandledExceptionFilter.KERNEL32 ref: 000001F25AC17EA9
UnhandledExceptionFilter.KERNEL32 ref: 000001F25AC17EB4

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: 98e832783d1c9fb0a6b8fd5b1458bb9140b0f520a8726e174c91bdd1911924a5
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 59316FB2306B818AEB609F64E8517ED7360FB94745F44443ADA8D57BA8EF38C648CB10

Function 000001F25AC1D2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001F25AC1D31D
RtlLookupFunctionEntry.NTDLL ref: 000001F25AC1D335
RtlVirtualUnwind.NTDLL ref: 000001F25AC1D370
IsDebuggerPresent.KERNEL32 ref: 000001F25AC1D3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 000001F25AC1D3B3
UnhandledExceptionFilter.KERNEL32 ref: 000001F25AC1D3BE

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 0cad5f263617cc2d805d522448f7be092e1cf7a56641b2ce013f580c7c3a1516
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 91318D76215F8186EB60CF29E8413EE73A0F798B55F500126EA9D43BA8DF38C156CF00

Function 000001F25AC17960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001F25AC1798C
GetCurrentThreadId.KERNEL32 ref: 000001F25AC1799A
GetCurrentProcessId.KERNEL32 ref: 000001F25AC179A6
QueryPerformanceCounter.KERNEL32 ref: 000001F25AC179B6

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 156379ed1e986be3a0cc8f8fc0c9c0e0dd145386c769b34554085f4f09779d23
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 0C111876711B028AEF00CB60E8563E833A4F719B69F440E31DAAD867A4DB78D1988780

Function 000001F25AC11268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F25AC1126E
HeapAlloc.KERNEL32 ref: 000001F25AC1127D
GetProcessHeap.KERNEL32 ref: 000001F25AC11297
HeapAlloc.KERNEL32 ref: 000001F25AC112A8

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: da34ea0c25d3edc25a7d6ed81c5568d3c8d3267fbcca8a4a5566cc2624463e26
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: FBE039B560270586EB048B62D8093AA36E1EB89F06F048034C98907361DF7DD499CB60

Function 000001F25AC244A8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000001F25AC246F7
RaiseException.KERNEL32 ref: 000001F25AC24708

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 91c45a23742243141810e6f77c67a66073dfa56da4d49e6a277af36b1acf7cf1
Instruction ID: 689a0a1896cc36ef4a3362a35023d3a0199c76ea9c79fd94efde157a87ba8672
Opcode Fuzzy Hash: 91c45a23742243141810e6f77c67a66073dfa56da4d49e6a277af36b1acf7cf1
Instruction Fuzzy Hash: A7B13AB7601B89CBEB15CF29C9463A87BA0F784F49F158961DBA9877B4CB39C451CB00

Function 000001F25ABF38A8 Relevance: 1.7, APIs: 1, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000001F25ABF3AF7

Memory Dump Source

Source File: 00000004.00000002.2715522869.000001F25ABE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F25ABE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25abe0000_WmiPrvSE.jbxd

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: 91c45a23742243141810e6f77c67a66073dfa56da4d49e6a277af36b1acf7cf1
Instruction ID: 8325964808e2932e461bd396ea9543888a41ca2e7bb6f03a8aaeb6b0feb46545
Opcode Fuzzy Hash: 91c45a23742243141810e6f77c67a66073dfa56da4d49e6a277af36b1acf7cf1
Instruction Fuzzy Hash: AAB14073200B898BEB55CF29C4563AC7BA0F344B58F198A26DB6D877B4CB3AC451CB40

Function 000001F25AC1DCE0 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
Instruction ID: 7295b7932013457e2f14b3ac711580a5a2e2056819afbeb38639e257c8f4df75
Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
Instruction Fuzzy Hash: A35104B2701B9189FB20DB72A8417FE7BA1F754BE9F144125EE5867BA9DB38C501CB00

Function 000001F25ABE1F2C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2715522869.000001F25ABE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F25ABE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25abe0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede98a6d8d02e88a1d8b84a5c6c80a15dedc9657b0a7b1a34b363c45f1d0dee8
Instruction ID: c815595f94e8c91bda60602bdd143a81502d12fabb2fbe8701638750b002383d
Opcode Fuzzy Hash: ede98a6d8d02e88a1d8b84a5c6c80a15dedc9657b0a7b1a34b363c45f1d0dee8
Instruction Fuzzy Hash: 3DB1907221075286EF698F25D8627F9A3A5F764B84F445036EE09577B4DF35CD80CB80

Function 000001F25ABED0E0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2715522869.000001F25ABE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F25ABE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25abe0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
Instruction ID: cab2004a2689af636979c9812c42feadb76c20edb9c50480d52c427c17b93cf5
Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
Instruction Fuzzy Hash: 7D51E43270079289FB20DB72E8517EEBBA1F7647D8F144224EE5927BA9DB78C401CB40

Function 000001F25ABF36F0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2715522869.000001F25ABE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F25ABE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25abe0000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
Instruction ID: 767de0c70f50164e58cc1f00a6955423746f0c22730054a5221f60f815c919c5
Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
Instruction Fuzzy Hash: FFF062B17153958EDBA88F28A8037BE77E1F308385FD0812AD68A83B14D23C9060CF04

Function 000001F25AC26218 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c307f67adb8aff98d3f095286b2b700dfcb55a183617c16c72d4ace8312b7d4
Instruction ID: 038cc99b61fe1a58f79dc842e8ffe6d2d7c0790616e2838ebdfb41b054369831
Opcode Fuzzy Hash: 7c307f67adb8aff98d3f095286b2b700dfcb55a183617c16c72d4ace8312b7d4
Instruction Fuzzy Hash:

Function 000001F25AC11628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001F25AC11633
HeapAlloc.KERNEL32 ref: 000001F25AC11642

Part of subcall function 000001F25AC11268: GetProcessHeap.KERNEL32 ref: 000001F25AC1126E
Part of subcall function 000001F25AC11268: HeapAlloc.KERNEL32 ref: 000001F25AC1127D
Part of subcall function 000001F25AC11268: GetProcessHeap.KERNEL32 ref: 000001F25AC11297
Part of subcall function 000001F25AC11268: HeapAlloc.KERNEL32 ref: 000001F25AC112A8

RegOpenKeyExW.ADVAPI32 ref: 000001F25AC116B2
RegOpenKeyExW.ADVAPI32 ref: 000001F25AC116DF
RegCloseKey.ADVAPI32 ref: 000001F25AC116F9
RegOpenKeyExW.ADVAPI32 ref: 000001F25AC11719
RegCloseKey.ADVAPI32 ref: 000001F25AC11734
RegOpenKeyExW.ADVAPI32 ref: 000001F25AC11754
RegCloseKey.ADVAPI32 ref: 000001F25AC1176F
RegOpenKeyExW.ADVAPI32 ref: 000001F25AC1178F
RegCloseKey.ADVAPI32 ref: 000001F25AC117AA
RegOpenKeyExW.ADVAPI32 ref: 000001F25AC117CA
RegCloseKey.ADVAPI32 ref: 000001F25AC117E5
RegOpenKeyExW.ADVAPI32 ref: 000001F25AC11805
RegCloseKey.ADVAPI32 ref: 000001F25AC11820
RegOpenKeyExW.ADVAPI32 ref: 000001F25AC11840
RegCloseKey.ADVAPI32 ref: 000001F25AC1185B
RegOpenKeyExW.ADVAPI32 ref: 000001F25AC1187B
RegCloseKey.ADVAPI32 ref: 000001F25AC11896
RegCloseKey.ADVAPI32 ref: 000001F25AC118A0

Part of subcall function 000001F25AC112BC: RegQueryInfoKeyW.ADVAPI32 ref: 000001F25AC11319
Part of subcall function 000001F25AC112BC: GetProcessHeap.KERNEL32 ref: 000001F25AC11327
Part of subcall function 000001F25AC112BC: HeapAlloc.KERNEL32 ref: 000001F25AC11338
Part of subcall function 000001F25AC112BC: RegEnumValueW.ADVAPI32 ref: 000001F25AC11397
Part of subcall function 000001F25AC112BC: GetProcessHeap.KERNEL32 ref: 000001F25AC113DF
Part of subcall function 000001F25AC112BC: HeapAlloc.KERNEL32 ref: 000001F25AC113ED
Part of subcall function 000001F25AC112BC: GetProcessHeap.KERNEL32 ref: 000001F25AC1140A
Part of subcall function 000001F25AC112BC: HeapFree.KERNEL32 ref: 000001F25AC11418
Part of subcall function 000001F25AC112BC: lstrlenW.KERNEL32 ref: 000001F25AC11421
Part of subcall function 000001F25AC112BC: GetProcessHeap.KERNEL32 ref: 000001F25AC1142F
Part of subcall function 000001F25AC112BC: HeapAlloc.KERNEL32 ref: 000001F25AC1143D

Strings

startup, xrefs: 000001F25AC116D5
udp, xrefs: 000001F25AC11874
service_names, xrefs: 000001F25AC117C3
tcp_local, xrefs: 000001F25AC117FE
SOFTWARE\dialerconfig, xrefs: 000001F25AC11692
pid, xrefs: 000001F25AC11712
process_names, xrefs: 000001F25AC1174D
tcp_remote, xrefs: 000001F25AC11839
paths, xrefs: 000001F25AC11788

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 8747f2a0371690a77fc4e7d7f74ad5a99c08b48c5666836459dce7354d599cd2
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 2C714DB6712B5286EB109F25E852AE933A4FB94F8AF001135DE8E53B39DF38C444CB54

Function 000001F25AC112BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001F25AC11319
GetProcessHeap.KERNEL32 ref: 000001F25AC11327
HeapAlloc.KERNEL32 ref: 000001F25AC11338
RegEnumValueW.ADVAPI32 ref: 000001F25AC11397

Part of subcall function 000001F25AC1152C: StrCmpIW.SHLWAPI ref: 000001F25AC1155D

GetProcessHeap.KERNEL32 ref: 000001F25AC113DF
HeapAlloc.KERNEL32 ref: 000001F25AC113ED
GetProcessHeap.KERNEL32 ref: 000001F25AC1140A
HeapFree.KERNEL32 ref: 000001F25AC11418
lstrlenW.KERNEL32 ref: 000001F25AC11421
GetProcessHeap.KERNEL32 ref: 000001F25AC1142F
HeapAlloc.KERNEL32 ref: 000001F25AC1143D
StrCpyW.SHLWAPI ref: 000001F25AC1145F
GetProcessHeap.KERNEL32 ref: 000001F25AC11476
HeapFree.KERNEL32 ref: 000001F25AC11484

Strings

d, xrefs: 000001F25AC1135A

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: 44487bf2d17a37d44878ef97f2e1b2cfd746a67cf1612522659d3b5bfdb207d4
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: E3514BB6201B8586EB54CF62E5493EAB7A1F789F9AF444134DE8A07768DF3CD049CB10

Function 000001F25AC11D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000001F25AC11D1F

Part of subcall function 000001F25AC11FD4: GetModuleHandleA.KERNEL32 ref: 000001F25AC11FEC
Part of subcall function 000001F25AC11FD4: GetProcAddress.KERNEL32 ref: 000001F25AC11FFD

Part of subcall function 000001F25AC15B30: GetCurrentThreadId.KERNEL32 ref: 000001F25AC15B6B

Strings

NtDeviceIoControlFile, xrefs: 000001F25AC11E56
advapi32.dll, xrefs: 000001F25AC11DF7, 000001F25AC11E18
NtQueryDirectoryFile, xrefs: 000001F25AC11D7F
sechost.dll, xrefs: 000001F25AC11E39
ntdll.dll, xrefs: 000001F25AC11D2D
NtQuerySystemInformation, xrefs: 000001F25AC11D45
NtQueryDirectoryFileEx, xrefs: 000001F25AC11D9C
NtEnumerateKey, xrefs: 000001F25AC11DB9
EnumServicesStatusExW, xrefs: 000001F25AC11E11, 000001F25AC11E32
EnumServiceGroupW, xrefs: 000001F25AC11DF0
NtResumeThread, xrefs: 000001F25AC11D62
NtEnumerateValueKey, xrefs: 000001F25AC11DD6

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: 2baf3473c1a282d5b7a1d90e640af3ec4ba63154d3530100ed64b32adac985f4
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: C83182F8222B4BA0FF05EB69E8636F46360BB64747F905033D44A12575DE78C249CBA0

Function 000001F25ABE6910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001F25ABE6938
__scrt_acquire_startup_lock.LIBCMT ref: 000001F25ABE698A
_RTC_Initialize.LIBCMT ref: 000001F25ABE69B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001F25ABE69DE
__scrt_release_startup_lock.LIBCMT ref: 000001F25ABE6A09

Strings

`dynamic initializer for ', xrefs: 000001F25ABE69C7
`eh vector copy constructor iterator', xrefs: 000001F25ABE6A3B
`eh vector vbase copy constructor iterator', xrefs: 000001F25ABE69EE
scriptor', xrefs: 000001F25ABE6B39, 000001F25ABE6BB2, 000001F25ABE6BEC

Memory Dump Source

Source File: 00000004.00000002.2715522869.000001F25ABE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F25ABE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25abe0000_WmiPrvSE.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 99a44772c745fba8234e98babaf613cc9e19d8c1bd81c4d56ac4e50a6b926959
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 9181C271A0034386FA549B25A8733FDE2A0EBB5780F588135EA45437B7EB39C9459F80

Function 000001F25AC1CE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 000001F25AC1CE37
FlsGetValue.KERNEL32(?,?,?,000001F25AC20A6B,?,?,?,000001F25AC2045C,?,?,?,000001F25AC1C84F), ref: 000001F25AC1CE4C
FlsSetValue.KERNEL32(?,?,?,000001F25AC20A6B,?,?,?,000001F25AC2045C,?,?,?,000001F25AC1C84F), ref: 000001F25AC1CE6D
FlsSetValue.KERNEL32(?,?,?,000001F25AC20A6B,?,?,?,000001F25AC2045C,?,?,?,000001F25AC1C84F), ref: 000001F25AC1CE9A
FlsSetValue.KERNEL32(?,?,?,000001F25AC20A6B,?,?,?,000001F25AC2045C,?,?,?,000001F25AC1C84F), ref: 000001F25AC1CEAB
FlsSetValue.KERNEL32(?,?,?,000001F25AC20A6B,?,?,?,000001F25AC2045C,?,?,?,000001F25AC1C84F), ref: 000001F25AC1CEBC
SetLastError.KERNEL32 ref: 000001F25AC1CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001F25AC20A6B,?,?,?,000001F25AC2045C,?,?,?,000001F25AC1C84F), ref: 000001F25AC1CF0D
FlsSetValue.KERNEL32(?,?,00000001,000001F25AC1ECCC,?,?,?,?,000001F25AC1BF9F,?,?,?,?,?,000001F25AC17AB0), ref: 000001F25AC1CF2C

Part of subcall function 000001F25AC1D6CC: HeapAlloc.KERNEL32 ref: 000001F25AC1D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F25AC20A6B,?,?,?,000001F25AC2045C,?,?,?,000001F25AC1C84F), ref: 000001F25AC1CF54

Part of subcall function 000001F25AC1D744: HeapFree.KERNEL32 ref: 000001F25AC1D75A
Part of subcall function 000001F25AC1D744: GetLastError.KERNEL32 ref: 000001F25AC1D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F25AC20A6B,?,?,?,000001F25AC2045C,?,?,?,000001F25AC1C84F), ref: 000001F25AC1CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F25AC20A6B,?,?,?,000001F25AC2045C,?,?,?,000001F25AC1C84F), ref: 000001F25AC1CF76

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 457ab694039689bc5f41a149c40a94b1d3e21910beec71ba5cdd43e388265465
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: 4E4178F434B74686FF69A72156533F922829FA47B6F140B39F836066F6DE38C4018E80

Function 000001F25AC12244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001F25AC12259
GetCurrentProcessId.KERNEL32 ref: 000001F25AC12263

Part of subcall function 000001F25AC11934: OpenProcess.KERNEL32 ref: 000001F25AC11952
Part of subcall function 000001F25AC11934: IsWow64Process.KERNEL32 ref: 000001F25AC11968
Part of subcall function 000001F25AC11934: CloseHandle.KERNEL32 ref: 000001F25AC11983

CreateFileW.KERNEL32 ref: 000001F25AC122BC
WriteFile.KERNEL32 ref: 000001F25AC122E4
ReadFile.KERNEL32 ref: 000001F25AC12303
CloseHandle.KERNEL32 ref: 000001F25AC1230C

Strings

\\.\pipe\dialerchildproc32, xrefs: 000001F25AC12293
\\.\pipe\dialerchildproc64, xrefs: 000001F25AC1228C

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: aaad45d32278e1fcd4293fc071e181c1316f29c19e6c1de69210ed697df96d13
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: E2214FB661574182FB10CB25F4453E973A0F799BA6F504225EA9A03BB8DF7CC149CF14

Function 000001F25AC1A544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001F25AC1A5A1

Part of subcall function 000001F25AC1B414: __GetUnwindTryBlock.LIBCMT ref: 000001F25AC1B457
Part of subcall function 000001F25AC1B414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001F25AC1B47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001F25AC1A679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001F25AC1A8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001F25AC1A9DA

Strings

csm, xrefs: 000001F25AC1A5BB
csm, xrefs: 000001F25AC1A69C
csm, xrefs: 000001F25AC1A622

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: 30d69c952fc10e7c3ad2f3721269882f0a84359867364551a5cf64d635c965f2
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 28E1D2B6702B418AEB60DF25E4823ED77A0F765B99F400125EE8957BAACB34C191CF00

Function 000001F25ABE9944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001F25ABE99A1

Part of subcall function 000001F25ABEA814: __GetUnwindTryBlock.LIBCMT ref: 000001F25ABEA857
Part of subcall function 000001F25ABEA814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001F25ABEA87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001F25ABE9A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001F25ABE9CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001F25ABE9DDA

Strings

csm, xrefs: 000001F25ABE99BB
csm, xrefs: 000001F25ABE9A9C
csm, xrefs: 000001F25ABE9A22

Memory Dump Source

Source File: 00000004.00000002.2715522869.000001F25ABE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F25ABE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25abe0000_WmiPrvSE.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: e8272fbee83594070a147f04450ddc92ea050cd817ec06975d5758abc9df6a6e
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: DFE1D472604B828AEF60DF65D4923FDFBA0F765798F005125EE8957BA5CB34C0A5CB80

Function 000001F25AC1F394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32 ref: 000001F25AC1F510
GetProcAddress.KERNEL32 ref: 000001F25AC1F51C

Strings

api-ms-, xrefs: 000001F25AC1F45A
ext-ms-, xrefs: 000001F25AC1F46D

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: 5bd9df6a575aafdd3790891c3df441d96f47c28fb7533f5038b02c3f04e74957
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: 6441D6B2317B0291FB16CB26A8067F52391FB69BE1F058136DD0E877A4EE3CC4458B94

Function 000001F25AC1104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001F25AC110B1
RegEnumValueW.ADVAPI32 ref: 000001F25AC11117
GetProcessHeap.KERNEL32 ref: 000001F25AC1115A
HeapAlloc.KERNEL32 ref: 000001F25AC11168
GetProcessHeap.KERNEL32 ref: 000001F25AC11185
HeapFree.KERNEL32 ref: 000001F25AC11193

Strings

d, xrefs: 000001F25AC110D6

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: 51e5d029c77fb4b27982b57958b8b2e420f9997c3e25a14572519bd52a8f04e5
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: 3C417C73215B85C6E760CF21E4457EEB7A1F388B99F148129DA8A07B68DF3CD589CB00

Function 000001F25AC1D068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000001F25AC1C7DE,?,?,?,?,?,?,?,?,000001F25AC1CF9D,?,?,00000001), ref: 000001F25AC1D087
FlsSetValue.KERNEL32(?,?,?,000001F25AC1C7DE,?,?,?,?,?,?,?,?,000001F25AC1CF9D,?,?,00000001), ref: 000001F25AC1D0A6
FlsSetValue.KERNEL32(?,?,?,000001F25AC1C7DE,?,?,?,?,?,?,?,?,000001F25AC1CF9D,?,?,00000001), ref: 000001F25AC1D0CE
FlsSetValue.KERNEL32(?,?,?,000001F25AC1C7DE,?,?,?,?,?,?,?,?,000001F25AC1CF9D,?,?,00000001), ref: 000001F25AC1D0DF
FlsSetValue.KERNEL32(?,?,?,000001F25AC1C7DE,?,?,?,?,?,?,?,?,000001F25AC1CF9D,?,?,00000001), ref: 000001F25AC1D0F0

Strings

1%, xrefs: 000001F25AC1D0CE
Y%, xrefs: 000001F25AC1D0A6

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: 980368528156e16a590b22096f4fc986cc702a76797486e0bacc7a7aeadd7dcb
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: 1A1160F0707B4645FB6AA7356A533F962819B647F2F644336E839467FADE38C4028E10

Function 000001F25AC17510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001F25AC17538
__scrt_acquire_startup_lock.LIBCMT ref: 000001F25AC1758A
_RTC_Initialize.LIBCMT ref: 000001F25AC175B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001F25AC175DE
__scrt_release_startup_lock.LIBCMT ref: 000001F25AC17609

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 428be417b2f5c1c88944349812e08768f3d457f15b7609cee00137f885508621
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 8981F6F4B133438AFB50AB2998433F922D0EBA5B87F548435E949577B6EB38C8458F10

Function 000001F25AC19DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000001F25AC19E49
GetLastError.KERNEL32 ref: 000001F25AC19E57
LoadLibraryExW.KERNEL32 ref: 000001F25AC19E81
FreeLibrary.KERNEL32 ref: 000001F25AC19EC7
GetProcAddress.KERNEL32 ref: 000001F25AC19ED3

Strings

api-ms-, xrefs: 000001F25AC19E69

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 4867e9233a06017649c6c93c9fcad84a3e5deea1ef130c0c87a885ec9945dca6
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 0C31A271313B42A1EF22DB42E402BF56294FF58BA2F590535DD6E0B7A4EF39C4558B10

Function 000001F25AC23DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001F25AC23DE5
GetLastError.KERNEL32 ref: 000001F25AC23DF1
CloseHandle.KERNEL32 ref: 000001F25AC23E09
CreateFileW.KERNEL32 ref: 000001F25AC23E34
WriteConsoleW.KERNEL32 ref: 000001F25AC23E53

Strings

CONOUT$, xrefs: 000001F25AC23E15

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: d40c03af0ab42ccbc6f4d52230912420c712a44424eaf95c9873cddf83576fbc
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 4F119871321B8186F7508B52E8453E977A0FB88FE6F044235EA9E877B4CF78C4148B44

Function 000001F25AC13790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001F25AC1379E
GetCurrentProcess.KERNEL32 ref: 000001F25AC137CC
VirtualProtectEx.KERNEL32 ref: 000001F25AC137EE
GetCurrentProcess.KERNEL32 ref: 000001F25AC13809
VirtualProtectEx.KERNEL32 ref: 000001F25AC1382A

Strings

wr, xrefs: 000001F25AC137FF

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 019858d06fe0c9e4ba7c713d179d9d20c09148fa911e0fac336a2868811072d4
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 04115E7A706782C2FF549B11E4092F962A0FB88F86F444039DE8907764EF3DC505CB14

Function 000001F25AC15B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001F25AC15B6B
GetThreadContext.KERNEL32 ref: 000001F25AC15CD5

Part of subcall function 000001F25AC15960: GetCurrentThreadId.KERNEL32 ref: 000001F25AC15964

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: 5e877b8cada541d119fa68745e7f315084cc4b0e61b990304c59b648bb0fce19
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: 24D198B6216B8985DB70DB0AE4913EA77A0F798B85F100126EA8D47BB5DF3CC551CF40

Function 000001F25AC12F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F25AC12F27
HeapAlloc.KERNEL32 ref: 000001F25AC12F3A
StrCmpNIW.SHLWAPI ref: 000001F25AC12FAF
GetProcessHeap.KERNEL32 ref: 000001F25AC13015
HeapFree.KERNEL32 ref: 000001F25AC13023

Strings

dialer, xrefs: 000001F25AC12FA8

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 105a8e926858c6104e0e52754ec573f93a2939de935bd8cfa7cd827c9f04161c
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: 5431B0B6702B6682EB54CF16E5427F967A0FB64B86F084034DE8947B75EF38D4A18F40

Function 000001F25AC1CFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001F25AC1CFAF
FlsSetValue.KERNEL32(?,?,?,000001F25AC1D6B5,?,?,?,?,000001F25AC1D778), ref: 000001F25AC1CFE5
FlsSetValue.KERNEL32(?,?,?,000001F25AC1D6B5,?,?,?,?,000001F25AC1D778), ref: 000001F25AC1D012
FlsSetValue.KERNEL32(?,?,?,000001F25AC1D6B5,?,?,?,?,000001F25AC1D778), ref: 000001F25AC1D023
FlsSetValue.KERNEL32(?,?,?,000001F25AC1D6B5,?,?,?,?,000001F25AC1D778), ref: 000001F25AC1D034
SetLastError.KERNEL32 ref: 000001F25AC1D04F

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 3966b10216d6702cdd40c491cd4c4c388c5c00da74342e64e6bc2ab1681c0977
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: A5116DF4347B8281FB65A72556473F92282ABA47B6F144735E836477FADE38C4018E50

Function 000001F25AC1199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001F25AC119C2
K32GetModuleFileNameExW.KERNEL32 ref: 000001F25AC119E0
PathFindFileNameW.SHLWAPI ref: 000001F25AC119EF
lstrlenW.KERNEL32 ref: 000001F25AC119FB
StrCpyW.SHLWAPI ref: 000001F25AC11A0E
CloseHandle.KERNEL32 ref: 000001F25AC11A1C

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: df366813fd4bf199540d1d0b45f2f72c4d0e8e02a91ca0afb0c1090cb3b72350
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 22018071301B8282EB20DB52A4493E963A1FB88FC2F484035DE8953764DF3CC949CB10

Function 000001F25AC136C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001F25AC136E4
GetCurrentProcess.KERNEL32 ref: 000001F25AC136F2
VirtualProtectEx.KERNEL32 ref: 000001F25AC13714
GetCurrentProcess.KERNEL32 ref: 000001F25AC13732
VirtualProtectEx.KERNEL32 ref: 000001F25AC13753
TerminateThread.KERNEL32 ref: 000001F25AC13762

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 46e086a92a1fa4ce55abfdac8701b6d05638ccb989304861ffdef2c2a0965687
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 1B0109B5712742C2EF649B22E80A7E562A0FB59B87F040435CD8907774EF3DC518CB58

Function 000001F25AC19005 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F25AC19013
_IsNonwritableInCurrentImage.LIBCMT ref: 000001F25AC190A8
RtlUnwindEx.NTDLL ref: 000001F25AC190F7

Strings

f, xrefs: 000001F25AC19026
csm, xrefs: 000001F25AC1908E

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 5b3739ea8b44c391d5617d850d362c8c6b21aa4928227f7ef04dbcd45d0817de
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 8051B2B270270286EB14DB25E449BF937A6F365B8AF248134DA474B7A8DB75D981CB00

Function 000001F25AC18FE8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F25AC19013
_IsNonwritableInCurrentImage.LIBCMT ref: 000001F25AC190A8
RtlUnwindEx.NTDLL ref: 000001F25AC190F7

Strings

f, xrefs: 000001F25AC19026
csm, xrefs: 000001F25AC1908E

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 86528b9ddde4e3d28a5aa57217bc02927d9f5c519c08badfa1ddcc117702de6c
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: F531D1B230274186EB14DF21E84A7E937A5F754B8AF158134EE870B7A9DB39C980CF04

Function 000001F25AC11A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001F25AC11A60
StrCmpNIW.SHLWAPI ref: 000001F25AC11A7A
lstrlenW.KERNEL32 ref: 000001F25AC11A89
StrCpyW.SHLWAPI ref: 000001F25AC11A9E

Strings

\\?\, xrefs: 000001F25AC11A6E

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: d837ef00e8140d65635d00cadd9ce36594e5890f442382e2457a4e285c50c981
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: E8F044B230578292E7708B25F8957E967A0FB58B89F944034DA8946668DF3CC64DCF10

Function 000001F25AC1BC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001F25AC1BCBD
GetProcAddress.KERNEL32 ref: 000001F25AC1BCD3
FreeLibrary.KERNEL32 ref: 000001F25AC1BCFA

Strings

mscoree.dll, xrefs: 000001F25AC1BCB4
CorExitProcess, xrefs: 000001F25AC1BCCC

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: ef96ee661185b43db184760fbb7d3a255d8253ef8dceca76e680631b59addd60
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 74F062B531374681EB148F24E4563F96320EF98F62F540229CAAA452F4CF3CC4458F50

Function 000001F25AC13044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000001F25AC13066
StrCpyW.SHLWAPI ref: 000001F25AC13076
StrCatW.SHLWAPI ref: 000001F25AC13082
PathCombineW.SHLWAPI ref: 000001F25AC13090

Strings

\\.\pipe\, xrefs: 000001F25AC1305C

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 2c6b9e16aa8a4862722512b983d26a3c64f0ea8c99c0ac3ea8cddd48cd5b7781
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 3DF05EB0705BC282EB508B16B9051E96260EB48FD2F044030EE8A07B28DE38C4558B10

Function 000001F25AC150D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001F25AC15156

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: 4799d1e9d946063c781ec813a0242a1478f8623b31cade9c313a778f328b0ead
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: BD02CB7661AB8586EB60CB55F4913AAB7A0F3D5795F104026EA8E87BA8DF7CC444CF00

Function 000001F25AC15710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001F25AC15726

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: 185170800f5139d11ce8f46aa6f7d9bbd2c2861ab7d0332f96fc85eb1ca80752
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: B961DEB662AB45C6EB60CB15E5563EA77E0F398786F100126EA8D47BB8DB7CC440CF44

Function 000001F25AC24104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001F25AC2412C
_set_statfp.LIBCMT ref: 000001F25AC24147
_set_statfp.LIBCMT ref: 000001F25AC24163
_set_statfp.LIBCMT ref: 000001F25AC2419F

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 1d691a782f6052caadb7698eb294b230c3fb3f16997f331f6b85acb1648d6a2b
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 3711A3B6A92F5313F7641568D7533F521416F78BBAF0806B4EBF6476F6CA34C8414A00

Function 000001F25ABF3504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001F25ABF352C
_set_statfp.LIBCMT ref: 000001F25ABF3547
_set_statfp.LIBCMT ref: 000001F25ABF3563
_set_statfp.LIBCMT ref: 000001F25ABF359F

Memory Dump Source

Source File: 00000004.00000002.2715522869.000001F25ABE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F25ABE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25abe0000_WmiPrvSE.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 0673c7913c41ab504ac798730d60cbfc7e0bc0441d8170ee908fb41f6327d9f6
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 18117032A14B5311FBA41568E47B3FD21816BF8374F4C8738EA76066FACA38C8455A90

Function 000001F25ABEF040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001F25ABEF124

Strings

or copy constructor iterator', xrefs: 000001F25ABEF25A, 000001F25ABEF275
Wednesday, xrefs: 000001F25ABEF1ED
Tuesday, xrefs: 000001F25ABEF0F4

Memory Dump Source

Source File: 00000004.00000002.2715522869.000001F25ABE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F25ABE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25abe0000_WmiPrvSE.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: d71e18a9ed3bc932a8e88819b091ad8074af59ff7fd2fc5c206d3f868bb37412
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 4761DE7260134782FA698B78E5633FEEBA0F7A1780F558535DA0A077B5DB34C8419F81

Function 000001F25AC1AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001F25AC1AA68
_CallSETranslator.LIBVCRUNTIME ref: 000001F25AC1AAB7

Strings

RCC, xrefs: 000001F25AC1AA85
MOC, xrefs: 000001F25AC1AA7C

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 0407bc0149d740d5dca4c096481f2e4ecfea53a8e579a612c7294964cbab6749
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 2E619DB3702B858AEB20DF65E4813ED77A0F364B89F044225EF4917BA8DB38C595CB40

Function 000001F25AC1AD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F25AC1ADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001F25AC1AE88

Strings

csm, xrefs: 000001F25AC1ADC2
csm, xrefs: 000001F25AC1AEDA

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: adf02e9b8f4f3a7e5be393d2a9798408e9495e7d767d963da57a6f2e39513acd
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 7551C1B2302782CAEB748F15A4863F977A0F764B96F144135DA9987BE5CB38C461CF40

Function 000001F25ABEA178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F25ABEA1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001F25ABEA288

Strings

csm, xrefs: 000001F25ABEA1C2
csm, xrefs: 000001F25ABEA2DA

Memory Dump Source

Source File: 00000004.00000002.2715522869.000001F25ABE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F25ABE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25abe0000_WmiPrvSE.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: ba3c91d1af46fc15e9bfbd494829ef0eb278aeb04668bb0f47fb30f89ad2e456
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 9851B472100382CAEB748F15A5663FCF7A9F765B86F184229DA4947BE5CB38D450CF81

Function 000001F25ABE8405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F25ABE8413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001F25ABE84A8

Strings

f, xrefs: 000001F25ABE8426
csm, xrefs: 000001F25ABE848E

Memory Dump Source

Source File: 00000004.00000002.2715522869.000001F25ABE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F25ABE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25abe0000_WmiPrvSE.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: af64572985c778f6f8edd6b253f4bfa39babfdad03c8f31f5e80dbe3edc26bde
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 5851D132B01B028AEB14CF65E465BF8BBE5F364B98F558134DA16437A8EB34CD408F84

Function 000001F25ABE83E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F25ABE8413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001F25ABE84A8

Strings

f, xrefs: 000001F25ABE8426
csm, xrefs: 000001F25ABE848E

Memory Dump Source

Source File: 00000004.00000002.2715522869.000001F25ABE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F25ABE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25abe0000_WmiPrvSE.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 3572f3f9855132851bcae0ae3c01b8d0391b81f2fe3d3f5299b7568102190ae9
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 0D31B332A01B42C6E714DF51E8567E9BBA4F360B88F058124EE5703764DF38C940CF84

Function 000001F25AC22058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001F25AC220D7
WriteFile.KERNEL32 ref: 000001F25AC2239F
WriteFile.KERNEL32 ref: 000001F25AC223E5
GetLastError.KERNEL32 ref: 000001F25AC2249B

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: d481f86a8b4eff2b7f59ed4c4edde728d35d4383d28d650e38326dd8f61e2504
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: C8D113B2716B8189E711CF79D4413EC3BB5FB54B99F004226DE9AA7BA9DE34C406CB40

Function 000001F25AC114A4 Relevance: 6.3, APIs: 5, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F25AC114C5
HeapFree.KERNEL32 ref: 000001F25AC114D4
GetProcessHeap.KERNEL32 ref: 000001F25AC114E1
HeapFree.KERNEL32 ref: 000001F25AC114F0
GetProcessHeap.KERNEL32 ref: 000001F25AC11500

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction ID: 2869bb432136b9d3327e3b1c3724cfb83253419823f41602c97ed7a3287a8124
Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction Fuzzy Hash: 36015A72602BD1C6E704DF66E9052EA77A0FB88F82F044435EA8A43729DE38D051CB50

Function 000001F25AC22980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000001F25AC22A9C
GetLastError.KERNEL32 ref: 000001F25AC22B27

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: a69795d3a190e9ca07845f365043ada29f6f491ef73eda122b202ffb43716d34
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: 4991D4B271275285FB60DF6594823FD3BA0FB54F8AF544129DE8B67AA5DB34C482CB00

Function 000001F25AC1253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001F25AC12620
StrCpyW.SHLWAPI ref: 000001F25AC12639

Strings

\\.\pipe\, xrefs: 000001F25AC1262B

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 4589a0427296e6b4acec542e07d10472f7ab9376eef62307a20146c8cc833505
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: 5171F3FA30178286E764DF25E8463FA67E4F3A9B86F440036DD0A53BA9DE34C645CB40

Function 000001F25ABE9E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001F25ABE9EB7

Strings

MOC, xrefs: 000001F25ABE9E7C
RCC, xrefs: 000001F25ABE9E85

Memory Dump Source

Source File: 00000004.00000002.2715522869.000001F25ABE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F25ABE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25abe0000_WmiPrvSE.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 210b7faafa2b8d5f4cca5ab7e19a64415fc48ef23ec1327bf0c41eb49f480b75
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 8A618173600B858AEB20DF65D4513EDBBA0F764B8CF044225EF5917BA9DB38D199CB80

Function 000001F25AC12330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001F25AC12416
StrCpyW.SHLWAPI ref: 000001F25AC1242D

Strings

\\.\pipe\, xrefs: 000001F25AC12421

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 49cf16f581be4b6ea9d5290ef161cc90c2b96fce7f2b17ee43c50c1a3d240e0b
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: B35105BA30A38381EB74DF29A0993FA6B91F3A5785F440135DE4A03B69DE39C505CF40

Function 000001F25AC226F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001F25AC22807
GetLastError.KERNEL32 ref: 000001F25AC22829

Strings

U, xrefs: 000001F25AC227B3

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 78fe206aba8bc95456a8ecce5536930e9fb3e6b8ac035441be031a580420a156
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 504180B2716B8186DB20DF25E8453E967A0F798B95F504131EE8E877A4EB7CC441CB40

Function 000001F25AC194A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001F25AC194F0
RaiseException.KERNEL32 ref: 000001F25AC19531

Strings

csm, xrefs: 000001F25AC1951E

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 6d7d2184d27b0bf8c4f967ace01d9b3023c94cbbc778d1773337999c69738096
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 55113A72215B8182EB618F15F4403A9B7E5FB98B99F584220EECD0BB68DF3CC551CB00

Function 000001F25ABE7356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001F25ABE737C

Strings

riptor at (, xrefs: 000001F25ABE7364
ierarchy Descriptor', xrefs: 000001F25ABE7381

Memory Dump Source

Source File: 00000004.00000002.2715522869.000001F25ABE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F25ABE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25abe0000_WmiPrvSE.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 573184f44bff6f3094fcae08121c463bafcf0f2fecbdafd10e4f02422fb9a4b9
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 39E08671A40B4990DF058F61E8912E873A0DB68B64F49D232D95C06321FA38D2E9C740

Function 000001F25ABE73B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001F25ABE73D8

Strings

riptor at (, xrefs: 000001F25ABE73C0
Locator', xrefs: 000001F25ABE73DD

Memory Dump Source

Source File: 00000004.00000002.2715522869.000001F25ABE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F25ABE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25abe0000_WmiPrvSE.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 8b16402c884d85f074bbb506b35bef820a6f43b5749e65aee9ed47699c8a01ad
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 67E08671A00B4980DF058F61D8911E87360E768B54B88D232C94C06361EA38D2E5C740

Function 000001F25AC11BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F25AC11C2D
HeapAlloc.KERNEL32 ref: 000001F25AC11C3B
GetProcessHeap.KERNEL32 ref: 000001F25AC11C77
HeapFree.KERNEL32 ref: 000001F25AC11C85

Part of subcall function 000001F25AC1152C: StrCmpIW.SHLWAPI ref: 000001F25AC1155D

Memory Dump Source

Source File: 00000004.00000002.2716327273.000001F25AC10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F25AC10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f25ac10000_WmiPrvSE.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: 2e679a9bb57fba7a18322b14e340956810b76268a8967cf3235ce18482be909e
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: 12116D75702B8681EB04DB66A4162F963E1FB89FC2F184038DE8D43775DF38D4828B00

Analysis Process: dialer.exePID: 7188, Parent PID: 7660COMMON

Execution Graph

Execution Coverage:	46.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	38.1%
Total number of Nodes:	226
Total number of Limit Nodes:	24

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000000014000226C Relevance: 61.4, APIs: 27, Strings: 8, Instructions: 165
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140001F2C: StrCpyW.SHLWAPI ref: 0000000140001F5D
Part of subcall function 0000000140001F2C: StrCatW.SHLWAPI ref: 0000000140001F6B
Part of subcall function 0000000140001F2C: GetModuleHandleW.KERNEL32 ref: 0000000140001F74
Part of subcall function 0000000140001F2C: GetCurrentProcess.KERNEL32 ref: 0000000140001F94
Part of subcall function 0000000140001F2C: K32GetModuleInformation.KERNEL32 ref: 0000000140001FA8
Part of subcall function 0000000140001F2C: CreateFileW.KERNELBASE ref: 0000000140001FD8
Part of subcall function 0000000140001F2C: CreateFileMappingW.KERNELBASE ref: 0000000140002002
Part of subcall function 0000000140001F2C: MapViewOfFile.KERNELBASE ref: 0000000140002025
Part of subcall function 0000000140001F2C: lstrcmpiA.KERNEL32 ref: 000000014000207B
Part of subcall function 0000000140001F2C: CloseHandle.KERNELBASE ref: 00000001400020E7
Part of subcall function 0000000140001F2C: CloseHandle.KERNEL32 ref: 00000001400020F0
Part of subcall function 0000000140001F2C: FreeLibrary.KERNEL32 ref: 00000001400020F9

Part of subcall function 0000000140001F2C: VirtualProtect.KERNELBASE ref: 00000001400020AE
Part of subcall function 0000000140001F2C: VirtualProtect.KERNELBASE ref: 00000001400020DE

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
GetLastError.KERNEL32 ref: 0000000140002312
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
LocalFree.KERNEL32 ref: 0000000140002408
RegCreateKeyExW.KERNELBASE ref: 000000014000243E
GetCurrentProcessId.KERNEL32 ref: 0000000140002448
RegSetValueExW.KERNELBASE ref: 000000014000246F
RegCloseKey.KERNELBASE ref: 0000000140002479
RegCloseKey.ADVAPI32 ref: 0000000140002483
CreateThread.KERNELBASE ref: 00000001400024A4
GetProcessHeap.KERNEL32 ref: 00000001400024AA
HeapAlloc.KERNEL32 ref: 00000001400024B9
CreateThread.KERNELBASE ref: 00000001400024E8
CreateThread.KERNELBASE ref: 0000000140002509
SleepEx.KERNELBASE ref: 0000000140002511

Strings

ntdll.dll, xrefs: 0000000140002277
DLL, xrefs: 0000000140002321
D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 00000001400023DE
svc64, xrefs: 0000000140002452
pid, xrefs: 000000014000241B
kernel32.dll, xrefs: 0000000140002283
SOFTWARE\dialerconfig, xrefs: 0000000140002399
SeDebugPrivilege, xrefs: 00000001400022C9

Memory Dump Source

Source File: 00000012.00000002.2699880993.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000012.00000002.2699339853.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700447688.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700966930.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_140000000_dialer.jbxd

Similarity

API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
API String ID: 4177739653-1130149537
Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740

Function 00000001400010C0 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 257
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400018AC: OpenProcess.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018CA
Part of subcall function 00000001400018AC: IsWow64Process.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018E0
Part of subcall function 00000001400018AC: CloseHandle.KERNELBASE(?,?,?,000000014000110E), ref: 00000001400018FB

OpenProcess.KERNEL32 ref: 000000014000112C
OpenProcess.KERNEL32 ref: 000000014000114B
K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001170
PathFindFileNameW.SHLWAPI ref: 000000014000117E
lstrlenW.KERNEL32 ref: 000000014000118A
StrCpyW.SHLWAPI ref: 00000001400011A1
CloseHandle.KERNEL32 ref: 00000001400011AD
StrCmpIW.SHLWAPI ref: 00000001400011E2
NtQueryInformationProcess.NTDLL ref: 0000000140001216
OpenProcessToken.ADVAPI32 ref: 0000000140001240
GetTokenInformation.KERNELBASE ref: 000000014000126C
GetLastError.KERNEL32 ref: 0000000140001276
LocalAlloc.KERNEL32 ref: 0000000140001289
GetTokenInformation.KERNELBASE ref: 00000001400012B5
GetSidSubAuthorityCount.ADVAPI32 ref: 00000001400012C2
GetSidSubAuthority.ADVAPI32 ref: 00000001400012D1
LocalFree.KERNEL32 ref: 00000001400012E9
CloseHandle.KERNEL32 ref: 00000001400012FD
StrStrA.SHLWAPI ref: 00000001400013A7
VirtualAllocEx.KERNELBASE ref: 000000014000140E
WriteProcessMemory.KERNELBASE ref: 0000000140001431
WaitForSingleObject.KERNEL32 ref: 000000014000147D
GetExitCodeThread.KERNEL32 ref: 0000000140001493
CloseHandle.KERNELBASE ref: 00000001400014AB
CloseHandle.KERNEL32 ref: 00000001400014B4

Strings

dialer.exe, xrefs: 00000001400011CC
MSBuild.exe, xrefs: 00000001400011B8
ReflectiveDllMain, xrefs: 000000014000139D
@, xrefs: 0000000140001401

Memory Dump Source

Source File: 00000012.00000002.2699880993.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000012.00000002.2699339853.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700447688.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700966930.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_140000000_dialer.jbxd

Similarity

API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
API String ID: 2561231171-3753927220
Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

Function 00000001400014D8 Relevance: 19.6, APIs: 13, Instructions: 130
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000000014000150B
HeapAlloc.KERNEL32 ref: 000000014000151E
GetProcessHeap.KERNEL32 ref: 000000014000152C
HeapAlloc.KERNEL32 ref: 000000014000153D
K32EnumProcesses.KERNEL32 ref: 0000000140001557
OpenProcess.KERNEL32 ref: 0000000140001585
K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
ReadProcessMemory.KERNELBASE ref: 00000001400015E1
CloseHandle.KERNELBASE ref: 000000014000161D
GetProcessHeap.KERNEL32 ref: 000000014000162F
HeapFree.KERNEL32 ref: 000000014000163D
GetProcessHeap.KERNEL32 ref: 0000000140001643
HeapFree.KERNEL32 ref: 0000000140001651

Memory Dump Source

Source File: 00000012.00000002.2699880993.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000012.00000002.2699339853.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700447688.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700966930.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_140000000_dialer.jbxd

Similarity

API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
String ID:
API String ID: 4084875642-0
Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

Function 0000000140001B54 Relevance: 9.1, APIs: 6, Instructions: 82
memorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 0000000140001BA3
SetEntriesInAclW.ADVAPI32 ref: 0000000140001BEB
LocalAlloc.KERNEL32 ref: 0000000140001BFB
InitializeSecurityDescriptor.ADVAPI32 ref: 0000000140001C0F
SetSecurityDescriptorDacl.ADVAPI32 ref: 0000000140001C26
CreateNamedPipeW.KERNELBASE ref: 0000000140001C67

Memory Dump Source

Source File: 00000012.00000002.2699880993.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000012.00000002.2699339853.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700447688.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700966930.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_140000000_dialer.jbxd

Similarity

API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
String ID:
API String ID: 3197395349-0
Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

Function 0000000140001F2C Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 124
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCpyW.SHLWAPI ref: 0000000140001F5D
StrCatW.SHLWAPI ref: 0000000140001F6B
GetModuleHandleW.KERNEL32 ref: 0000000140001F74
GetCurrentProcess.KERNEL32 ref: 0000000140001F94
K32GetModuleInformation.KERNEL32 ref: 0000000140001FA8
CreateFileW.KERNELBASE ref: 0000000140001FD8
CreateFileMappingW.KERNELBASE ref: 0000000140002002
MapViewOfFile.KERNELBASE ref: 0000000140002025
lstrcmpiA.KERNEL32 ref: 000000014000207B
VirtualProtect.KERNELBASE ref: 00000001400020AE
VirtualProtect.KERNELBASE ref: 00000001400020DE
CloseHandle.KERNELBASE ref: 00000001400020E7
CloseHandle.KERNEL32 ref: 00000001400020F0
FreeLibrary.KERNEL32 ref: 00000001400020F9

Strings

.text, xrefs: 0000000140002074
C:\Windows\System32\, xrefs: 0000000140001F4F

Memory Dump Source

Source File: 00000012.00000002.2699880993.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000012.00000002.2699339853.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700447688.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700966930.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_140000000_dialer.jbxd

Similarity

API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
String ID: .text$C:\Windows\System32\
API String ID: 2721474350-832442975
Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

Function 0000000140002BF8 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
sleepfilepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140001B54: AllocateAndInitializeSid.ADVAPI32 ref: 0000000140001BA3
Part of subcall function 0000000140001B54: SetEntriesInAclW.ADVAPI32 ref: 0000000140001BEB
Part of subcall function 0000000140001B54: LocalAlloc.KERNEL32 ref: 0000000140001BFB
Part of subcall function 0000000140001B54: InitializeSecurityDescriptor.ADVAPI32 ref: 0000000140001C0F
Part of subcall function 0000000140001B54: SetSecurityDescriptorDacl.ADVAPI32 ref: 0000000140001C26
Part of subcall function 0000000140001B54: CreateNamedPipeW.KERNELBASE ref: 0000000140001C67

Sleep.KERNEL32 ref: 0000000140002C1D
ConnectNamedPipe.KERNELBASE ref: 0000000140002C2A
ReadFile.KERNELBASE ref: 0000000140002C4D
WriteFile.KERNEL32 ref: 0000000140002C7B
Sleep.KERNEL32 ref: 0000000140002C88
DisconnectNamedPipe.KERNELBASE ref: 0000000140002C91

Strings

\\.\pipe\dialerchildproc64, xrefs: 0000000140002C05
M, xrefs: 0000000140002C6E

Memory Dump Source

Source File: 00000012.00000002.2699880993.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000012.00000002.2699339853.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700447688.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700966930.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_140000000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
String ID: M$\\.\pipe\dialerchildproc64
API String ID: 2203880229-3489460547
Opcode ID: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
Opcode Fuzzy Hash: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

Function 00000001400021D0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
sleeppipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140001B54: AllocateAndInitializeSid.ADVAPI32 ref: 0000000140001BA3
Part of subcall function 0000000140001B54: SetEntriesInAclW.ADVAPI32 ref: 0000000140001BEB
Part of subcall function 0000000140001B54: LocalAlloc.KERNEL32 ref: 0000000140001BFB
Part of subcall function 0000000140001B54: InitializeSecurityDescriptor.ADVAPI32 ref: 0000000140001C0F
Part of subcall function 0000000140001B54: SetSecurityDescriptorDacl.ADVAPI32 ref: 0000000140001C26
Part of subcall function 0000000140001B54: CreateNamedPipeW.KERNELBASE ref: 0000000140001C67

Sleep.KERNEL32 ref: 00000001400021F5
ConnectNamedPipe.KERNELBASE ref: 0000000140002202
ReadFile.KERNEL32 ref: 0000000140002225
Sleep.KERNEL32 ref: 0000000140002246
DisconnectNamedPipe.KERNEL32 ref: 000000014000224F

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00000001400021DD

Memory Dump Source

Source File: 00000012.00000002.2699880993.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000012.00000002.2699339853.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700447688.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700966930.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_140000000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 2071455217-3440882674
Opcode ID: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
Opcode Fuzzy Hash: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

Function 0000000140002B38 Relevance: 9.1, APIs: 6, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140002B53
HeapAlloc.KERNEL32 ref: 0000000140002B67
GetProcessHeap.KERNEL32 ref: 0000000140002B70
HeapAlloc.KERNEL32 ref: 0000000140002B7E
K32EnumProcesses.KERNEL32 ref: 0000000140002B99
SleepEx.KERNELBASE ref: 0000000140002BEE

Memory Dump Source

Source File: 00000012.00000002.2699880993.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000012.00000002.2699339853.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700447688.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700966930.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_140000000_dialer.jbxd

Similarity

API ID: Heap$AllocProcess$EnumProcessesSleep
String ID:
API String ID: 3676546796-0
Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

Function 00000001400017EC Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812

Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
Part of subcall function 00000001400014D8: HeapFree.KERNEL32 ref: 000000014000163D
Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
Part of subcall function 00000001400014D8: HeapFree.KERNEL32 ref: 0000000140001651

OpenProcess.KERNEL32 ref: 0000000140001859
TerminateProcess.KERNEL32 ref: 000000014000186C
CloseHandle.KERNEL32 ref: 0000000140001875
GetProcessHeap.KERNEL32 ref: 0000000140001885

Memory Dump Source

Source File: 00000012.00000002.2699880993.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000012.00000002.2699339853.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700447688.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700966930.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_140000000_dialer.jbxd

Similarity

API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
String ID:
API String ID: 1323846700-0
Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

Function 00000001400018AC Relevance: 4.5, APIs: 3, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018CA
IsWow64Process.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018E0
CloseHandle.KERNELBASE(?,?,?,000000014000110E), ref: 00000001400018FB

Memory Dump Source

Source File: 00000012.00000002.2699880993.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000012.00000002.2699339853.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700447688.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700966930.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_140000000_dialer.jbxd

Similarity

API ID: Process$CloseHandleOpenWow64
String ID:
API String ID: 10462204-0
Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

Function 0000000140002258 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408

ExitProcess.KERNEL32 ref: 0000000140002263

Memory Dump Source

Source File: 00000012.00000002.2699880993.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000012.00000002.2699339853.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700447688.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700966930.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_140000000_dialer.jbxd

Similarity

API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
String ID:
API String ID: 3836936051-0
Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

Non-executed Functions

Function 0000000140002560 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 296
memoryregistryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 00000001400025E7

Part of subcall function 00000001400018AC: OpenProcess.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018CA
Part of subcall function 00000001400018AC: IsWow64Process.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018E0
Part of subcall function 00000001400018AC: CloseHandle.KERNELBASE(?,?,?,000000014000110E), ref: 00000001400018FB

Part of subcall function 00000001400010C0: OpenProcess.KERNEL32 ref: 000000014000112C
Part of subcall function 00000001400010C0: OpenProcess.KERNEL32 ref: 000000014000114B
Part of subcall function 00000001400010C0: K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001170
Part of subcall function 00000001400010C0: PathFindFileNameW.SHLWAPI ref: 000000014000117E
Part of subcall function 00000001400010C0: lstrlenW.KERNEL32 ref: 000000014000118A
Part of subcall function 00000001400010C0: StrCpyW.SHLWAPI ref: 00000001400011A1
Part of subcall function 00000001400010C0: CloseHandle.KERNEL32 ref: 00000001400011AD
Part of subcall function 00000001400010C0: StrCmpIW.SHLWAPI ref: 00000001400011E2
Part of subcall function 00000001400010C0: NtQueryInformationProcess.NTDLL ref: 0000000140001216
Part of subcall function 00000001400010C0: OpenProcessToken.ADVAPI32 ref: 0000000140001240

RegOpenKeyExW.ADVAPI32 ref: 0000000140002683
RegDeleteValueW.ADVAPI32 ref: 000000014000269B
ExitProcess.KERNEL32 ref: 00000001400026BF
GetProcessHeap.KERNEL32 ref: 00000001400026C6
HeapAlloc.KERNEL32 ref: 00000001400026D9
K32EnumProcesses.KERNEL32 ref: 00000001400026F6
ExitProcess.KERNEL32 ref: 0000000140002796

Strings

dialerstager, xrefs: 0000000140002694
SOFTWARE, xrefs: 0000000140002675
open, xrefs: 0000000140002960

Memory Dump Source

Source File: 00000012.00000002.2699880993.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000012.00000002.2699339853.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700447688.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700966930.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_140000000_dialer.jbxd

Similarity

API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
String ID: SOFTWARE$dialerstager$open
API String ID: 3276259517-3931493855
Opcode ID: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
Opcode Fuzzy Hash: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

Function 0000000140001C88 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 154
injectionthreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 0000000140001D1D
VirtualAllocEx.KERNEL32 ref: 0000000140001D4C
WriteProcessMemory.KERNEL32 ref: 0000000140001D73
WriteProcessMemory.KERNEL32 ref: 0000000140001DB2
VirtualAlloc.KERNEL32 ref: 0000000140001DE3
GetThreadContext.KERNEL32 ref: 0000000140001DFF
WriteProcessMemory.KERNEL32 ref: 0000000140001E26
SetThreadContext.KERNEL32 ref: 0000000140001E44
ResumeThread.KERNEL32 ref: 0000000140001E52
OpenProcess.KERNEL32 ref: 0000000140001E6A
TerminateProcess.KERNEL32 ref: 0000000140001E7D

Strings

@, xrefs: 0000000140001D44

Memory Dump Source

Source File: 00000012.00000002.2699880993.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000012.00000002.2699339853.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700447688.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700966930.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_140000000_dialer.jbxd

Similarity

API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
String ID: @
API String ID: 3462610200-2766056989
Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700

Function 00000001400019C4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 102memorycomCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00000001400019E6
SysAllocString.OLEAUT32 ref: 00000001400019F6
CoInitializeEx.OLE32 ref: 0000000140001A03
CoInitializeSecurity.OLE32 ref: 0000000140001A3A
CoCreateInstance.OLE32 ref: 0000000140001A7A
VariantInit.OLEAUT32 ref: 0000000140001A8C
CoUninitialize.OLE32 ref: 0000000140001B26
SysFreeString.OLEAUT32 ref: 0000000140001B2F
SysFreeString.OLEAUT32 ref: 0000000140001B38

Strings

dialersvc64, xrefs: 00000001400019DD

Memory Dump Source

Source File: 00000012.00000002.2699880993.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000012.00000002.2699339853.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700447688.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700966930.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_140000000_dialer.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID: dialersvc64
API String ID: 4184240511-3881820561
Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300

Function 0000000140001000 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000140001034
RegDeleteKeyW.ADVAPI32 ref: 0000000140001045
RegEnumKeyExW.ADVAPI32 ref: 0000000140001082
RegCloseKey.ADVAPI32 ref: 0000000140001093
RegDeleteKeyExW.ADVAPI32 ref: 00000001400010B0

Strings

SOFTWARE\dialerconfig, xrefs: 0000000140001026, 000000014000109C

Memory Dump Source

Source File: 00000012.00000002.2699880993.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000012.00000002.2699339853.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700447688.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700966930.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_140000000_dialer.jbxd

Similarity

API ID: Delete$CloseEnumOpen
String ID: SOFTWARE\dialerconfig
API String ID: 3013565938-461861421
Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54

Function 0000000140002A90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0000000140002ACB
WriteFile.KERNEL32 ref: 0000000140002AF3
WriteFile.KERNEL32 ref: 0000000140002B16
CloseHandle.KERNEL32 ref: 0000000140002B1F

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 0000000140002AA8

Memory Dump Source

Source File: 00000012.00000002.2699880993.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000012.00000002.2699339853.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700447688.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700966930.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_140000000_dialer.jbxd

Similarity

API ID: File$Write$CloseCreateHandle
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 148219782-3440882674
Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40

Function 0000000140001914 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0000000140002138), ref: 0000000140001924
GetProcAddress.KERNEL32(?,?,00000000,0000000140002138), ref: 0000000140001937

Strings

ntdll.dll, xrefs: 000000014000191A

Memory Dump Source

Source File: 00000012.00000002.2699880993.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000012.00000002.2699339853.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700447688.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.2700966930.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_140000000_dialer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ntdll.dll
API String ID: 1646373207-2227199552
Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

Analysis Process: winlogon.exePID: 556, Parent PID: 7188COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	95.2%
Signature Coverage:	0%
Total number of Nodes:	124
Total number of Limit Nodes:	16

Executed Functions

Function 000002E991751628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002E991751633
HeapAlloc.KERNEL32 ref: 000002E991751642

Part of subcall function 000002E991751268: GetProcessHeap.KERNEL32 ref: 000002E99175126E
Part of subcall function 000002E991751268: HeapAlloc.KERNEL32 ref: 000002E99175127D
Part of subcall function 000002E991751268: GetProcessHeap.KERNEL32 ref: 000002E991751297
Part of subcall function 000002E991751268: HeapAlloc.KERNEL32 ref: 000002E9917512A8

RegOpenKeyExW.ADVAPI32 ref: 000002E9917516B2
RegOpenKeyExW.ADVAPI32 ref: 000002E9917516DF
RegCloseKey.ADVAPI32 ref: 000002E9917516F9
RegOpenKeyExW.ADVAPI32 ref: 000002E991751719
RegCloseKey.ADVAPI32 ref: 000002E991751734
RegOpenKeyExW.ADVAPI32 ref: 000002E991751754
RegCloseKey.ADVAPI32 ref: 000002E99175176F
RegOpenKeyExW.ADVAPI32 ref: 000002E99175178F
RegCloseKey.ADVAPI32 ref: 000002E9917517AA
RegOpenKeyExW.ADVAPI32 ref: 000002E9917517CA
RegCloseKey.ADVAPI32 ref: 000002E9917517E5
RegOpenKeyExW.ADVAPI32 ref: 000002E991751805
RegCloseKey.ADVAPI32 ref: 000002E991751820
RegOpenKeyExW.ADVAPI32 ref: 000002E991751840
RegCloseKey.ADVAPI32 ref: 000002E99175185B
RegOpenKeyExW.ADVAPI32 ref: 000002E99175187B
RegCloseKey.ADVAPI32 ref: 000002E991751896
RegCloseKey.ADVAPI32 ref: 000002E9917518A0

Part of subcall function 000002E9917512BC: RegQueryInfoKeyW.ADVAPI32 ref: 000002E991751319
Part of subcall function 000002E9917512BC: GetProcessHeap.KERNEL32 ref: 000002E991751327
Part of subcall function 000002E9917512BC: HeapAlloc.KERNEL32 ref: 000002E991751338
Part of subcall function 000002E9917512BC: RegEnumValueW.ADVAPI32 ref: 000002E991751397
Part of subcall function 000002E9917512BC: GetProcessHeap.KERNEL32 ref: 000002E9917513DF
Part of subcall function 000002E9917512BC: HeapAlloc.KERNEL32 ref: 000002E9917513ED
Part of subcall function 000002E9917512BC: GetProcessHeap.KERNEL32 ref: 000002E99175140A
Part of subcall function 000002E9917512BC: HeapFree.KERNEL32 ref: 000002E991751418
Part of subcall function 000002E9917512BC: lstrlenW.KERNEL32 ref: 000002E991751421
Part of subcall function 000002E9917512BC: GetProcessHeap.KERNEL32 ref: 000002E99175142F
Part of subcall function 000002E9917512BC: HeapAlloc.KERNEL32 ref: 000002E99175143D

Strings

startup, xrefs: 000002E9917516D5
tcp_remote, xrefs: 000002E991751839
pid, xrefs: 000002E991751712
process_names, xrefs: 000002E99175174D
SOFTWARE\dialerconfig, xrefs: 000002E991751692
paths, xrefs: 000002E991751788
tcp_local, xrefs: 000002E9917517FE
udp, xrefs: 000002E991751874
service_names, xrefs: 000002E9917517C3

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 54b8228711d56d83d96e028295ec185cd7547312acf9b7e7a1458d33eaddbd6f
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: A0713036354B9285EB10AF67E858A5D3374F784BC9F82112AED4E87B6ADF34C484CB50

Function 000002E991753790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 000002E99175379E
GetCurrentProcess.KERNEL32 ref: 000002E9917537CC
VirtualProtectEx.KERNEL32 ref: 000002E9917537EE
GetCurrentProcess.KERNEL32 ref: 000002E991753809
VirtualProtectEx.KERNEL32 ref: 000002E99175382A

Strings

wr, xrefs: 000002E9917537FF

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 889b996a8caf1a720874174e44a79219beab5574743a7c3e537098b2f91f301b
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 85115E2674478682EF189B12E40866962B0F748BC5F86042EEE8947766EF3DC585CB24

Function 000002E991755B30 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000002E991755B6B
GetThreadContext.KERNEL32 ref: 000002E991755CD5

Part of subcall function 000002E991755960: GetCurrentThreadId.KERNEL32 ref: 000002E991755964

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
Instruction ID: 1cfaaca5a2e5f2dbf610dce76985e3aebf4ce61cea1ed6e8382bb37d242726a6
Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
Instruction Fuzzy Hash: 25D19C76244B8982DA70DB06E49835A77B0F388B84F52411BEACD47BA6DF3CC591CF50

Function 000002E9917550D0 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000002E991755156

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
Instruction ID: eebe92032a7fdedf781faa804f7575b613c740f96bbb6c7e2e6b86a645c85fbc
Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
Instruction Fuzzy Hash: E802BA32259BC586E7A0CB56F49435ABBA1F3C4794F11401AEA8E87BA9DF7CC494CF10

Function 000002E9917539E0 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 000002E991753A66
VirtualAlloc.KERNEL32 ref: 000002E991753AA0

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction ID: bd37eb1f9fe1cce81840bdfd23b72ab3f02b45a8b3f74b5eeca5040b27afc49a
Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction Fuzzy Hash: 07315022759AC581EA70DA17E05835E67A4F388784F11052BF5CE06BBADF7CC2C08F20

Function 000002E99175328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002E9917532AE
PathFindFileNameW.SHLWAPI ref: 000002E9917532BD

Part of subcall function 000002E991753844: StrCmpNIW.SHLWAPI ref: 000002E99175385C

Part of subcall function 000002E991753790: GetModuleHandleW.KERNEL32 ref: 000002E99175379E
Part of subcall function 000002E991753790: GetCurrentProcess.KERNEL32 ref: 000002E9917537CC
Part of subcall function 000002E991753790: VirtualProtectEx.KERNEL32 ref: 000002E9917537EE
Part of subcall function 000002E991753790: GetCurrentProcess.KERNEL32 ref: 000002E991753809
Part of subcall function 000002E991753790: VirtualProtectEx.KERNEL32 ref: 000002E99175382A

CreateThread.KERNEL32 ref: 000002E99175330B

Part of subcall function 000002E991751D14: GetCurrentThread.KERNEL32 ref: 000002E991751D1F

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 351c7813d095973389ab4a2bf15dbcd6c7863a8031ac115e2cdad26015686c69
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 56118031B946C382FB60AB33F84D76922A4B754345F92412FA916816B3EF79C0C48E70

Function 000002E991754DF0 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000002E991754DF4
VirtualProtect.KERNEL32 ref: 000002E991754E37
FlushInstructionCache.KERNEL32 ref: 000002E991754E4C

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
Instruction ID: d4000fd86275b36a03d69cb5381fd848dff25b8e8b72ec9c6e4ac05b9341f0d5
Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
Instruction Fuzzy Hash: DCF0302625CB85C0D631DB02E44934A6BA0F38C7D4F55011AFA8E03B6ADB3CC6C08F50

Function 000002E99172273C Relevance: 3.2, APIs: 2, Instructions: 187
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002E9917227DB
LoadLibraryA.KERNELBASE ref: 000002E99172285E

Memory Dump Source

Source File: 00000017.00000002.2715128142.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991720000_winlogon.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 0174b3c931968c58cb23d2eb9d8b9e4d39f5b79fd9c5245184543cdb20c18685
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: A4616872B422D187DB54CF16C00872D7392F754BE4F19852ADF991778ADA38D893CB20

Function 000002E991751ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002E991751628: GetProcessHeap.KERNEL32 ref: 000002E991751633
Part of subcall function 000002E991751628: HeapAlloc.KERNEL32 ref: 000002E991751642
Part of subcall function 000002E991751628: RegOpenKeyExW.ADVAPI32 ref: 000002E9917516B2
Part of subcall function 000002E991751628: RegOpenKeyExW.ADVAPI32 ref: 000002E9917516DF
Part of subcall function 000002E991751628: RegCloseKey.ADVAPI32 ref: 000002E9917516F9
Part of subcall function 000002E991751628: RegOpenKeyExW.ADVAPI32 ref: 000002E991751719
Part of subcall function 000002E991751628: RegCloseKey.ADVAPI32 ref: 000002E991751734
Part of subcall function 000002E991751628: RegOpenKeyExW.ADVAPI32 ref: 000002E991751754
Part of subcall function 000002E991751628: RegCloseKey.ADVAPI32 ref: 000002E99175176F
Part of subcall function 000002E991751628: RegOpenKeyExW.ADVAPI32 ref: 000002E99175178F
Part of subcall function 000002E991751628: RegCloseKey.ADVAPI32 ref: 000002E9917517AA
Part of subcall function 000002E991751628: RegOpenKeyExW.ADVAPI32 ref: 000002E9917517CA

Sleep.KERNEL32 ref: 000002E991751AD7
SleepEx.KERNELBASE ref: 000002E991751ADD

Part of subcall function 000002E991751628: RegCloseKey.ADVAPI32 ref: 000002E9917517E5
Part of subcall function 000002E991751628: RegOpenKeyExW.ADVAPI32 ref: 000002E991751805
Part of subcall function 000002E991751628: RegCloseKey.ADVAPI32 ref: 000002E991751820
Part of subcall function 000002E991751628: RegOpenKeyExW.ADVAPI32 ref: 000002E991751840
Part of subcall function 000002E991751628: RegCloseKey.ADVAPI32 ref: 000002E99175185B
Part of subcall function 000002E991751628: RegOpenKeyExW.ADVAPI32 ref: 000002E99175187B
Part of subcall function 000002E991751628: RegCloseKey.ADVAPI32 ref: 000002E991751896
Part of subcall function 000002E991751628: RegCloseKey.ADVAPI32 ref: 000002E9917518A0

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 98a2260962f66e790094138e64364fcbcff5423d27e2e98684da735ba5be122f
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 3731F1613816C342FF509B27D6493A913A4BB44BC6F0A542B9E1B87697FF34C8D1CA31

Non-executed Functions

Function 000002E991752B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000002E991752BD0
lstrlenW.KERNEL32 ref: 000002E991752E0A

Part of subcall function 000002E99175199C: OpenProcess.KERNEL32 ref: 000002E9917519C2
Part of subcall function 000002E99175199C: K32GetModuleFileNameExW.KERNEL32 ref: 000002E9917519E0
Part of subcall function 000002E99175199C: PathFindFileNameW.SHLWAPI ref: 000002E9917519EF
Part of subcall function 000002E99175199C: lstrlenW.KERNEL32 ref: 000002E9917519FB
Part of subcall function 000002E99175199C: StrCpyW.SHLWAPI ref: 000002E991751A0E
Part of subcall function 000002E99175199C: CloseHandle.KERNEL32 ref: 000002E991751A1C

GetProcAddress.KERNEL32 ref: 000002E991752BE5

Part of subcall function 000002E99175152C: StrCmpIW.SHLWAPI ref: 000002E99175155D

Part of subcall function 000002E991753844: StrCmpNIW.SHLWAPI ref: 000002E99175385C

StrCmpNIW.SHLWAPI ref: 000002E991752C28
lstrlenW.KERNEL32 ref: 000002E991752D50

Strings

NtQueryObject, xrefs: 000002E991752BDB
ntdll.dll, xrefs: 000002E991752BC9
\Device\Nsi, xrefs: 000002E991752C1B

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: 9267f257902aa87408aaac54b14cc2c1c9bedbda9888c08ae2a81d07cc4cf480
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 49B19F22250BD2C6EB698F27D4487A963A5F748B84F56501FEE0953796EF35CCC0CB60

Function 000002E991757D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002E991757DAC
RtlCaptureContext.NTDLL ref: 000002E991757DD9
RtlLookupFunctionEntry.NTDLL ref: 000002E991757DF3
RtlVirtualUnwind.NTDLL ref: 000002E991757E34
IsDebuggerPresent.KERNEL32 ref: 000002E991757E88
SetUnhandledExceptionFilter.KERNEL32 ref: 000002E991757EA9
UnhandledExceptionFilter.KERNEL32 ref: 000002E991757EB4

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: 0216bfbab142289af890d8c45534b75c134c54bc5fdd387169f2726022cc0a09
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: F6318372245BC19AEB609F62E8443ED7364F784744F85402EEB4D97B95EF38C588CB20

Function 000002E99175D2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002E99175D31D
RtlLookupFunctionEntry.NTDLL ref: 000002E99175D335
RtlVirtualUnwind.NTDLL ref: 000002E99175D370
IsDebuggerPresent.KERNEL32 ref: 000002E99175D3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 000002E99175D3B3
UnhandledExceptionFilter.KERNEL32 ref: 000002E99175D3BE

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: a23a05519f5be50e9521a24267438afb78831fdbfdb93237bbf99c1e24bec194
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: C0319332254FC196EB60DF26E84439E73A4F789794F91012AEA9D43B96DF38C185CF10

Function 000002E9917512BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002E991751319
GetProcessHeap.KERNEL32 ref: 000002E991751327
HeapAlloc.KERNEL32 ref: 000002E991751338
RegEnumValueW.ADVAPI32 ref: 000002E991751397

Part of subcall function 000002E99175152C: StrCmpIW.SHLWAPI ref: 000002E99175155D

GetProcessHeap.KERNEL32 ref: 000002E9917513DF
HeapAlloc.KERNEL32 ref: 000002E9917513ED
GetProcessHeap.KERNEL32 ref: 000002E99175140A
HeapFree.KERNEL32 ref: 000002E991751418
lstrlenW.KERNEL32 ref: 000002E991751421
GetProcessHeap.KERNEL32 ref: 000002E99175142F
HeapAlloc.KERNEL32 ref: 000002E99175143D
StrCpyW.SHLWAPI ref: 000002E99175145F
GetProcessHeap.KERNEL32 ref: 000002E991751476
HeapFree.KERNEL32 ref: 000002E991751484

Strings

d, xrefs: 000002E99175135A

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: faf9fcae4cad09d4b21471a3c83bc15139729c09b9c22fc87df00bbc9025f63a
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: B3516D72240BC5C6EB54CF62E44835AB7A1F389FC9F85412AEA4A8771ADF3CC085CB51

Function 000002E991751D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002E991751D1F

Part of subcall function 000002E991751FD4: GetModuleHandleA.KERNEL32 ref: 000002E991751FEC
Part of subcall function 000002E991751FD4: GetProcAddress.KERNEL32 ref: 000002E991751FFD

Part of subcall function 000002E991755B30: GetCurrentThreadId.KERNEL32 ref: 000002E991755B6B

Strings

ntdll.dll, xrefs: 000002E991751D2D
NtQueryDirectoryFileEx, xrefs: 000002E991751D9C
sechost.dll, xrefs: 000002E991751E39
NtQueryDirectoryFile, xrefs: 000002E991751D7F
EnumServiceGroupW, xrefs: 000002E991751DF0
NtQuerySystemInformation, xrefs: 000002E991751D45
EnumServicesStatusExW, xrefs: 000002E991751E11, 000002E991751E32
advapi32.dll, xrefs: 000002E991751DF7, 000002E991751E18
NtDeviceIoControlFile, xrefs: 000002E991751E56
NtEnumerateValueKey, xrefs: 000002E991751DD6
NtEnumerateKey, xrefs: 000002E991751DB9
NtResumeThread, xrefs: 000002E991751D62

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: 4753043bf12ce9e32f38f3c1a54f8f46ce1ac6560c3b79c386cbf99cf72d279c
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: FA31D664191ACBA1FB00EFA7E85D6D42320B710384FC3101B945A461B79F3886CACF71

Function 000002E991726910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002E991726938
__scrt_acquire_startup_lock.LIBCMT ref: 000002E99172698A
_RTC_Initialize.LIBCMT ref: 000002E9917269B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002E9917269DE
__scrt_release_startup_lock.LIBCMT ref: 000002E991726A09

Strings

`eh vector copy constructor iterator', xrefs: 000002E991726A3B
scriptor', xrefs: 000002E991726B39, 000002E991726BB2, 000002E991726BEC
`eh vector vbase copy constructor iterator', xrefs: 000002E9917269EE
`dynamic initializer for ', xrefs: 000002E9917269C7

Memory Dump Source

Source File: 00000017.00000002.2715128142.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991720000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: e16fa48834a59c6cd4a499f0462a1a18f190ef002cbaf03bf6bfe41264d5c29d
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 9F81A4617822C386FB50AB27D44939922A1FB99780F96482FBD4547797DB38C9C78F30

Function 000002E99175CE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 000002E99175CE37
FlsGetValue.KERNEL32(?,?,?,000002E991760A6B,?,?,?,000002E99176045C,?,?,?,000002E99175C84F), ref: 000002E99175CE4C
FlsSetValue.KERNEL32(?,?,?,000002E991760A6B,?,?,?,000002E99176045C,?,?,?,000002E99175C84F), ref: 000002E99175CE6D
FlsSetValue.KERNEL32(?,?,?,000002E991760A6B,?,?,?,000002E99176045C,?,?,?,000002E99175C84F), ref: 000002E99175CE9A
FlsSetValue.KERNEL32(?,?,?,000002E991760A6B,?,?,?,000002E99176045C,?,?,?,000002E99175C84F), ref: 000002E99175CEAB
FlsSetValue.KERNEL32(?,?,?,000002E991760A6B,?,?,?,000002E99176045C,?,?,?,000002E99175C84F), ref: 000002E99175CEBC
SetLastError.KERNEL32 ref: 000002E99175CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002E991760A6B,?,?,?,000002E99176045C,?,?,?,000002E99175C84F), ref: 000002E99175CF0D
FlsSetValue.KERNEL32(?,?,00000001,000002E99175ECCC,?,?,?,?,000002E99175BF9F,?,?,?,?,?,000002E991757AB0), ref: 000002E99175CF2C

Part of subcall function 000002E99175D6CC: HeapAlloc.KERNEL32 ref: 000002E99175D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002E991760A6B,?,?,?,000002E99176045C,?,?,?,000002E99175C84F), ref: 000002E99175CF54

Part of subcall function 000002E99175D744: HeapFree.KERNEL32 ref: 000002E99175D75A
Part of subcall function 000002E99175D744: GetLastError.KERNEL32 ref: 000002E99175D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002E991760A6B,?,?,?,000002E99176045C,?,?,?,000002E99175C84F), ref: 000002E99175CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002E991760A6B,?,?,?,000002E99176045C,?,?,?,000002E99175C84F), ref: 000002E99175CF76

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: d19b245fd988bfb2817d68be97438e53c8424c1f9c669e008c2cccf14dbdb104
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: 734174203C12C742FA69A737D55D3692289BB447B4F160B2FA936466E7DF3884C19F30

Function 000002E991752244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002E991752259
GetCurrentProcessId.KERNEL32 ref: 000002E991752263

Part of subcall function 000002E991751934: OpenProcess.KERNEL32 ref: 000002E991751952
Part of subcall function 000002E991751934: IsWow64Process.KERNEL32 ref: 000002E991751968
Part of subcall function 000002E991751934: CloseHandle.KERNEL32 ref: 000002E991751983

CreateFileW.KERNEL32 ref: 000002E9917522BC
WriteFile.KERNEL32 ref: 000002E9917522E4
ReadFile.KERNEL32 ref: 000002E991752303
CloseHandle.KERNEL32 ref: 000002E99175230C

Strings

\\.\pipe\dialerchildproc32, xrefs: 000002E991752293
\\.\pipe\dialerchildproc64, xrefs: 000002E99175228C

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 2ec8cc7cd3fe4d2c1af7483aaecc8ed615e3356d440049c4b66141594478c441
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: F4214F32654781C3FB108B26F44875973A1F789BE4F91021AEA5943BA9DF3CC589CF51

Function 000002E991729944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002E9917299A1

Part of subcall function 000002E99172A814: __GetUnwindTryBlock.LIBCMT ref: 000002E99172A857
Part of subcall function 000002E99172A814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002E99172A87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002E991729A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002E991729CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002E991729DDA

Strings

csm, xrefs: 000002E9917299BB
csm, xrefs: 000002E991729A9C
csm, xrefs: 000002E991729A22

Memory Dump Source

Source File: 00000017.00000002.2715128142.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991720000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 920fc7fd0e7b6407fb21e7a3f32b8b7f41c9ae5ea962bf932353d45c49382d83
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: BAE1C1326427D286EB60CF26D4883AD77A0F749788F15091AEE8947B9BCF34C1D2CB10

Function 000002E99175A544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002E99175A5A1

Part of subcall function 000002E99175B414: __GetUnwindTryBlock.LIBCMT ref: 000002E99175B457
Part of subcall function 000002E99175B414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002E99175B47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002E99175A679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002E99175A8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002E99175A9DA

Strings

csm, xrefs: 000002E99175A5BB
csm, xrefs: 000002E99175A622
csm, xrefs: 000002E99175A69C

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: 97f73203f8982477833e52015e33f754f7e99079407345b81d307e64eaf0c1f0
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: C1E18F72644BC28AEB20DF66D4883AD77A0F745798F12112BEE8957B97CB34D5C1CB20

Function 000002E99175F394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 000002E99175F510
GetProcAddress.KERNEL32 ref: 000002E99175F51C

Strings

ext-ms-, xrefs: 000002E99175F46D
api-ms-, xrefs: 000002E99175F45A

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: a37450bc1c151caee95b075b815692e99cd55a6f4dc24f28fbba06317fb40626
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: 2741D622391B8292FB56CB17E8087562795B745BE0F47492F9D0E87786EF3CC4C58B60

Function 000002E99175104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002E9917510B1
RegEnumValueW.ADVAPI32 ref: 000002E991751117
GetProcessHeap.KERNEL32 ref: 000002E99175115A
HeapAlloc.KERNEL32 ref: 000002E991751168
GetProcessHeap.KERNEL32 ref: 000002E991751185
HeapFree.KERNEL32 ref: 000002E991751193

Strings

d, xrefs: 000002E9917510D6

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: c14a8d93c31946622ec18366339607f616fe7fb0c74b8ef5f7eef75a911a86bd
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: A0419133214BC5C6E760CF22E44879EB7A1F388B89F44812AEA8A47759DF38C485CB50

Function 000002E99175D068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000002E99175C7DE,?,?,?,?,?,?,?,?,000002E99175CF9D,?,?,00000001), ref: 000002E99175D087
FlsSetValue.KERNEL32(?,?,?,000002E99175C7DE,?,?,?,?,?,?,?,?,000002E99175CF9D,?,?,00000001), ref: 000002E99175D0A6
FlsSetValue.KERNEL32(?,?,?,000002E99175C7DE,?,?,?,?,?,?,?,?,000002E99175CF9D,?,?,00000001), ref: 000002E99175D0CE
FlsSetValue.KERNEL32(?,?,?,000002E99175C7DE,?,?,?,?,?,?,?,?,000002E99175CF9D,?,?,00000001), ref: 000002E99175D0DF
FlsSetValue.KERNEL32(?,?,?,000002E99175C7DE,?,?,?,?,?,?,?,?,000002E99175CF9D,?,?,00000001), ref: 000002E99175D0F0

Strings

1%, xrefs: 000002E99175D0CE
Y%, xrefs: 000002E99175D0A6

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: a96b1890e74b2ecd0ea9938466009dfee319b739ed4c7e033c1762021a338c56
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: 481181207902C242FA69A737D55D3696185BB443F4F16472F983A466EBDF38C4C28E30

Function 000002E991757510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002E991757538
__scrt_acquire_startup_lock.LIBCMT ref: 000002E99175758A
_RTC_Initialize.LIBCMT ref: 000002E9917575B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002E9917575DE
__scrt_release_startup_lock.LIBCMT ref: 000002E991757609

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: cd15232f422848d1d810b8ca1d68bf3e5a859180c35751ee036576ae4bb720cf
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 4981C3216806C3A6FB50AB6BE44D3A922D4F745780FD7441FAA0987797EB38C9C58F31

Function 000002E991759DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000002E991759E49
GetLastError.KERNEL32 ref: 000002E991759E57
LoadLibraryExW.KERNEL32 ref: 000002E991759E81
FreeLibrary.KERNEL32 ref: 000002E991759EC7
GetProcAddress.KERNEL32 ref: 000002E991759ED3

Strings

api-ms-, xrefs: 000002E991759E69

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 207c3dd52896e77b572485204b7de8f36d24d6c4bffc08408b80e03efac7f2a8
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 363196223526C2E1EE15DB43E4487656394B74CBA0F9B052F9D1D47792EF39C4C59B20

Function 000002E991763DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002E991763DE5
GetLastError.KERNEL32 ref: 000002E991763DF1
CloseHandle.KERNEL32 ref: 000002E991763E09
CreateFileW.KERNEL32 ref: 000002E991763E34
WriteConsoleW.KERNEL32 ref: 000002E991763E53

Strings

CONOUT$, xrefs: 000002E991763E15

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: 5be6fbadabfa398e5c5c06da23e062949b7ae7d32590008ef573cc00081c362b
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 6B11B231350BC182E7508B13E84831972A4F388FE4F45022AEA5EC7796CF38C4948BA1

Function 000002E991752F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002E991752F27
HeapAlloc.KERNEL32 ref: 000002E991752F3A
StrCmpNIW.SHLWAPI ref: 000002E991752FAF
GetProcessHeap.KERNEL32 ref: 000002E991753015
HeapFree.KERNEL32 ref: 000002E991753023

Strings

dialer, xrefs: 000002E991752FA8

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 186717381455e3181557c70e4b3e181aab8ff8ec6f9d2597f1690986fa17b43e
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: 6931C522741B92C3EB54DF17E54872967A1FB44BC0F4A402AAE4847B97EF34C4E18B60

Function 000002E99175CFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002E99175CFAF
FlsSetValue.KERNEL32(?,?,?,000002E99175D6B5,?,?,?,?,000002E99175D778), ref: 000002E99175CFE5
FlsSetValue.KERNEL32(?,?,?,000002E99175D6B5,?,?,?,?,000002E99175D778), ref: 000002E99175D012
FlsSetValue.KERNEL32(?,?,?,000002E99175D6B5,?,?,?,?,000002E99175D778), ref: 000002E99175D023
FlsSetValue.KERNEL32(?,?,?,000002E99175D6B5,?,?,?,?,000002E99175D778), ref: 000002E99175D034
SetLastError.KERNEL32 ref: 000002E99175D04F

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 88b896e7da52e95fd00ccff7768d99056a53124772a0c671c365fb61c8ceb8e1
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: 92115E203912C242FA65A733D55D3292185BB447F4F16072EA836467D7DF7884C28F30

Function 000002E99175199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002E9917519C2
K32GetModuleFileNameExW.KERNEL32 ref: 000002E9917519E0
PathFindFileNameW.SHLWAPI ref: 000002E9917519EF
lstrlenW.KERNEL32 ref: 000002E9917519FB
StrCpyW.SHLWAPI ref: 000002E991751A0E
CloseHandle.KERNEL32 ref: 000002E991751A1C

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: 715ac3fdfa83c77bb0e460137307d450772adbe10476670a3786bf80235cc521
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 17012D21340A8282EB54DB53E45C75963A5F788BC5FCA403AEE5A83756DF3CC989CB50

Function 000002E9917536C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002E9917536E4
GetCurrentProcess.KERNEL32 ref: 000002E9917536F2
VirtualProtectEx.KERNEL32 ref: 000002E991753714
GetCurrentProcess.KERNEL32 ref: 000002E991753732
VirtualProtectEx.KERNEL32 ref: 000002E991753753
TerminateThread.KERNEL32 ref: 000002E991753762

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: c6f769b54c004a354a452a2a46bf369459501ef8588b7fa1b2b20c3275c221d8
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 69016D6475178282FB249B23E80C71523B0FB49B82F96082EDD4947766EF3CC1888F20

Function 000002E991758FE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002E991759013
_IsNonwritableInCurrentImage.LIBCMT ref: 000002E9917590A8
RtlUnwindEx.NTDLL ref: 000002E9917590F7

Strings

csm, xrefs: 000002E99175908E
f, xrefs: 000002E991759026

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction ID: e9dc35c7a832d2cc683b6cd1fa1022522abd5526910dd1348563b3731bf2def8
Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction Fuzzy Hash: 1851C33274169286EB54CF26E84CB693796F344BC8F52852EDA064778ADB35DCC1CF20

Function 000002E991751A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002E991751A60
StrCmpNIW.SHLWAPI ref: 000002E991751A7A
lstrlenW.KERNEL32 ref: 000002E991751A89
StrCpyW.SHLWAPI ref: 000002E991751A9E

Strings

\\?\, xrefs: 000002E991751A6E

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 412175bfc77c0f7889df0d48bc3560869d283f7d8297d7432b8b3449444d2e85
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 09F04F223446C292EB608B22F99875967A5F748BC9FC5402ADA498695ADF3CC6CDCF10

Function 000002E991753044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002E991753066
StrCpyW.SHLWAPI ref: 000002E991753076
StrCatW.SHLWAPI ref: 000002E991753082
PathCombineW.SHLWAPI ref: 000002E991753090

Strings

\\.\pipe\, xrefs: 000002E99175305C

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: c358c5bd6c370e4e94212374ef1c3ac1b27339a5d47b43ba3a3d7addd493d33b
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 44F08260354BC682EA008B13F91C119A261BB48FC0F85403AEE4A87B2ADF3CC4C58B21

Function 000002E99175BC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002E99175BCBD
GetProcAddress.KERNEL32 ref: 000002E99175BCD3
FreeLibrary.KERNEL32 ref: 000002E99175BCFA

Strings

CorExitProcess, xrefs: 000002E99175BCCC
mscoree.dll, xrefs: 000002E99175BCB4

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 25295f8d8ab3043a6409b7c076f3c8c014371e5dc60beb8abb4c75a9d3b53d50
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 27F0966135178691EB108B26E45C3696331FB84BE1F95031FDA6A861F6DF3CC4C5CB61

Function 000002E991755710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002E991755726

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
Instruction ID: 899714654cfee5a0a87d9affd5898931fb4ed2655e43b4f37e6fe9002d5fc822
Opcode Fuzzy Hash: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
Instruction Fuzzy Hash: 4761E736559BC6C7E760DB16E44831AB7E4F388784F52011AEA8E47BAADB7CC590CF10

Function 000002E991733504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002E99173352C
_set_statfp.LIBCMT ref: 000002E991733547
_set_statfp.LIBCMT ref: 000002E991733563
_set_statfp.LIBCMT ref: 000002E99173359F

Memory Dump Source

Source File: 00000017.00000002.2715128142.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991720000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 6fce0c9865f46e94ad79d61300e9938692d5aaaf41cf770363b3baa4ae580780
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 7B11A323BD0AD315FAB4153BF44D36911807B58374F6B862FA9760A2D7CA28CBC34A30

Function 000002E991764104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002E99176412C
_set_statfp.LIBCMT ref: 000002E991764147
_set_statfp.LIBCMT ref: 000002E991764163
_set_statfp.LIBCMT ref: 000002E99176419F

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 8833cec01b3b712e7df5753de1625ed22ad95ee90a5c308719c3cffe9809f191
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 1B11E322BD0AC3A5F66F156AD45D36911407B783F8F1B062FA977876D7CA24C8C08A23

Function 000002E99172F040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002E99172F124

Strings

or copy constructor iterator', xrefs: 000002E99172F25A, 000002E99172F275
Tuesday, xrefs: 000002E99172F0F4
Wednesday, xrefs: 000002E99172F1ED

Memory Dump Source

Source File: 00000017.00000002.2715128142.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991720000_winlogon.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 27c43efc3ebcb98436fdd8ae9cc1473d170633621c7fc37e2b7ea1367af98575
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 1E61B3625866C642F7658B6BE54C32E26E1F746740FA34C1FCA0A177A7DA34C9C38B30

Function 000002E99175AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000002E99175AA68
_CallSETranslator.LIBVCRUNTIME ref: 000002E99175AAB7

Strings

RCC, xrefs: 000002E99175AA85
MOC, xrefs: 000002E99175AA7C

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: c265801518a2bdb581e286e63e256228ab63efdfaaa28672a2b32cc6fb03c2c2
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: CE619F33600B858AEB20DF66D4843AD77B0F344B8CF05462AEF4917B9ADB38C595CB50

Function 000002E99172A178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002E99172A1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002E99172A288

Strings

csm, xrefs: 000002E99172A2DA
csm, xrefs: 000002E99172A1C2

Memory Dump Source

Source File: 00000017.00000002.2715128142.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991720000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: f3086e5e95a6481f7f96e1afe717cc730f762cabb17a0b2f305e154ee185ea95
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 1A518D321453C2CAEB648B16D44835877A0F395B94F1A491BDA8987BD7CB78D4D2CF10

Function 000002E99175AD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002E99175ADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002E99175AE88

Strings

csm, xrefs: 000002E99175AEDA
csm, xrefs: 000002E99175ADC2

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 446d1a1c64522073db0cd5d5834e42522880cf304d97d4b8b40f77ecf9adbd4b
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: DE515E721803C28BEB648B27E58835977A0F354B95F1A512FDA9947BDACB38D4D1CF10

Function 000002E991728405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002E991728413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002E9917284A8

Strings

f, xrefs: 000002E991728426
csm, xrefs: 000002E99172848E

Memory Dump Source

Source File: 00000017.00000002.2715128142.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991720000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 310a40da76a7e8494b2a523292ada4b4d5fdfe551cf15d0e710db459a0c84222
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 5C51D63274228287EB14CF17E408B1837D5F354B98F62892EDA564374EE736C9C28F24

Function 000002E9917283E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002E991728413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002E9917284A8

Strings

f, xrefs: 000002E991728426
csm, xrefs: 000002E99172848E

Memory Dump Source

Source File: 00000017.00000002.2715128142.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991720000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 4d9fb923a024668931dd26515bb1f8222d8a35d90d0c19900a676a0e9de2e7fc
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 6D31A23124278197E714DF13E84871977E4F744B98F16891EEE9A0778ADB39CA82CF24

Function 000002E991762058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002E9917620D7
WriteFile.KERNEL32 ref: 000002E99176239F
WriteFile.KERNEL32 ref: 000002E9917623E5
GetLastError.KERNEL32 ref: 000002E99176249B

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: d17a5b66f24651ba47f914fd9a9177c7c4c5eae1cb0dd37e5dc1cb50b43e6a1d
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: 0DD10132B14AC18AE751CFBAD4483DC3BB1F3547D8F12821ACE5997B9ADA34C486CB51

Function 000002E9917514A4 Relevance: 6.3, APIs: 5, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002E9917514C5
HeapFree.KERNEL32 ref: 000002E9917514D4
GetProcessHeap.KERNEL32 ref: 000002E9917514E1
HeapFree.KERNEL32 ref: 000002E9917514F0
GetProcessHeap.KERNEL32 ref: 000002E991751500

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction ID: 958daf10776be36ad14651f8af9b4503ca9b67d81655b7db465c2faf28d38bcd
Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction Fuzzy Hash: F4015E32641BD1C6D708DF67E90814A77A0F788FC5F85442AEA4A9371ADF38C091CB91

Function 000002E991762980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000002E991762A9C
GetLastError.KERNEL32 ref: 000002E991762B27

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: dea98d673b1eb583a7a563bef56f37ee4aaf8a9f40eb06f1ad15a2b81e6a3132
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: BD91C3727546D285F7A09F66D4483AD3BA0F744BC8F56410FDE0AA7A96DB34C4C2CB22

Function 000002E991757960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000002E99175798C
GetCurrentThreadId.KERNEL32 ref: 000002E99175799A
GetCurrentProcessId.KERNEL32 ref: 000002E9917579A6
QueryPerformanceCounter.KERNEL32 ref: 000002E9917579B6

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 4a3cbd926c2ff67caed56cc86b37f60de1dd5d3bcd68790c06f0eef6869e381a
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 31117322750F418AEB00CF61E8593A833B4F318758F850E26EA6D82795DF78C194C790

Function 000002E99175253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002E991752620
StrCpyW.SHLWAPI ref: 000002E991752639

Strings

\\.\pipe\, xrefs: 000002E99175262B

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 1f9f842b75453c5857f6b2e56ffc77b939292a8ca7035f958eb5257443a8da6b
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: EE71B4362407C2C6E765DF27D8483AA6794F389B84F46042FDE0A53B9ADF35C685CB20

Function 000002E991729E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002E991729EB7

Strings

MOC, xrefs: 000002E991729E7C
RCC, xrefs: 000002E991729E85

Memory Dump Source

Source File: 00000017.00000002.2715128142.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991720000_winlogon.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 84d4d0f52c9fe8424e130a51802f206c56cb391b230e05c660d89bf47d82b7fc
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: E6618633601B858AE720DF66D4443AD77B0F348B88F09451AEF4917B99DB38D596CB10

Function 000002E991752330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002E991752416
StrCpyW.SHLWAPI ref: 000002E99175242D

Strings

\\.\pipe\, xrefs: 000002E991752421

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: f62a7e3c712747ec3032839da713c06c279082095f181f860e761592c369468b
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 4A51F8326843C3C1E6749A2BE05C36A6B61F385784F56012FDD9A03B5BDB39C984CFA0

Function 000002E9917626F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002E991762807
GetLastError.KERNEL32 ref: 000002E991762829

Strings

U, xrefs: 000002E9917627B3

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 3c3291cdee80793f077ca875b2c93d8f285802d27222ba8780e6ad337528432c
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 8541D532755B8282DB60CF26E8487A977A0F3987D4F92402AEE4DC7785EB3CC481CB51

Function 000002E9917594A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002E9917594F0
RaiseException.KERNEL32 ref: 000002E991759531

Strings

csm, xrefs: 000002E99175951E

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 207757b0be7941945bbc5168ef3fd331411ff0e9450000233a5a2120af0f3481
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 01114F32215B8182EB618F16F44435A77E5F788B98F594229EF8C47759EF3CC591CB00

Function 000002E991727356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002E99172737C

Strings

ierarchy Descriptor', xrefs: 000002E991727381
riptor at (, xrefs: 000002E991727364

Memory Dump Source

Source File: 00000017.00000002.2715128142.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991720000_winlogon.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: a257186f3850c7b0ed0a211b5e55a5bcdb9ea12776083c4015b6f529102d0367
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 16E08661681B8990DF018F62E84429833A0EB59B64B499123995C06312FA38D2FAC720

Function 000002E9917273B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002E9917273D8

Strings

Locator', xrefs: 000002E9917273DD
riptor at (, xrefs: 000002E9917273C0

Memory Dump Source

Source File: 00000017.00000002.2715128142.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991720000_winlogon.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 666d30d5e13efd7c2989cd14f499e6fcad5fce96985e36ef4ac7ff9aefadf28a
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: CFE0CD61641B89C0DF018F62E44019873A0F759B54F8AD123CD4C07312FB38D2E6C720

Function 000002E991751BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002E991751C2D
HeapAlloc.KERNEL32 ref: 000002E991751C3B
GetProcessHeap.KERNEL32 ref: 000002E991751C77
HeapFree.KERNEL32 ref: 000002E991751C85

Part of subcall function 000002E99175152C: StrCmpIW.SHLWAPI ref: 000002E99175155D

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: d4a5e8aca712c33a79de3256f17f9e0da43bbae3851e7c4569dd7d8c7212e1c3
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: FD119125641B8581EA44DB67E40C22973A1FB89FC1F5A402EDE4E93767DF39C482C750

Function 000002E991751268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002E99175126E
HeapAlloc.KERNEL32 ref: 000002E99175127D
GetProcessHeap.KERNEL32 ref: 000002E991751297
HeapAlloc.KERNEL32 ref: 000002E9917512A8

Memory Dump Source

Source File: 00000017.00000002.2716006104.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 1436bcb16dbf9b340cef29a2e619caaeb5be8261704b43b7e2ccef2ff9d21f13
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 9EE06D35641645C7EB088F63D80C34A36E1FB89F86F86C028C90987352DF7D84D9CBA1

Analysis Process: lsass.exePID: 640, Parent PID: 7188COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	142
Total number of Limit Nodes:	10

Executed Functions

Function 00000213BDCE253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32 ref: 00000213BDCE2620
StrCpyW.SHLWAPI ref: 00000213BDCE2639

Strings

\\.\pipe\, xrefs: 00000213BDCE262B

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 402ccc82d5c6591d2abd376835e1d3f6cc6d53c76c666844c3b5344b78894b12
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: 1371C6B620879987EF24DF25D8483EAA796F3A978CF540036DD0943B89FE36D7458700

Function 00000213BDCE202C Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 00000213BDCE20C6

Part of subcall function 00000213BDCE2F04: GetProcessHeap.KERNEL32 ref: 00000213BDCE2F27
Part of subcall function 00000213BDCE2F04: HeapAlloc.KERNEL32 ref: 00000213BDCE2F3A
Part of subcall function 00000213BDCE2F04: StrCmpNIW.SHLWAPI ref: 00000213BDCE2FAF
Part of subcall function 00000213BDCE2F04: GetProcessHeap.KERNEL32 ref: 00000213BDCE3015
Part of subcall function 00000213BDCE2F04: HeapFree.KERNEL32 ref: 00000213BDCE3023

Strings

dialer, xrefs: 00000213BDCE20BF
S, xrefs: 00000213BDCE21E7

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: S$dialer
API String ID: 756756679-3873981283
Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
Instruction ID: 01a705c1139b4e3a3236aaa51ba8ea78d077b3526d5db40ec5641de093292221
Opcode Fuzzy Hash: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
Instruction Fuzzy Hash: C951B2B2B1862887EF61CF25D8487EDA3E6F72879CF459021DE0552B85EB36EB51C300

Function 00000213BDCE1A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000213BDCE1A60
StrCmpNIW.SHLWAPI ref: 00000213BDCE1A7A
lstrlenW.KERNEL32 ref: 00000213BDCE1A89
StrCpyW.SHLWAPI ref: 00000213BDCE1A9E

Strings

\\?\, xrefs: 00000213BDCE1A6E

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 9a3ceae17c6c449fcd09eca06c2232397e8d057c9f4e4c09271c551668b01824
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 4AF0317230864592EF70CB21E8887D96762F768B9CF945020DA494A558EB3DC74DCB00

Function 00000213BDCE1000 Relevance: 5.0, APIs: 4, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000213BDCE1006
HeapAlloc.KERNEL32 ref: 00000213BDCE1015
GetProcessHeap.KERNEL32 ref: 00000213BDCE1028
HeapAlloc.KERNEL32 ref: 00000213BDCE1037

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5b325dc3880ca3c93f8f4c7f4460fba72f6c1ea06a067b14687c409243df247f
Instruction ID: f613eb4a6c9d5595687b5f6d6db476b834a7316b017e4d15599aea490d94b422
Opcode Fuzzy Hash: 5b325dc3880ca3c93f8f4c7f4460fba72f6c1ea06a067b14687c409243df247f
Instruction Fuzzy Hash: 5FE0ED7565160486EB08DB62D8082DA76B2FB98B1AF44C024C9090B315EE3A8699C610

Function 00000213BDCE328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000213BDCE32AE
PathFindFileNameW.SHLWAPI ref: 00000213BDCE32BD

Part of subcall function 00000213BDCE3844: StrCmpNIW.SHLWAPI ref: 00000213BDCE385C

Part of subcall function 00000213BDCE3790: GetModuleHandleW.KERNEL32 ref: 00000213BDCE379E
Part of subcall function 00000213BDCE3790: GetCurrentProcess.KERNEL32 ref: 00000213BDCE37CC
Part of subcall function 00000213BDCE3790: VirtualProtectEx.KERNEL32 ref: 00000213BDCE37EE
Part of subcall function 00000213BDCE3790: GetCurrentProcess.KERNEL32 ref: 00000213BDCE3809
Part of subcall function 00000213BDCE3790: VirtualProtectEx.KERNEL32 ref: 00000213BDCE382A

CreateThread.KERNEL32 ref: 00000213BDCE330B

Part of subcall function 00000213BDCE1D14: GetCurrentThread.KERNEL32 ref: 00000213BDCE1D1F

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 5d40ba2aa3b61c65a6b29e875bc405932eba3ae14eb689a115a8dbd4c5664118
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 3411E1B161CA0883FF20D720F80DBE92297ABB430EF5001389946451A6FF3BF3488254

Function 00000213BDCE1ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000213BDCE1628: GetProcessHeap.KERNEL32 ref: 00000213BDCE1633
Part of subcall function 00000213BDCE1628: HeapAlloc.KERNEL32 ref: 00000213BDCE1642
Part of subcall function 00000213BDCE1628: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE16B2
Part of subcall function 00000213BDCE1628: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE16DF
Part of subcall function 00000213BDCE1628: RegCloseKey.ADVAPI32 ref: 00000213BDCE16F9
Part of subcall function 00000213BDCE1628: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1719
Part of subcall function 00000213BDCE1628: RegCloseKey.ADVAPI32 ref: 00000213BDCE1734
Part of subcall function 00000213BDCE1628: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1754
Part of subcall function 00000213BDCE1628: RegCloseKey.ADVAPI32 ref: 00000213BDCE176F
Part of subcall function 00000213BDCE1628: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE178F
Part of subcall function 00000213BDCE1628: RegCloseKey.ADVAPI32 ref: 00000213BDCE17AA
Part of subcall function 00000213BDCE1628: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE17CA

Sleep.KERNEL32 ref: 00000213BDCE1AD7
SleepEx.KERNELBASE ref: 00000213BDCE1ADD

Part of subcall function 00000213BDCE1628: RegCloseKey.ADVAPI32 ref: 00000213BDCE17E5
Part of subcall function 00000213BDCE1628: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1805
Part of subcall function 00000213BDCE1628: RegCloseKey.ADVAPI32 ref: 00000213BDCE1820
Part of subcall function 00000213BDCE1628: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1840
Part of subcall function 00000213BDCE1628: RegCloseKey.ADVAPI32 ref: 00000213BDCE185B
Part of subcall function 00000213BDCE1628: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE187B
Part of subcall function 00000213BDCE1628: RegCloseKey.ADVAPI32 ref: 00000213BDCE1896
Part of subcall function 00000213BDCE1628: RegCloseKey.ADVAPI32 ref: 00000213BDCE18A0

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 5c1e5f493c3240c0c1d6ba6cc6eea2f3c80886ee07ec0849ec39ecbda1c65d01
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 2D31F0F120964943FF50DB26DA593E913A6ABA4BCCF0474319E098B695FE36E771C310

Function 00000213BDCB273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000213BDCB285E

Memory Dump Source

Source File: 0000001C.00000002.2736461371.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdcb0000_lsass.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 62858d15b17bcbc33b2ca6a6066d80486455f950e6546258cbebb37c44571cfa
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: AF61E132B4969887EF54CF1590087ADB3A3F764BACF588125DE5D07788EA3ADA53C700

Non-executed Functions

Function 00000213BDCE2B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00000213BDCE2BD0
lstrlenW.KERNEL32 ref: 00000213BDCE2E0A

Part of subcall function 00000213BDCE199C: OpenProcess.KERNEL32 ref: 00000213BDCE19C2
Part of subcall function 00000213BDCE199C: K32GetModuleFileNameExW.KERNEL32 ref: 00000213BDCE19E0
Part of subcall function 00000213BDCE199C: PathFindFileNameW.SHLWAPI ref: 00000213BDCE19EF
Part of subcall function 00000213BDCE199C: lstrlenW.KERNEL32 ref: 00000213BDCE19FB
Part of subcall function 00000213BDCE199C: StrCpyW.SHLWAPI ref: 00000213BDCE1A0E
Part of subcall function 00000213BDCE199C: CloseHandle.KERNEL32 ref: 00000213BDCE1A1C

GetProcAddress.KERNEL32 ref: 00000213BDCE2BE5

Part of subcall function 00000213BDCE152C: StrCmpIW.SHLWAPI ref: 00000213BDCE155D

Part of subcall function 00000213BDCE3844: StrCmpNIW.SHLWAPI ref: 00000213BDCE385C

StrCmpNIW.SHLWAPI ref: 00000213BDCE2C28
lstrlenW.KERNEL32 ref: 00000213BDCE2D50

Strings

NtQueryObject, xrefs: 00000213BDCE2BDB
\Device\Nsi, xrefs: 00000213BDCE2C1B
ntdll.dll, xrefs: 00000213BDCE2BC9

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: 5807444a8450fc688cd656404e5327faf8bf80d9ed4d8e3fcbe0e129d3a2233c
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 16B190B2219A9883EF65CF25D4487E9A3A6FB68B8DF445026DE0953794FB36DF40C340

Function 00000213BDCE7D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000213BDCE7DAC
RtlCaptureContext.NTDLL ref: 00000213BDCE7DD9
RtlLookupFunctionEntry.NTDLL ref: 00000213BDCE7DF3
RtlVirtualUnwind.NTDLL ref: 00000213BDCE7E34
IsDebuggerPresent.KERNEL32 ref: 00000213BDCE7E88
SetUnhandledExceptionFilter.KERNEL32 ref: 00000213BDCE7EA9
UnhandledExceptionFilter.KERNEL32 ref: 00000213BDCE7EB4

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: b5ca2973510a18e9044a362400021c8bf4fd35d0e5851b09ad40746068c8bd5a
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: E9311772209A848AEB60DF60E8847EE7366F79474CF44442ADA4E57A98EF39C748C710

Function 00000213BDCED2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000213BDCED31D
RtlLookupFunctionEntry.NTDLL ref: 00000213BDCED335
RtlVirtualUnwind.NTDLL ref: 00000213BDCED370
IsDebuggerPresent.KERNEL32 ref: 00000213BDCED3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 00000213BDCED3B3
UnhandledExceptionFilter.KERNEL32 ref: 00000213BDCED3BE

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 8c31cb887ca66331edc06f01b646ec043365c389dcc0a630b6fed02098722ee4
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 6B319E76218B8086EB60CF25E8443DE73A1F79975CF500126EA9D47B99EF39C75ACB00

Function 00000213BDCE1628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000213BDCE1633
HeapAlloc.KERNEL32 ref: 00000213BDCE1642

Part of subcall function 00000213BDCE1268: GetProcessHeap.KERNEL32 ref: 00000213BDCE126E
Part of subcall function 00000213BDCE1268: HeapAlloc.KERNEL32 ref: 00000213BDCE127D
Part of subcall function 00000213BDCE1268: GetProcessHeap.KERNEL32 ref: 00000213BDCE1297
Part of subcall function 00000213BDCE1268: HeapAlloc.KERNEL32 ref: 00000213BDCE12A8

Part of subcall function 00000213BDCE1000: GetProcessHeap.KERNEL32 ref: 00000213BDCE1006
Part of subcall function 00000213BDCE1000: HeapAlloc.KERNEL32 ref: 00000213BDCE1015
Part of subcall function 00000213BDCE1000: GetProcessHeap.KERNEL32 ref: 00000213BDCE1028
Part of subcall function 00000213BDCE1000: HeapAlloc.KERNEL32 ref: 00000213BDCE1037

RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE16B2
RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE16DF
RegCloseKey.ADVAPI32 ref: 00000213BDCE16F9
RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1719
RegCloseKey.ADVAPI32 ref: 00000213BDCE1734
RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1754
RegCloseKey.ADVAPI32 ref: 00000213BDCE176F
RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE178F
RegCloseKey.ADVAPI32 ref: 00000213BDCE17AA
RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE17CA
RegCloseKey.ADVAPI32 ref: 00000213BDCE17E5
RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1805
RegCloseKey.ADVAPI32 ref: 00000213BDCE1820
RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1840
RegCloseKey.ADVAPI32 ref: 00000213BDCE185B
RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE187B
RegCloseKey.ADVAPI32 ref: 00000213BDCE1896
RegCloseKey.ADVAPI32 ref: 00000213BDCE18A0

Part of subcall function 00000213BDCE12BC: RegQueryInfoKeyW.ADVAPI32 ref: 00000213BDCE1319
Part of subcall function 00000213BDCE12BC: GetProcessHeap.KERNEL32 ref: 00000213BDCE1327
Part of subcall function 00000213BDCE12BC: HeapAlloc.KERNEL32 ref: 00000213BDCE1338
Part of subcall function 00000213BDCE12BC: RegEnumValueW.ADVAPI32 ref: 00000213BDCE1397
Part of subcall function 00000213BDCE12BC: GetProcessHeap.KERNEL32 ref: 00000213BDCE13DF
Part of subcall function 00000213BDCE12BC: HeapAlloc.KERNEL32 ref: 00000213BDCE13ED
Part of subcall function 00000213BDCE12BC: GetProcessHeap.KERNEL32 ref: 00000213BDCE140A
Part of subcall function 00000213BDCE12BC: HeapFree.KERNEL32 ref: 00000213BDCE1418
Part of subcall function 00000213BDCE12BC: lstrlenW.KERNEL32 ref: 00000213BDCE1421
Part of subcall function 00000213BDCE12BC: GetProcessHeap.KERNEL32 ref: 00000213BDCE142F
Part of subcall function 00000213BDCE12BC: HeapAlloc.KERNEL32 ref: 00000213BDCE143D

Strings

tcp_remote, xrefs: 00000213BDCE1839
pid, xrefs: 00000213BDCE1712
process_names, xrefs: 00000213BDCE174D
udp, xrefs: 00000213BDCE1874
startup, xrefs: 00000213BDCE16D5
service_names, xrefs: 00000213BDCE17C3
paths, xrefs: 00000213BDCE1788
tcp_local, xrefs: 00000213BDCE17FE
SOFTWARE\dialerconfig, xrefs: 00000213BDCE1692

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 9ce6f8576089a91c0a41a3022284374a307a37465a46bb01b2766921063186a7
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: BE712A76318A5486EF10DF22E848AD923A6F7A4B8CF402121DE4E47B6DEF36C758C744

Function 00000213BDCE12BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000213BDCE1319
GetProcessHeap.KERNEL32 ref: 00000213BDCE1327
HeapAlloc.KERNEL32 ref: 00000213BDCE1338
RegEnumValueW.ADVAPI32 ref: 00000213BDCE1397

Part of subcall function 00000213BDCE152C: StrCmpIW.SHLWAPI ref: 00000213BDCE155D

GetProcessHeap.KERNEL32 ref: 00000213BDCE13DF
HeapAlloc.KERNEL32 ref: 00000213BDCE13ED
GetProcessHeap.KERNEL32 ref: 00000213BDCE140A
HeapFree.KERNEL32 ref: 00000213BDCE1418
lstrlenW.KERNEL32 ref: 00000213BDCE1421
GetProcessHeap.KERNEL32 ref: 00000213BDCE142F
HeapAlloc.KERNEL32 ref: 00000213BDCE143D
StrCpyW.SHLWAPI ref: 00000213BDCE145F
GetProcessHeap.KERNEL32 ref: 00000213BDCE1476
HeapFree.KERNEL32 ref: 00000213BDCE1484

Strings

d, xrefs: 00000213BDCE135A

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: 7e46c3b6a7d5331c3c7ee4b2a60feacf72bead3f45980719ba22298b4a17c25e
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: 42514D76208B8487EB54CF62E5483DA77A2F799F9DF448124DA4A0B758EF3DC259CB00

Function 00000213BDCE1D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00000213BDCE1D1F

Part of subcall function 00000213BDCE1FD4: GetModuleHandleA.KERNEL32 ref: 00000213BDCE1FEC
Part of subcall function 00000213BDCE1FD4: GetProcAddress.KERNEL32 ref: 00000213BDCE1FFD

Part of subcall function 00000213BDCE5B30: GetCurrentThreadId.KERNEL32 ref: 00000213BDCE5B6B

Strings

EnumServiceGroupW, xrefs: 00000213BDCE1DF0
EnumServicesStatusExW, xrefs: 00000213BDCE1E11, 00000213BDCE1E32
sechost.dll, xrefs: 00000213BDCE1E39
NtResumeThread, xrefs: 00000213BDCE1D62
NtQuerySystemInformation, xrefs: 00000213BDCE1D45
ntdll.dll, xrefs: 00000213BDCE1D2D
NtDeviceIoControlFile, xrefs: 00000213BDCE1E56
NtEnumerateValueKey, xrefs: 00000213BDCE1DD6
NtEnumerateKey, xrefs: 00000213BDCE1DB9
NtQueryDirectoryFile, xrefs: 00000213BDCE1D7F
NtQueryDirectoryFileEx, xrefs: 00000213BDCE1D9C
advapi32.dll, xrefs: 00000213BDCE1DF7, 00000213BDCE1E18

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: 8f728ad5951c134e967336f2fc31f6c713d23b700de02865da5b7b8926e8932e
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: D431E3B411998EA2EF01EF65EC697D4A323BB7435CF801023A44D0656AFF7A934DC391

Function 00000213BDCB6910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000213BDCB6938
__scrt_acquire_startup_lock.LIBCMT ref: 00000213BDCB698A
_RTC_Initialize.LIBCMT ref: 00000213BDCB69B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000213BDCB69DE
__scrt_release_startup_lock.LIBCMT ref: 00000213BDCB6A09

Strings

`eh vector copy constructor iterator', xrefs: 00000213BDCB6A3B
`dynamic initializer for ', xrefs: 00000213BDCB69C7
scriptor', xrefs: 00000213BDCB6B39, 00000213BDCB6BB2, 00000213BDCB6BEC
`eh vector vbase copy constructor iterator', xrefs: 00000213BDCB69EE

Memory Dump Source

Source File: 0000001C.00000002.2736461371.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdcb0000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: f8cd9e1dbe3062c5f4ba020bde542ea39c0e4a61bba442b43b9d51f3a524e4ca
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 0781F4317DC24986FE50EB25D4493D966A3E7B4B8CF284025DA494B7D6FB3BCB468700

Function 00000213BDCECE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00000213BDCECE37
FlsGetValue.KERNEL32(?,?,?,00000213BDCF0A6B,?,?,?,00000213BDCF045C,?,?,?,00000213BDCEC84F), ref: 00000213BDCECE4C
FlsSetValue.KERNEL32(?,?,?,00000213BDCF0A6B,?,?,?,00000213BDCF045C,?,?,?,00000213BDCEC84F), ref: 00000213BDCECE6D
FlsSetValue.KERNEL32(?,?,?,00000213BDCF0A6B,?,?,?,00000213BDCF045C,?,?,?,00000213BDCEC84F), ref: 00000213BDCECE9A
FlsSetValue.KERNEL32(?,?,?,00000213BDCF0A6B,?,?,?,00000213BDCF045C,?,?,?,00000213BDCEC84F), ref: 00000213BDCECEAB
FlsSetValue.KERNEL32(?,?,?,00000213BDCF0A6B,?,?,?,00000213BDCF045C,?,?,?,00000213BDCEC84F), ref: 00000213BDCECEBC
SetLastError.KERNEL32 ref: 00000213BDCECED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000213BDCF0A6B,?,?,?,00000213BDCF045C,?,?,?,00000213BDCEC84F), ref: 00000213BDCECF0D
FlsSetValue.KERNEL32(?,?,00000001,00000213BDCEECCC,?,?,?,?,00000213BDCEBF9F,?,?,?,?,?,00000213BDCE7AB0), ref: 00000213BDCECF2C

Part of subcall function 00000213BDCED6CC: HeapAlloc.KERNEL32 ref: 00000213BDCED721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000213BDCF0A6B,?,?,?,00000213BDCF045C,?,?,?,00000213BDCEC84F), ref: 00000213BDCECF54

Part of subcall function 00000213BDCED744: HeapFree.KERNEL32 ref: 00000213BDCED75A
Part of subcall function 00000213BDCED744: GetLastError.KERNEL32 ref: 00000213BDCED764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000213BDCF0A6B,?,?,?,00000213BDCF045C,?,?,?,00000213BDCEC84F), ref: 00000213BDCECF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000213BDCF0A6B,?,?,?,00000213BDCF045C,?,?,?,00000213BDCEC84F), ref: 00000213BDCECF76

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 9cfdffa4e4f0b56bcb752030e4244594aa8fca63efa0d4e671618fb2b64398c0
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: 85418DB424928C43FE68E371565E3F962435BB47BCF144738A83A476D7FE3AAB414600

Function 00000213BDCE2244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000213BDCE2259
GetCurrentProcessId.KERNEL32 ref: 00000213BDCE2263

Part of subcall function 00000213BDCE1934: OpenProcess.KERNEL32 ref: 00000213BDCE1952
Part of subcall function 00000213BDCE1934: IsWow64Process.KERNEL32 ref: 00000213BDCE1968
Part of subcall function 00000213BDCE1934: CloseHandle.KERNEL32 ref: 00000213BDCE1983

CreateFileW.KERNEL32 ref: 00000213BDCE22BC
WriteFile.KERNEL32 ref: 00000213BDCE22E4
ReadFile.KERNEL32 ref: 00000213BDCE2303
CloseHandle.KERNEL32 ref: 00000213BDCE230C

Strings

\\.\pipe\dialerchildproc64, xrefs: 00000213BDCE228C
\\.\pipe\dialerchildproc32, xrefs: 00000213BDCE2293

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 6b7d2558ae4a3ac574cfc8a772d118d668cf07695c60263a9c00d2c5ba11f754
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 2E213D7261864483EF10CB25F44879967A2F799BACF504215EA5906BA8EF3DC349CB04

Function 00000213BDCEA544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000213BDCEA5A1

Part of subcall function 00000213BDCEB414: __GetUnwindTryBlock.LIBCMT ref: 00000213BDCEB457
Part of subcall function 00000213BDCEB414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000213BDCEB47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000213BDCEA679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000213BDCEA8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 00000213BDCEA9DA

Strings

csm, xrefs: 00000213BDCEA5BB
csm, xrefs: 00000213BDCEA69C
csm, xrefs: 00000213BDCEA622

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: a4356b529713084a557e2c4423f012a0144f846992504cd020869ae66375d7b3
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: E0E19BB26087888BEF20DB6594883DD77A6F76578CF100126EA8D97B95EB35E381C704

Function 00000213BDCB9944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000213BDCB99A1

Part of subcall function 00000213BDCBA814: __GetUnwindTryBlock.LIBCMT ref: 00000213BDCBA857
Part of subcall function 00000213BDCBA814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000213BDCBA87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000213BDCB9A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000213BDCB9CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 00000213BDCB9DDA

Strings

csm, xrefs: 00000213BDCB99BB
csm, xrefs: 00000213BDCB9A22
csm, xrefs: 00000213BDCB9A9C

Memory Dump Source

Source File: 0000001C.00000002.2736461371.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdcb0000_lsass.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: f386ab9bdd8cc4c87b67ff9b5e600b282352f279eca3ceb4b3cc66de4f1deea9
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 87E1AD32648B888AEF60DB65D4883DD77A2F769B8CF100115EE8957B99EF36C391C700

Function 00000213BDCEF394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00000213BDCEF510
GetProcAddress.KERNEL32 ref: 00000213BDCEF51C

Strings

ext-ms-, xrefs: 00000213BDCEF46D
api-ms-, xrefs: 00000213BDCEF45A

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: 64b1116dec4a1fc2bb3371278ef814e94841622c5338f0fb36631d38e615d017
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: 7941F6B231AA0442FE16CB56A8087D52393FB65BACF1442399D0D8B789FE3ED7458354

Function 00000213BDCE104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000213BDCE10B1
RegEnumValueW.ADVAPI32 ref: 00000213BDCE1117
GetProcessHeap.KERNEL32 ref: 00000213BDCE115A
HeapAlloc.KERNEL32 ref: 00000213BDCE1168
GetProcessHeap.KERNEL32 ref: 00000213BDCE1185
HeapFree.KERNEL32 ref: 00000213BDCE1193

Strings

d, xrefs: 00000213BDCE10D6

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: c9b898f511c2e52726208957a962c9b291cdc106b1d13140a09b1ea003ed6b20
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: 9E417273218B84C6EB60CF21E4487DE77A2F399B9CF048125DA894B758EF39D659CB00

Function 00000213BDCED068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00000213BDCEC7DE,?,?,?,?,?,?,?,?,00000213BDCECF9D,?,?,00000001), ref: 00000213BDCED087
FlsSetValue.KERNEL32(?,?,?,00000213BDCEC7DE,?,?,?,?,?,?,?,?,00000213BDCECF9D,?,?,00000001), ref: 00000213BDCED0A6
FlsSetValue.KERNEL32(?,?,?,00000213BDCEC7DE,?,?,?,?,?,?,?,?,00000213BDCECF9D,?,?,00000001), ref: 00000213BDCED0CE
FlsSetValue.KERNEL32(?,?,?,00000213BDCEC7DE,?,?,?,?,?,?,?,?,00000213BDCECF9D,?,?,00000001), ref: 00000213BDCED0DF
FlsSetValue.KERNEL32(?,?,?,00000213BDCEC7DE,?,?,?,?,?,?,?,?,00000213BDCECF9D,?,?,00000001), ref: 00000213BDCED0F0

Strings

1%, xrefs: 00000213BDCED0CE
Y%, xrefs: 00000213BDCED0A6

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: 19c205c0411bc615aa3bccdf6f4f64bbad6ab17fba574e3ff0c824cae7453082
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: 801184B070D24843FD64D725655E3E962475BB43FCF188338A87D466DAFE3AE7024600

Function 00000213BDCE7510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000213BDCE7538
__scrt_acquire_startup_lock.LIBCMT ref: 00000213BDCE758A
_RTC_Initialize.LIBCMT ref: 00000213BDCE75B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000213BDCE75DE
__scrt_release_startup_lock.LIBCMT ref: 00000213BDCE7609

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 551094e2023b39dc9ace01dde74fdb1ba5573d69ed1bde9d232f088fcbd9e271
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 2B81D3B160C24987FE60EB66A44D3D92293ABB578CF344439E944477D6FB3BEB468700

Function 00000213BDCE9DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00000213BDCE9E49
GetLastError.KERNEL32 ref: 00000213BDCE9E57
LoadLibraryExW.KERNEL32 ref: 00000213BDCE9E81
FreeLibrary.KERNEL32 ref: 00000213BDCE9EC7
GetProcAddress.KERNEL32 ref: 00000213BDCE9ED3

Strings

api-ms-, xrefs: 00000213BDCE9E69

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 4d4d0faf7020efbe67ed0a855dfe3d6003a087379504cbf48fb87940a6e137d3
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 6631C57121A744D2EE25DB42A4087D57296F768BACF590935DE1E0B394FF3AE7458300

Function 00000213BDCF3DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000213BDCF3DE5
GetLastError.KERNEL32 ref: 00000213BDCF3DF1
CloseHandle.KERNEL32 ref: 00000213BDCF3E09
CreateFileW.KERNEL32 ref: 00000213BDCF3E34
WriteConsoleW.KERNEL32 ref: 00000213BDCF3E53

Strings

CONOUT$, xrefs: 00000213BDCF3E15

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: 1e37ad57197f2f5fd627e52480ce6183fe70d503e9319598513a9094b24cedb1
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: DC118631718B4086EB50CB52F8583D976A1F7A8FECF144214EE5A8B798EF39C7188744

Function 00000213BDCE3790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000213BDCE379E
GetCurrentProcess.KERNEL32 ref: 00000213BDCE37CC
VirtualProtectEx.KERNEL32 ref: 00000213BDCE37EE
GetCurrentProcess.KERNEL32 ref: 00000213BDCE3809
VirtualProtectEx.KERNEL32 ref: 00000213BDCE382A

Strings

wr, xrefs: 00000213BDCE37FF

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 12712e2fa7eb8b967a2fcefc972e563151717b3967eefe160898bd9f6f4aa3e4
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: E7115A76308B4583EF14DB11E4082A962B2F799B8DF14012ADE890B758FF3ED709C704

Function 00000213BDCE5B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000213BDCE5B6B
GetThreadContext.KERNEL32 ref: 00000213BDCE5CD5

Part of subcall function 00000213BDCE5960: GetCurrentThreadId.KERNEL32 ref: 00000213BDCE5964

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: 3446894e02afeb19a9966952644c75a0c5e86968940c19ee8a431a5bd0db41b7
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: B6D18176219B4882DA70DB06E49439A7BA1F7D8B8CF100126EACD47BA9DF3DD751CB40

Function 00000213BDCE2F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000213BDCE2F27
HeapAlloc.KERNEL32 ref: 00000213BDCE2F3A
StrCmpNIW.SHLWAPI ref: 00000213BDCE2FAF
GetProcessHeap.KERNEL32 ref: 00000213BDCE3015
HeapFree.KERNEL32 ref: 00000213BDCE3023

Strings

dialer, xrefs: 00000213BDCE2FA8

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 44251474c1ee8a42ccd6e3d1f93cc1b766dec72a69286a1cba37760e0419152a
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: FC31B572709B59C3EE14CF1695487A9A7A2FB68B8CF044030AE4807B55FF36E7658700

Function 00000213BDCECFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000213BDCECFAF
FlsSetValue.KERNEL32(?,?,?,00000213BDCED6B5,?,?,?,?,00000213BDCED778), ref: 00000213BDCECFE5
FlsSetValue.KERNEL32(?,?,?,00000213BDCED6B5,?,?,?,?,00000213BDCED778), ref: 00000213BDCED012
FlsSetValue.KERNEL32(?,?,?,00000213BDCED6B5,?,?,?,?,00000213BDCED778), ref: 00000213BDCED023
FlsSetValue.KERNEL32(?,?,?,00000213BDCED6B5,?,?,?,?,00000213BDCED778), ref: 00000213BDCED034
SetLastError.KERNEL32 ref: 00000213BDCED04F

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 77ac6954afd6c966781107e5719d7c64fe3f53195b268d9a5bd80fbe793f95d1
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: 08118EB024D28843FE24D321665E3E962435BB47BCF144738A87A477DAFE3AAB018700

Function 00000213BDCE199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000213BDCE19C2
K32GetModuleFileNameExW.KERNEL32 ref: 00000213BDCE19E0
PathFindFileNameW.SHLWAPI ref: 00000213BDCE19EF
lstrlenW.KERNEL32 ref: 00000213BDCE19FB
StrCpyW.SHLWAPI ref: 00000213BDCE1A0E
CloseHandle.KERNEL32 ref: 00000213BDCE1A1C

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: 3eb0d0c2679584ddfa503f59038269ae77ed88556fc385ff5f1d0553037a01c9
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: F0015B71308A4482EA20DB52A4487D963A2F798BCCF588035DE4A47758EF39CB49C700

Function 00000213BDCE36C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000213BDCE36E4
GetCurrentProcess.KERNEL32 ref: 00000213BDCE36F2
VirtualProtectEx.KERNEL32 ref: 00000213BDCE3714
GetCurrentProcess.KERNEL32 ref: 00000213BDCE3732
VirtualProtectEx.KERNEL32 ref: 00000213BDCE3753
TerminateThread.KERNEL32 ref: 00000213BDCE3762

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 88d3306e3c19d980f3158101e8290f900e8424f24f65f37777eb6f4afb0b7499
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 0B015B7421AB4482EF24DB21F81D79632A2FB65B8EF140428C9890B758FF3EC7088714

Function 00000213BDCE8FE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000213BDCE9013
_IsNonwritableInCurrentImage.LIBCMT ref: 00000213BDCE90A8
RtlUnwindEx.NTDLL ref: 00000213BDCE90F7

Strings

csm, xrefs: 00000213BDCE908E
f, xrefs: 00000213BDCE9026

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction ID: 6fb5bacd63384bb3f90134f8c5460c85208d4914d2655ed1bad9711df1c3dd6d
Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction Fuzzy Hash: 22518BB26096048BEF14CB25E84CB9937A7F369B8CF508524DA1687788FF36EB41C740

Function 00000213BDCEBC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000213BDCEBCBD
GetProcAddress.KERNEL32 ref: 00000213BDCEBCD3
FreeLibrary.KERNEL32 ref: 00000213BDCEBCFA

Strings

mscoree.dll, xrefs: 00000213BDCEBCB4
CorExitProcess, xrefs: 00000213BDCEBCCC

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 540f723a61500467f8a8b8c4ca4f47b4269590684ce67fd343b054dd3f87c0fa
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: EEF0627121960582EF14CF24E44D3E96363EBA576DF540229CA6A492E8EF3EC34CC300

Function 00000213BDCE3044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 00000213BDCE3066
StrCpyW.SHLWAPI ref: 00000213BDCE3076
StrCatW.SHLWAPI ref: 00000213BDCE3082
PathCombineW.SHLWAPI ref: 00000213BDCE3090

Strings

\\.\pipe\, xrefs: 00000213BDCE305C

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 143933a49c9e38150b676d3b6c803f89c80bf75aa8c52dce601b1f25c80bbb55
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 13F0F874718B8482EE14CB52B9181D96662AB68FDDF089130EE4A4BB18EE3DD74D8700

Function 00000213BDCE50D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000213BDCE5156

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: ff1cd853ef15dbd82275a915282ff6a598436b67fb0be58782aaa7236b1550e1
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: 3502EF7221DB8486DB60CB55F45439ABBA1F3D4798F100125EACE87BA9DF7DDA44CB00

Function 00000213BDCE5710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000213BDCE5726

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: d223e9dcadd96ac9e86b04a6cfbd1f11c297519e412362c6c507cdbf370bb6f3
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: 4361DC7652CB44C7EA60CB15E45835A7BA1F39478CF500129E68E87BA8EB7DDB51CF00

Function 00000213BDCF4104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000213BDCF412C
_set_statfp.LIBCMT ref: 00000213BDCF4147
_set_statfp.LIBCMT ref: 00000213BDCF4163
_set_statfp.LIBCMT ref: 00000213BDCF419F

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: f9e4e7116411792c9900663e4fd0b77c758cabd73c1539257dc2faf97d7e1066
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: C311C132A1CA4711FF649568D4DD3E511436B783BCF188A24E9764E6DEEB36CB4C4200

Function 00000213BDCC3504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000213BDCC352C
_set_statfp.LIBCMT ref: 00000213BDCC3547
_set_statfp.LIBCMT ref: 00000213BDCC3563
_set_statfp.LIBCMT ref: 00000213BDCC359F

Memory Dump Source

Source File: 0000001C.00000002.2736461371.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdcb0000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: d2d7dd6e1439f03189a3226a9b5cce41787e5537534634c01bb2080864e62fb7
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: D711E73265CE0101FE949328F44E3E910836B79B7CF4D4728AF66063D6FA36DB4042C1

Function 00000213BDCE9650 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000213BDCE966F
SetLastError.KERNEL32 ref: 00000213BDCE96F6

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 46c896f13dff0714c7ccebb8ca9383bb675cc38bcf091c92c481f4a556b8b138
Instruction ID: 32291ebe63344caa2b2a00819642319f6feb277e8a2eeb88ccaa8891375a908e
Opcode Fuzzy Hash: 46c896f13dff0714c7ccebb8ca9383bb675cc38bcf091c92c481f4a556b8b138
Instruction Fuzzy Hash: 4311B4B021925843FE60DB61A84D3E832976BA47ECF044635E966477DAFE3AEB41C300

Function 00000213BDCBF040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000213BDCBF124

Strings

Wednesday, xrefs: 00000213BDCBF1ED
Tuesday, xrefs: 00000213BDCBF0F4
or copy constructor iterator', xrefs: 00000213BDCBF25A, 00000213BDCBF275

Memory Dump Source

Source File: 0000001C.00000002.2736461371.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdcb0000_lsass.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: dd33b7bdeea741fb6d5fb3879698249c2b400a189a1bb143957139dfcfd1a244
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: E561F73668E20842FE6ACB28E54C3EE6BA3E77174CF545815CA46177A5FB37CB418301

Function 00000213BDCEAA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000213BDCEAA68
_CallSETranslator.LIBVCRUNTIME ref: 00000213BDCEAAB7

Strings

MOC, xrefs: 00000213BDCEAA7C
RCC, xrefs: 00000213BDCEAA85

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 1fa883078d8b0df735174c791d3315410991ce76529377e33f37aec33171b3e6
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 876179B3608B88CAEB10DF65D0443DD77A2F364B8CF144225EE4957B98EB39E284C704

Function 00000213BDCEAD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000213BDCEADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000213BDCEAE88

Strings

csm, xrefs: 00000213BDCEADC2
csm, xrefs: 00000213BDCEAEDA

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 3c048601c7fcc0ffe57f7261eab226645e3cc41df1823d05877d79c368e95740
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: FD515FB2108388CFEF64CB159588399B7A2F364B8DF184125EA5D87B95EB39E760C704

Function 00000213BDCBA178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000213BDCBA1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000213BDCBA288

Strings

csm, xrefs: 00000213BDCBA1C2
csm, xrefs: 00000213BDCBA2DA

Memory Dump Source

Source File: 0000001C.00000002.2736461371.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdcb0000_lsass.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: f6b80d2922ff79a09da4c367b45cc3c1b98fc3b25da29179d71979c1a959d6c1
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: E351AF32188288CAEF64CB15D44839C77A2F365B8CF185116DACD87BD5EB7AD750C709

Function 00000213BDCB8405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000213BDCB8413
_IsNonwritableInCurrentImage.LIBCMT ref: 00000213BDCB84A8

Strings

csm, xrefs: 00000213BDCB848E
f, xrefs: 00000213BDCB8426

Memory Dump Source

Source File: 0000001C.00000002.2736461371.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdcb0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: dc5653ac438f2d6e495d45b1ca0cfa69a93c7d117f4fad526aed404aa48302df
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 2D51ED327592088AEF19CF15E448B9837A6FB68B9CF548024DA0643788FB36DF458B08

Function 00000213BDCB83E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000213BDCB8413
_IsNonwritableInCurrentImage.LIBCMT ref: 00000213BDCB84A8

Strings

csm, xrefs: 00000213BDCB848E
f, xrefs: 00000213BDCB8426

Memory Dump Source

Source File: 0000001C.00000002.2736461371.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdcb0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 82ec953c2abcd69afeb9a379956e593d8954b52f8e7d0185f21bbf325504b95f
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: A331C23165974486EF19DF11E8487993BA6FB68F8CF058014EE5B03788EB3ACB41CB48

Function 00000213BDCF2058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000213BDCF20D7
WriteFile.KERNEL32 ref: 00000213BDCF239F
WriteFile.KERNEL32 ref: 00000213BDCF23E5
GetLastError.KERNEL32 ref: 00000213BDCF249B

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: d0ae188cb9208859d57580f57e68af91c772b1affd1422831023fc799dab810f
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: BAD1E272718A808AEB11CFA5D4443DC7BB2F36579CF108216CE599BB9DEA35C70AC740

Function 00000213BDCE14A4 Relevance: 6.3, APIs: 5, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000213BDCE14C5
HeapFree.KERNEL32 ref: 00000213BDCE14D4
GetProcessHeap.KERNEL32 ref: 00000213BDCE14E1
HeapFree.KERNEL32 ref: 00000213BDCE14F0
GetProcessHeap.KERNEL32 ref: 00000213BDCE1500

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction ID: 31cca27c97c10b50b0d1f4af92040512d4615bcca040e4e08102490f9d85dd7c
Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction Fuzzy Hash: 91015A32648B94C6EB04DF66E9081CA77B2F798F8DF048425EA4A47729EE39D255C740

Function 00000213BDCF2980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 00000213BDCF2A9C
GetLastError.KERNEL32 ref: 00000213BDCF2B27

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: 0ed097bee9c2838b483cb9f14b03d6e6f10cfa9755ec3a11846def29111419fb
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: AF91073270865089FF60DF6594483EDBBA2F764B8CF144109DE4A9B69CEB36C78AC700

Function 00000213BDCE7960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000213BDCE798C
GetCurrentThreadId.KERNEL32 ref: 00000213BDCE799A
GetCurrentProcessId.KERNEL32 ref: 00000213BDCE79A6
QueryPerformanceCounter.KERNEL32 ref: 00000213BDCE79B6

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: f3e89c732882dc4be1fda66988cc4488258048f9f4970aa2de9805cb3fbce708
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 80111F32754B0589EF00CB60E8593E833A4F76975CF440D25DAAD86798EB79C3988380

Function 00000213BDCB9E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000213BDCB9EB7

Strings

RCC, xrefs: 00000213BDCB9E85
MOC, xrefs: 00000213BDCB9E7C

Memory Dump Source

Source File: 0000001C.00000002.2736461371.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdcb0000_lsass.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: bbb7cdb92cb596dcb0788d693a3b58d75f0e34908b0e226618241f28b02e5c54
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: ED616A32608B888AEB20DF65D4443DD77A2F768B8CF144215EF8917B98EB79D255C700

Function 00000213BDCE2330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000213BDCE2416
StrCpyW.SHLWAPI ref: 00000213BDCE242D

Strings

\\.\pipe\, xrefs: 00000213BDCE2421

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 188ea66b7bcfd0c47726733c40de34c55d45513101da1f913a5e3211a342359a
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: A151D4B220C78983EE64DE29A55C3FAA753F3AA74CF440135DD5903B49EA3BE7058780

Function 00000213BDCF26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000213BDCF2807
GetLastError.KERNEL32 ref: 00000213BDCF2829

Strings

U, xrefs: 00000213BDCF27B3

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 7ca704e4079fb843e18e962332c75f2c7a1687e35e23e5be027c6cd1584b2488
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: D841A572319A8082DB20CF25E4483D9B7A1F7A879CF504121EE8D8B798EB3DC645CB40

Function 00000213BDCE94A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000213BDCE94F0
RaiseException.KERNEL32 ref: 00000213BDCE9531

Strings

csm, xrefs: 00000213BDCE951E

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 450ba37ac19791e17a21ad49c035722d0e53f3451afd1a5ee852b307dddf2d54
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: AC112B32219B8482EB61CB15E44439977E6F798B9CF584220EE8D07768EF3DC655CB00

Function 00000213BDCB7356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00000213BDCB737C

Strings

riptor at (, xrefs: 00000213BDCB7364
ierarchy Descriptor', xrefs: 00000213BDCB7381

Memory Dump Source

Source File: 0000001C.00000002.2736461371.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdcb0000_lsass.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: f4862c4d9b7376f1182d3b6f5f2b365ac3009e22aec70bc65f16aebbe18ce939
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 4EE08671654B4890DF01CF21E8442D833A5DB68B6CB8891229A5C06315FA38D7EBC300

Function 00000213BDCB73B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00000213BDCB73D8

Strings

riptor at (, xrefs: 00000213BDCB73C0
Locator', xrefs: 00000213BDCB73DD

Memory Dump Source

Source File: 0000001C.00000002.2736461371.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdcb0000_lsass.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 27a04a9311f7d125a749bde97889680f3ba368b48a2d80739b1b772cb5aa5af3
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 6FE08C71A54B4880DF02CF21E8802D873A6EB68B6CF889122DA4C06311FA38D7EAC300

Function 00000213BDCE1BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000213BDCE1C2D
HeapAlloc.KERNEL32 ref: 00000213BDCE1C3B
GetProcessHeap.KERNEL32 ref: 00000213BDCE1C77
HeapFree.KERNEL32 ref: 00000213BDCE1C85

Part of subcall function 00000213BDCE152C: StrCmpIW.SHLWAPI ref: 00000213BDCE155D

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: 02eb1687d551be4925cf3a57e29467bdb8e87c8f6b08593b3f3d5ec8add5e525
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: C9118275605B4882EE04DB66A4082A977A2FB99FCCF185024DE4D87765EF3AD652D300

Function 00000213BDCE1268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000213BDCE126E
HeapAlloc.KERNEL32 ref: 00000213BDCE127D
GetProcessHeap.KERNEL32 ref: 00000213BDCE1297
HeapAlloc.KERNEL32 ref: 00000213BDCE12A8

Memory Dump Source

Source File: 0000001C.00000002.2736881956.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_213bdce0000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: ca62a568da37a1804808f6c472a8f8a8754ce746572dadf88ae12087715b600f
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: CCE0393564160486EB04CB62D80838A36E2EB99B0AF04C02489090B355EF7E8699C750

Analysis Process: lrgkmixyjzta.exePID: 2340, Parent PID: 624COMMON

Executed Functions

Function 00007FF61C0A1140 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1484360566.00007FF61C0A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF61C0A0000, based on PE: true

Associated: 0000001D.00000002.1484336293.00007FF61C0A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000001D.00000002.1484382081.00007FF61C0AB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000001D.00000002.1484409869.00007FF61C0AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000001D.00000002.1484434372.00007FF61C0AF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 0000001D.00000002.1484952699.00007FF61C5D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000001D.00000002.1484977655.00007FF61C5DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff61c0a0000_lrgkmixyjzta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
Instruction ID: 0e5c22bc9e7b26d5b1651f83b0919e3ce3844d5e7faa2d17ffed164cc46211f6
Opcode Fuzzy Hash: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
Instruction Fuzzy Hash: 64B09234904A0984E2002B4298412EC22606B88F92F600420C51C42362DF6E90404B10

Analysis Process: svchost.exePID: 920, Parent PID: 7188COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	81
Total number of Limit Nodes:	2

Executed Functions

Function 00000158709D328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000158709D32AE
PathFindFileNameW.SHLWAPI ref: 00000158709D32BD

Part of subcall function 00000158709D3844: StrCmpNIW.SHLWAPI ref: 00000158709D385C

Part of subcall function 00000158709D3790: GetModuleHandleW.KERNEL32 ref: 00000158709D379E
Part of subcall function 00000158709D3790: GetCurrentProcess.KERNEL32 ref: 00000158709D37CC
Part of subcall function 00000158709D3790: VirtualProtectEx.KERNEL32 ref: 00000158709D37EE
Part of subcall function 00000158709D3790: GetCurrentProcess.KERNEL32 ref: 00000158709D3809
Part of subcall function 00000158709D3790: VirtualProtectEx.KERNEL32 ref: 00000158709D382A

CreateThread.KERNEL32 ref: 00000158709D330B

Part of subcall function 00000158709D1D14: GetCurrentThread.KERNEL32 ref: 00000158709D1D1F

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: d10138deb8bbbe3c9e36edbeaa6ef6b6b2d091da5ebc89b531e029dc850f4207
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 9211C43E658E08C2F7609B21FE053D97294B7CC387FB08124990A6D6E6EF78C0468E00

Function 00000158709D1ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000158709D1628: GetProcessHeap.KERNEL32 ref: 00000158709D1633
Part of subcall function 00000158709D1628: HeapAlloc.KERNEL32 ref: 00000158709D1642
Part of subcall function 00000158709D1628: RegOpenKeyExW.ADVAPI32 ref: 00000158709D16B2
Part of subcall function 00000158709D1628: RegOpenKeyExW.ADVAPI32 ref: 00000158709D16DF
Part of subcall function 00000158709D1628: RegCloseKey.ADVAPI32 ref: 00000158709D16F9
Part of subcall function 00000158709D1628: RegOpenKeyExW.ADVAPI32 ref: 00000158709D1719
Part of subcall function 00000158709D1628: RegCloseKey.ADVAPI32 ref: 00000158709D1734
Part of subcall function 00000158709D1628: RegOpenKeyExW.ADVAPI32 ref: 00000158709D1754
Part of subcall function 00000158709D1628: RegCloseKey.ADVAPI32 ref: 00000158709D176F
Part of subcall function 00000158709D1628: RegOpenKeyExW.ADVAPI32 ref: 00000158709D178F
Part of subcall function 00000158709D1628: RegCloseKey.ADVAPI32 ref: 00000158709D17AA
Part of subcall function 00000158709D1628: RegOpenKeyExW.ADVAPI32 ref: 00000158709D17CA

Sleep.KERNEL32 ref: 00000158709D1AD7
SleepEx.KERNELBASE ref: 00000158709D1ADD

Part of subcall function 00000158709D1628: RegCloseKey.ADVAPI32 ref: 00000158709D17E5
Part of subcall function 00000158709D1628: RegOpenKeyExW.ADVAPI32 ref: 00000158709D1805
Part of subcall function 00000158709D1628: RegCloseKey.ADVAPI32 ref: 00000158709D1820
Part of subcall function 00000158709D1628: RegOpenKeyExW.ADVAPI32 ref: 00000158709D1840
Part of subcall function 00000158709D1628: RegCloseKey.ADVAPI32 ref: 00000158709D185B
Part of subcall function 00000158709D1628: RegOpenKeyExW.ADVAPI32 ref: 00000158709D187B
Part of subcall function 00000158709D1628: RegCloseKey.ADVAPI32 ref: 00000158709D1896
Part of subcall function 00000158709D1628: RegCloseKey.ADVAPI32 ref: 00000158709D18A0

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: dd6c86af37df3cdfce808d9367ca0a589ea4c12304fe849a19c5307a2c397293
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: C931B47B244D49E1EB509B36DE513F93394A7CCBD2F2454229E09AF79BEE18C4538A10

Function 00000158709D3844 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 00000158709D385C

Strings

dialer, xrefs: 00000158709D3855

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction ID: 780bff3d9f94a45a4787809db9a9868108e6e80b955a58f819050ff7eb005af9
Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction Fuzzy Hash: 8ED05E79351A09C6FB149FA68CC47A03350AB8C7D6FA89020990019160DF188D9EAE10

Function 00000158709A273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000158709A285E

Memory Dump Source

Source File: 0000001E.00000002.2721983767.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709a0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 917a96bc1d6c895ecea56c2d7ec6bba4e4c507b6cb4fc8ea2b9ce0172117c01a
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 9A61E3BAB09A90C7DB548F19D9007EA7392F7D8B95F248121DE593B784DE38D853EB00

Non-executed Functions

Function 00000158709D2B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00000158709D2BD0
lstrlenW.KERNEL32 ref: 00000158709D2E0A

Part of subcall function 00000158709D199C: OpenProcess.KERNEL32 ref: 00000158709D19C2
Part of subcall function 00000158709D199C: K32GetModuleFileNameExW.KERNEL32 ref: 00000158709D19E0
Part of subcall function 00000158709D199C: PathFindFileNameW.SHLWAPI ref: 00000158709D19EF
Part of subcall function 00000158709D199C: lstrlenW.KERNEL32 ref: 00000158709D19FB
Part of subcall function 00000158709D199C: StrCpyW.SHLWAPI ref: 00000158709D1A0E
Part of subcall function 00000158709D199C: CloseHandle.KERNEL32 ref: 00000158709D1A1C

GetProcAddress.KERNEL32 ref: 00000158709D2BE5

Part of subcall function 00000158709D152C: StrCmpIW.SHLWAPI ref: 00000158709D155D

Part of subcall function 00000158709D3844: StrCmpNIW.SHLWAPI ref: 00000158709D385C

StrCmpNIW.SHLWAPI ref: 00000158709D2C28
lstrlenW.KERNEL32 ref: 00000158709D2D50

Strings

NtQueryObject, xrefs: 00000158709D2BDB
\Device\Nsi, xrefs: 00000158709D2C1B
ntdll.dll, xrefs: 00000158709D2BC9

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: e19b0cfe6a8045a754af9c3da777dccb95321baacbab1f044a34d1dd9148c669
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 4EB1B03A218E58C2EB648F25DC407E973A5FBD8B96F245016EE496B796DF34CC42CB40

Function 00000158709D7D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000158709D7DAC
RtlCaptureContext.NTDLL ref: 00000158709D7DD9
RtlLookupFunctionEntry.NTDLL ref: 00000158709D7DF3
RtlVirtualUnwind.NTDLL ref: 00000158709D7E34
IsDebuggerPresent.KERNEL32 ref: 00000158709D7E88
SetUnhandledExceptionFilter.KERNEL32 ref: 00000158709D7EA9
UnhandledExceptionFilter.KERNEL32 ref: 00000158709D7EB4

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: e7c148938d73b118393facd0308456c1e40248a19777e3d89d8291f9a2c8a452
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 9D313A76205E84CAEB609F60E8403EE7361F788745F54402ADA4D6BBA5EF38C949CB10

Function 00000158709DD2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000158709DD31D
RtlLookupFunctionEntry.NTDLL ref: 00000158709DD335
RtlVirtualUnwind.NTDLL ref: 00000158709DD370
IsDebuggerPresent.KERNEL32 ref: 00000158709DD3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 00000158709DD3B3
UnhandledExceptionFilter.KERNEL32 ref: 00000158709DD3BE

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 059a4172f76ea96128a6440cafd08da1c107212dcb3790aa4d309b172f3a75cd
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: C5315B3A214F84C6DB60CB25E8403DE73A0F7C9799F640126EA9D5BBA5EF38C556CB00

Function 00000158709D1628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000158709D1633
HeapAlloc.KERNEL32 ref: 00000158709D1642

Part of subcall function 00000158709D1268: GetProcessHeap.KERNEL32 ref: 00000158709D126E
Part of subcall function 00000158709D1268: HeapAlloc.KERNEL32 ref: 00000158709D127D
Part of subcall function 00000158709D1268: GetProcessHeap.KERNEL32 ref: 00000158709D1297
Part of subcall function 00000158709D1268: HeapAlloc.KERNEL32 ref: 00000158709D12A8

RegOpenKeyExW.ADVAPI32 ref: 00000158709D16B2
RegOpenKeyExW.ADVAPI32 ref: 00000158709D16DF
RegCloseKey.ADVAPI32 ref: 00000158709D16F9
RegOpenKeyExW.ADVAPI32 ref: 00000158709D1719
RegCloseKey.ADVAPI32 ref: 00000158709D1734
RegOpenKeyExW.ADVAPI32 ref: 00000158709D1754
RegCloseKey.ADVAPI32 ref: 00000158709D176F
RegOpenKeyExW.ADVAPI32 ref: 00000158709D178F
RegCloseKey.ADVAPI32 ref: 00000158709D17AA
RegOpenKeyExW.ADVAPI32 ref: 00000158709D17CA
RegCloseKey.ADVAPI32 ref: 00000158709D17E5
RegOpenKeyExW.ADVAPI32 ref: 00000158709D1805
RegCloseKey.ADVAPI32 ref: 00000158709D1820
RegOpenKeyExW.ADVAPI32 ref: 00000158709D1840
RegCloseKey.ADVAPI32 ref: 00000158709D185B
RegOpenKeyExW.ADVAPI32 ref: 00000158709D187B
RegCloseKey.ADVAPI32 ref: 00000158709D1896
RegCloseKey.ADVAPI32 ref: 00000158709D18A0

Part of subcall function 00000158709D12BC: RegQueryInfoKeyW.ADVAPI32 ref: 00000158709D1319
Part of subcall function 00000158709D12BC: GetProcessHeap.KERNEL32 ref: 00000158709D1327
Part of subcall function 00000158709D12BC: HeapAlloc.KERNEL32 ref: 00000158709D1338
Part of subcall function 00000158709D12BC: RegEnumValueW.ADVAPI32 ref: 00000158709D1397
Part of subcall function 00000158709D12BC: GetProcessHeap.KERNEL32 ref: 00000158709D13DF
Part of subcall function 00000158709D12BC: HeapAlloc.KERNEL32 ref: 00000158709D13ED
Part of subcall function 00000158709D12BC: GetProcessHeap.KERNEL32 ref: 00000158709D140A
Part of subcall function 00000158709D12BC: HeapFree.KERNEL32 ref: 00000158709D1418
Part of subcall function 00000158709D12BC: lstrlenW.KERNEL32 ref: 00000158709D1421
Part of subcall function 00000158709D12BC: GetProcessHeap.KERNEL32 ref: 00000158709D142F
Part of subcall function 00000158709D12BC: HeapAlloc.KERNEL32 ref: 00000158709D143D

Strings

tcp_remote, xrefs: 00000158709D1839
tcp_local, xrefs: 00000158709D17FE
SOFTWARE\dialerconfig, xrefs: 00000158709D1692
process_names, xrefs: 00000158709D174D
udp, xrefs: 00000158709D1874
paths, xrefs: 00000158709D1788
pid, xrefs: 00000158709D1712
service_names, xrefs: 00000158709D17C3
startup, xrefs: 00000158709D16D5

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 0f6089fd75106e825002abacbaf1900165387074937e0fada7e43ed3f6eff390
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 3371183B314E14D6EB109F72EC4079933A5F7C8B8AF101121DA4E6BB29DE34C956CB40

Function 00000158709D12BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000158709D1319
GetProcessHeap.KERNEL32 ref: 00000158709D1327
HeapAlloc.KERNEL32 ref: 00000158709D1338
RegEnumValueW.ADVAPI32 ref: 00000158709D1397

Part of subcall function 00000158709D152C: StrCmpIW.SHLWAPI ref: 00000158709D155D

GetProcessHeap.KERNEL32 ref: 00000158709D13DF
HeapAlloc.KERNEL32 ref: 00000158709D13ED
GetProcessHeap.KERNEL32 ref: 00000158709D140A
HeapFree.KERNEL32 ref: 00000158709D1418
lstrlenW.KERNEL32 ref: 00000158709D1421
GetProcessHeap.KERNEL32 ref: 00000158709D142F
HeapAlloc.KERNEL32 ref: 00000158709D143D
StrCpyW.SHLWAPI ref: 00000158709D145F
GetProcessHeap.KERNEL32 ref: 00000158709D1476
HeapFree.KERNEL32 ref: 00000158709D1484

Strings

d, xrefs: 00000158709D135A

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: eb3ce238f31fcb04bd06a980f3a210d1e24ed5b83b152061e04dc28651e22d57
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: E5513A3B208B84D6EB55CF62E84839A77A1F7C9BDAF144124DA491B729DF38C456CB00

Function 00000158709D1D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00000158709D1D1F

Part of subcall function 00000158709D1FD4: GetModuleHandleA.KERNEL32 ref: 00000158709D1FEC
Part of subcall function 00000158709D1FD4: GetProcAddress.KERNEL32 ref: 00000158709D1FFD

Part of subcall function 00000158709D5B30: GetCurrentThreadId.KERNEL32 ref: 00000158709D5B6B

Strings

sechost.dll, xrefs: 00000158709D1E39
EnumServicesStatusExW, xrefs: 00000158709D1E11, 00000158709D1E32
NtDeviceIoControlFile, xrefs: 00000158709D1E56
NtResumeThread, xrefs: 00000158709D1D62
NtQueryDirectoryFileEx, xrefs: 00000158709D1D9C
ntdll.dll, xrefs: 00000158709D1D2D
EnumServiceGroupW, xrefs: 00000158709D1DF0
NtEnumerateKey, xrefs: 00000158709D1DB9
NtQueryDirectoryFile, xrefs: 00000158709D1D7F
NtEnumerateValueKey, xrefs: 00000158709D1DD6
NtQuerySystemInformation, xrefs: 00000158709D1D45
advapi32.dll, xrefs: 00000158709D1DF7, 00000158709D1E18

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: fe178ff9f80e494172ea236cf487610b27fb66f29a12b80d336874847e16e756
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: B131AE7E545E4AE0EA04EBA9EC517E43320F7DC346FA9401394493E277AF38865BCB50

Function 00000158709A6910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000158709A6938
__scrt_acquire_startup_lock.LIBCMT ref: 00000158709A698A
_RTC_Initialize.LIBCMT ref: 00000158709A69B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000158709A69DE
__scrt_release_startup_lock.LIBCMT ref: 00000158709A6A09

Strings

`eh vector copy constructor iterator', xrefs: 00000158709A6A3B
`eh vector vbase copy constructor iterator', xrefs: 00000158709A69EE
scriptor', xrefs: 00000158709A6B39, 00000158709A6BB2, 00000158709A6BEC
`dynamic initializer for ', xrefs: 00000158709A69C7

Memory Dump Source

Source File: 0000001E.00000002.2721983767.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709a0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 2bc89b2b44f4cc9601cd367f7fcf5040b1f2b50bcf0555486a2ee6e897309275
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 0481AFBD708E41C6FA909B659C413D972A0A7CD782F7480259A49BF796DF38C847EF00

Function 00000158709DCE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00000158709DCE37
FlsGetValue.KERNEL32(?,?,?,00000158709E0A6B,?,?,?,00000158709E045C,?,?,?,00000158709DC84F), ref: 00000158709DCE4C
FlsSetValue.KERNEL32(?,?,?,00000158709E0A6B,?,?,?,00000158709E045C,?,?,?,00000158709DC84F), ref: 00000158709DCE6D
FlsSetValue.KERNEL32(?,?,?,00000158709E0A6B,?,?,?,00000158709E045C,?,?,?,00000158709DC84F), ref: 00000158709DCE9A
FlsSetValue.KERNEL32(?,?,?,00000158709E0A6B,?,?,?,00000158709E045C,?,?,?,00000158709DC84F), ref: 00000158709DCEAB
FlsSetValue.KERNEL32(?,?,?,00000158709E0A6B,?,?,?,00000158709E045C,?,?,?,00000158709DC84F), ref: 00000158709DCEBC
SetLastError.KERNEL32 ref: 00000158709DCED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000158709E0A6B,?,?,?,00000158709E045C,?,?,?,00000158709DC84F), ref: 00000158709DCF0D
FlsSetValue.KERNEL32(?,?,00000001,00000158709DECCC,?,?,?,?,00000158709DBF9F,?,?,?,?,?,00000158709D7AB0), ref: 00000158709DCF2C

Part of subcall function 00000158709DD6CC: HeapAlloc.KERNEL32 ref: 00000158709DD721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000158709E0A6B,?,?,?,00000158709E045C,?,?,?,00000158709DC84F), ref: 00000158709DCF54

Part of subcall function 00000158709DD744: HeapFree.KERNEL32 ref: 00000158709DD75A
Part of subcall function 00000158709DD744: GetLastError.KERNEL32 ref: 00000158709DD764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000158709E0A6B,?,?,?,00000158709E045C,?,?,?,00000158709DC84F), ref: 00000158709DCF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000158709E0A6B,?,?,?,00000158709E045C,?,?,?,00000158709DC84F), ref: 00000158709DCF76

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 9975690624174f1e8eecd39a416a149b1b9c960f19d828ddab801993930161a0
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: DB4184BC289E4DC1FA6867255D523E932425BCC7B6F740724A8367E7DBED28D8434E80

Function 00000158709D2244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000158709D2259
GetCurrentProcessId.KERNEL32 ref: 00000158709D2263

Part of subcall function 00000158709D1934: OpenProcess.KERNEL32 ref: 00000158709D1952
Part of subcall function 00000158709D1934: IsWow64Process.KERNEL32 ref: 00000158709D1968
Part of subcall function 00000158709D1934: CloseHandle.KERNEL32 ref: 00000158709D1983

CreateFileW.KERNEL32 ref: 00000158709D22BC
WriteFile.KERNEL32 ref: 00000158709D22E4
ReadFile.KERNEL32 ref: 00000158709D2303
CloseHandle.KERNEL32 ref: 00000158709D230C

Strings

\\.\pipe\dialerchildproc32, xrefs: 00000158709D2293
\\.\pipe\dialerchildproc64, xrefs: 00000158709D228C

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 9d08b4948e7ab7a7583e3835b8c16d8cf2b2d0085f3f9790f0536a71d5975b49
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 0D21303A618A54C2E710CB25F84439977A0F7C9BE6F640215DA591ABA8CF3CC55ACF00

Function 00000158709DA544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000158709DA5A1

Part of subcall function 00000158709DB414: __GetUnwindTryBlock.LIBCMT ref: 00000158709DB457
Part of subcall function 00000158709DB414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000158709DB47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000158709DA679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000158709DA8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 00000158709DA9DA

Strings

csm, xrefs: 00000158709DA622
csm, xrefs: 00000158709DA5BB
csm, xrefs: 00000158709DA69C

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: f3fa1228f9b23b1bab88f1be00c529a69e786049c2ce1459848cac513dec6a52
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: D0E1807A648F48CAEB20DF65D8803DD77A0F799799F640115EE896BB96CF34C492CB00

Function 00000158709A9944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000158709A99A1

Part of subcall function 00000158709AA814: __GetUnwindTryBlock.LIBCMT ref: 00000158709AA857
Part of subcall function 00000158709AA814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000158709AA87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000158709A9A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000158709A9CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 00000158709A9DDA

Strings

csm, xrefs: 00000158709A9A22
csm, xrefs: 00000158709A99BB
csm, xrefs: 00000158709A9A9C

Memory Dump Source

Source File: 0000001E.00000002.2721983767.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709a0000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 08ab0671c9424b5081223383289d6080edcd3caa4dd75a7e0d5916fa68029c91
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 8AE16EBA608F40CAEB60DB69DC403DD77A4F799799F204116EE896BB95CF34C492DB00

Function 00000158709DF394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32 ref: 00000158709DF510
GetProcAddress.KERNEL32 ref: 00000158709DF51C

Strings

ext-ms-, xrefs: 00000158709DF46D
api-ms-, xrefs: 00000158709DF45A

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: cb0434ac2a4b0d4f8a64736bfb55d34b7dfcd7b844d76ba5a6e5c12046194fd4
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: 9441293A359E04D1EA15CB16AC147D63391B7CDBE2F2541299D0DAF7AAEE38C4478B40

Function 00000158709D104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000158709D10B1
RegEnumValueW.ADVAPI32 ref: 00000158709D1117
GetProcessHeap.KERNEL32 ref: 00000158709D115A
HeapAlloc.KERNEL32 ref: 00000158709D1168
GetProcessHeap.KERNEL32 ref: 00000158709D1185
HeapFree.KERNEL32 ref: 00000158709D1193

Strings

d, xrefs: 00000158709D10D6

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: 406b0553ad116c0cf0cb50d7a38d1fd5da460869398bb6113de0fb484408bd0d
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: 99418237218F84D6E760CF21E84439E77A1F389B99F148129DB891B758DF38C586CB00

Function 00000158709DD068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00000158709DC7DE,?,?,?,?,?,?,?,?,00000158709DCF9D,?,?,00000001), ref: 00000158709DD087
FlsSetValue.KERNEL32(?,?,?,00000158709DC7DE,?,?,?,?,?,?,?,?,00000158709DCF9D,?,?,00000001), ref: 00000158709DD0A6
FlsSetValue.KERNEL32(?,?,?,00000158709DC7DE,?,?,?,?,?,?,?,?,00000158709DCF9D,?,?,00000001), ref: 00000158709DD0CE
FlsSetValue.KERNEL32(?,?,?,00000158709DC7DE,?,?,?,?,?,?,?,?,00000158709DCF9D,?,?,00000001), ref: 00000158709DD0DF
FlsSetValue.KERNEL32(?,?,?,00000158709DC7DE,?,?,?,?,?,?,?,?,00000158709DCF9D,?,?,00000001), ref: 00000158709DD0F0

Strings

1%, xrefs: 00000158709DD0CE
Y%, xrefs: 00000158709DD0A6

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: 1d2e9aa775ac6edd092d1a246d88b9f5446202352410f6619a6c14a773fb799f
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: 9811307878DE4CC1FA6857259D523F971419BCC7A6F78422594292E7DBDE28D4438A00

Function 00000158709D7510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000158709D7538
__scrt_acquire_startup_lock.LIBCMT ref: 00000158709D758A
_RTC_Initialize.LIBCMT ref: 00000158709D75B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000158709D75DE
__scrt_release_startup_lock.LIBCMT ref: 00000158709D7609

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 3d8f95e5633d4c6b653d59d18f429cffb185ad790c80063b25e37e7c71a7f415
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 03817E3D688E49C6FA50EB65AC413D9B291ABCD782F744415A9086F7A7FF38C8478F01

Function 00000158709D9DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00000158709D9E49
GetLastError.KERNEL32 ref: 00000158709D9E57
LoadLibraryExW.KERNEL32 ref: 00000158709D9E81
FreeLibrary.KERNEL32 ref: 00000158709D9EC7
GetProcAddress.KERNEL32 ref: 00000158709D9ED3

Strings

api-ms-, xrefs: 00000158709D9E69

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 7fb3335a45b0d0e99637cb6ac1d0fd9b443a23753f7729f4e4207a61b16c956a
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 2031D83A35AE44E1EE11EB42AC007D97394B7CCBA2F7906259D1E6F392DF38C4568B10

Function 00000158709E3DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000158709E3DE5
GetLastError.KERNEL32 ref: 00000158709E3DF1
CloseHandle.KERNEL32 ref: 00000158709E3E09
CreateFileW.KERNEL32 ref: 00000158709E3E34
WriteConsoleW.KERNEL32 ref: 00000158709E3E53

Strings

CONOUT$, xrefs: 00000158709E3E15

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: 5854a10f70b8acde66e217e2d3e673b9bf3bb195df514e6a525a3e7a0ccb6496
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 52118236314F40C6E7508B52FC5435976A0F7CCFE6F244218EA5A9B7A4CF78C9668B80

Function 00000158709D3790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000158709D379E
GetCurrentProcess.KERNEL32 ref: 00000158709D37CC
VirtualProtectEx.KERNEL32 ref: 00000158709D37EE
GetCurrentProcess.KERNEL32 ref: 00000158709D3809
VirtualProtectEx.KERNEL32 ref: 00000158709D382A

Strings

wr, xrefs: 00000158709D37FF

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: c1706b2b0473ed2e9d02f1dddf1a74ec365221044fa21d2a3e131ac40444c417
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 60113C3A708F45C2EF549B22E8043A972A1F788B97F644029DE895B765EF3DC916CB04

Function 00000158709D5B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000158709D5B6B
GetThreadContext.KERNEL32 ref: 00000158709D5CD5

Part of subcall function 00000158709D5960: GetCurrentThreadId.KERNEL32 ref: 00000158709D5964

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: 60ab21630707aac3798ecf9166792788bd74f2907c85a2321cc20bfd57c17da0
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: CFD17B7A259F48D1DA70DB16E89439A77A0F3CCB85F200116EA8D5BBA5DF38C552CF40

Function 00000158709D2F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000158709D2F27
HeapAlloc.KERNEL32 ref: 00000158709D2F3A
StrCmpNIW.SHLWAPI ref: 00000158709D2FAF
GetProcessHeap.KERNEL32 ref: 00000158709D3015
HeapFree.KERNEL32 ref: 00000158709D3023

Strings

dialer, xrefs: 00000158709D2FA8

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: e6d8faa326a562ef7d00f18873055ee8b9534239608773783dd45c2c1394fe41
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: FE31923A709F59C2E615CF16ED407E977A0FB98B82F1884249E485BB56EF34C462CB00

Function 00000158709DCFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000158709DCFAF
FlsSetValue.KERNEL32(?,?,?,00000158709DD6B5,?,?,?,?,00000158709DD778), ref: 00000158709DCFE5
FlsSetValue.KERNEL32(?,?,?,00000158709DD6B5,?,?,?,?,00000158709DD778), ref: 00000158709DD012
FlsSetValue.KERNEL32(?,?,?,00000158709DD6B5,?,?,?,?,00000158709DD778), ref: 00000158709DD023
FlsSetValue.KERNEL32(?,?,?,00000158709DD6B5,?,?,?,?,00000158709DD778), ref: 00000158709DD034
SetLastError.KERNEL32 ref: 00000158709DD04F

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: aa873455afc96999b87c21931bd58146887484eb7e08ab61906587a09483081b
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: EA116379389E48C1FA6457259E553E931425BCC7F6F344714A8366F7DBDD28C4438E40

Function 00000158709D199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000158709D19C2
K32GetModuleFileNameExW.KERNEL32 ref: 00000158709D19E0
PathFindFileNameW.SHLWAPI ref: 00000158709D19EF
lstrlenW.KERNEL32 ref: 00000158709D19FB
StrCpyW.SHLWAPI ref: 00000158709D1A0E
CloseHandle.KERNEL32 ref: 00000158709D1A1C

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: 7cc37782291b92a2b75e31e5930a5bab2ef7aa798e5d7ec79eb9ff034366abf0
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 2F016D36304E44C2EB54DB62A84839973A1F78CBC2FA84035DE4967765DF3CC99ACB00

Function 00000158709D36C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000158709D36E4
GetCurrentProcess.KERNEL32 ref: 00000158709D36F2
VirtualProtectEx.KERNEL32 ref: 00000158709D3714
GetCurrentProcess.KERNEL32 ref: 00000158709D3732
VirtualProtectEx.KERNEL32 ref: 00000158709D3753
TerminateThread.KERNEL32 ref: 00000158709D3762

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: d92c0bde52101c03c87867e95d8acc90603132017f221265b0eb273a598ab5d0
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 3B011B7A215F44C2FB249B22EC0839973A0BB9DB87F244428CD492B765EF3DC51A8B00

Function 00000158709D9005 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000158709D9013
_IsNonwritableInCurrentImage.LIBCMT ref: 00000158709D90A8
RtlUnwindEx.NTDLL ref: 00000158709D90F7

Strings

f, xrefs: 00000158709D9026
csm, xrefs: 00000158709D908E

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 04aa9ae47b2a9c131ca64884b0331827bb0d1dcec54a8120c3393878895a1e76
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: CE51C63A74DA06CADB14EF15EC48B993795F389B9AF218124DA076B74ADF75CC42CB00

Function 00000158709D8FE8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000158709D9013
_IsNonwritableInCurrentImage.LIBCMT ref: 00000158709D90A8
RtlUnwindEx.NTDLL ref: 00000158709D90F7

Strings

f, xrefs: 00000158709D9026
csm, xrefs: 00000158709D908E

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: cc6c5033e38e6afa751b52c8de9f6da4c93002e611e71df0da7fecd0cba56087
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 0F31C43A348A44D6E714EF11EC447993765F388BCAF258114EE4A2B746DF39C942CF04

Function 00000158709D1A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000158709D1A60
StrCmpNIW.SHLWAPI ref: 00000158709D1A7A
lstrlenW.KERNEL32 ref: 00000158709D1A89
StrCpyW.SHLWAPI ref: 00000158709D1A9E

Strings

\\?\, xrefs: 00000158709D1A6E

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 698509cad8b23d240c0b825ecc2b97b4a5749d1b6b2534689e1e69f203ffbdc3
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 77F03C37704A45D2EB608B61FC847997760F78CBDAFA44020DA495AA65DE2CCA9ECF00

Function 00000158709D3044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 00000158709D3066
StrCpyW.SHLWAPI ref: 00000158709D3076
StrCatW.SHLWAPI ref: 00000158709D3082
PathCombineW.SHLWAPI ref: 00000158709D3090

Strings

\\.\pipe\, xrefs: 00000158709D305C

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: de2cf2f2a9d9284385138a2729b234b0e2eb91eb51179958fd2d97b66a3f2f3e
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 8EF05439204F84C1EA104B12BD042997260A78CFD2F289120DD461BB29DE28C8568B00

Function 00000158709DBC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000158709DBCBD
GetProcAddress.KERNEL32 ref: 00000158709DBCD3
FreeLibrary.KERNEL32 ref: 00000158709DBCFA

Strings

mscoree.dll, xrefs: 00000158709DBCB4
CorExitProcess, xrefs: 00000158709DBCCC

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 10d4d02c46d8948fd3dba8b0568bcad9390f76deb3f3d4399e5b44582f6e7a45
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: C0F0627A215E04D1EB148B29EC443997320FBCDBA7F640219CA6A5D2F4CF2CC956CB00

Function 00000158709D50D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000158709D5156

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: d8e4fcef7782aab0e6196fa45eef77e5817cd3fcfaeadc4be3155837d2d64916
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: EF02A83625DB84C6E760CB55E89039AB7A1F3C8795F204015EA8E9BBA9DF7CC495CF00

Function 00000158709D5710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000158709D5726

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: 2d239d733d9f377039aa2bd8920474b359dab336e32e40763e3e9fde822d2307
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: 4961C73A559E48C6E760CB15E85435AB7A0F3CC786F600116EA8E5BBA9DF7CC452CF40

Function 00000158709E4104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000158709E412C
_set_statfp.LIBCMT ref: 00000158709E4147
_set_statfp.LIBCMT ref: 00000158709E4163
_set_statfp.LIBCMT ref: 00000158709E419F

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 45fce9a1b44715b5da1f110af4fbf2b5e72d243b065df00d6a6cb7d411a89504
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: F011B23BA18F40E1FE645578DC553E531416BFC3A6E380624A5766E6F6CEA8CCA34901

Function 00000158709B3504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000158709B352C
_set_statfp.LIBCMT ref: 00000158709B3547
_set_statfp.LIBCMT ref: 00000158709B3563
_set_statfp.LIBCMT ref: 00000158709B359F

Memory Dump Source

Source File: 0000001E.00000002.2721983767.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709a0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: b22d272b1eca59d2f8be55dc33f3d675a4ea0f3ee1479b912bd1a7d695708eec
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: C411C47A610E01D1FA749568EC513E934806BDC37EF78C728BD6ABEED78EA4C8474900

Function 00000158709AF040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000158709AF124

Strings

or copy constructor iterator', xrefs: 00000158709AF25A, 00000158709AF275
Tuesday, xrefs: 00000158709AF0F4
Wednesday, xrefs: 00000158709AF1ED

Memory Dump Source

Source File: 0000001E.00000002.2721983767.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709a0000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: bfa070ed68fe50ba7f1f2c297ac04698a413684fc1faf6f2fb695e8f31954a37
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 2A6192BE60CE00C2FA658BA4DC603EA7A90E7CD792F714516CA153F795EE34C847EA00

Function 00000158709DAA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000158709DAA68
_CallSETranslator.LIBVCRUNTIME ref: 00000158709DAAB7

Strings

RCC, xrefs: 00000158709DAA85
MOC, xrefs: 00000158709DAA7C

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 7893eb5ab0e642a1a0fa3d649198329584f3167fee0553330bce6cb7a40f68a6
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 06614C3A605A48CAEB109F65D8403DD77A1F388B99F244216DE492BB95DF38D556CB00

Function 00000158709DAD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000158709DADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000158709DAE88

Strings

csm, xrefs: 00000158709DADC2
csm, xrefs: 00000158709DAEDA

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: c55e6b89f1deeede7607d44a4678232a21c5566193418bc64356b270fa1dde39
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 8A51B57A148B88CAEB748F25D9443D977A0F3D8B96F244115DA496BBD6CF34C462CF00

Function 00000158709AA178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000158709AA1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000158709AA288

Strings

csm, xrefs: 00000158709AA1C2
csm, xrefs: 00000158709AA2DA

Memory Dump Source

Source File: 0000001E.00000002.2721983767.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709a0000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: ad2e3dc20faeaab019d23fdd26e7ac47928873f210296601eed610e87e364d0a
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: C051D1BA108A80CBEF648B15984439877A0F3DCB96F284116DA596BBC5CF39D462EF40

Function 00000158709A8405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000158709A8413
_IsNonwritableInCurrentImage.LIBCMT ref: 00000158709A84A8

Strings

f, xrefs: 00000158709A8426
csm, xrefs: 00000158709A848E

Memory Dump Source

Source File: 0000001E.00000002.2721983767.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709a0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 522bc94808ccd0891ba8f4ee668879e4334006ea7c9bfdc7b7a578e3ad5792e1
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 4F51E7BAB15A00CAD754CF15D808B9AB395F3C8B99F609064EE066B748EF34CC42DF04

Function 00000158709A83E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000158709A8413
_IsNonwritableInCurrentImage.LIBCMT ref: 00000158709A84A8

Strings

f, xrefs: 00000158709A8426
csm, xrefs: 00000158709A848E

Memory Dump Source

Source File: 0000001E.00000002.2721983767.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709a0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 425ae51dfe7bd6ea10f93c1d87e22065c9b592431508976835fcf9b4f7ab9431
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 1131D1B9615B40DAE710DF11EC4879AB7A4F3C8B9AF258014EE4A6B794DF38C942DB04

Function 00000158709E2058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000158709E20D7
WriteFile.KERNEL32 ref: 00000158709E239F
WriteFile.KERNEL32 ref: 00000158709E23E5
GetLastError.KERNEL32 ref: 00000158709E249B

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: 30429b6e85d52d015e3732def11cd14d4559421b5eb639c62a2224f3fa9bfba5
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: 66D1CF77714A80C9E711CF65D8403DC3BA1F398799F24421ADE59ABBA9EE34C927CB40

Function 00000158709D14A4 Relevance: 6.3, APIs: 5, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000158709D14C5
HeapFree.KERNEL32 ref: 00000158709D14D4
GetProcessHeap.KERNEL32 ref: 00000158709D14E1
HeapFree.KERNEL32 ref: 00000158709D14F0
GetProcessHeap.KERNEL32 ref: 00000158709D1500

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction ID: 6c2322820e03c340fe85ce000d17cb2736a86ce4299153c466e268a4634f297b
Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction Fuzzy Hash: CF014C3B608E94D6D705DF66ED0428A77A1F78CFC2F144429EA4967729DE38C462CB40

Function 00000158709E2980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 00000158709E2A9C
GetLastError.KERNEL32 ref: 00000158709E2B27

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: 9698fe35d1373322723ac282d06d8dd41e13e0f968837ab8ea655e484caeaefb
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: 45918E7B610A54C5F7609F65DC403ED3BA0B789B8AF38411DDE4A7B6A5DE34C8A38B00

Function 00000158709D7960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000158709D798C
GetCurrentThreadId.KERNEL32 ref: 00000158709D799A
GetCurrentProcessId.KERNEL32 ref: 00000158709D79A6
QueryPerformanceCounter.KERNEL32 ref: 00000158709D79B6

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: d83516dcc5bf840c11a0c3c522cc2f90a05092959f30cd3160fc22130dc72981
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: A9115A3A714F00CAEB00CF60EC543A833A4F79D769F540E21EA6D5A7A4DF78D5A98780

Function 00000158709D253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000158709D2620
StrCpyW.SHLWAPI ref: 00000158709D2639

Strings

\\.\pipe\, xrefs: 00000158709D262B

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: f47752b0ae6f6901657473cb0ccd733c6e7a9ca02a6f2b5df069b7bf189e1af2
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: C571C23A248F89C6E7349E25DC443EA7794F3DDB86F640026DD496BB8ADE35C646CB00

Function 00000158709A9E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000158709A9EB7

Strings

RCC, xrefs: 00000158709A9E85
MOC, xrefs: 00000158709A9E7C

Memory Dump Source

Source File: 0000001E.00000002.2721983767.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709a0000_svchost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 489574c67d8b5b6cc54a2877ae297f4e8f41fd0bb560a578f5265c3132118aee
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 3761497A608B44CAEB20DF65D8403DD77A0F388B89F244215EF492BB99DF38D556DB40

Function 00000158709D2330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000158709D2416
StrCpyW.SHLWAPI ref: 00000158709D242D

Strings

\\.\pipe\, xrefs: 00000158709D2421

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: babde32fb5154fc8530fc586cff3b7450ac821e147294971176bd01e01761f2d
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: B051E63A24CB89C1E6359B29E8583EA7751F3ED782F640125DD492BB6BCE39C5068F40

Function 00000158709E26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000158709E2807
GetLastError.KERNEL32 ref: 00000158709E2829

Strings

U, xrefs: 00000158709E27B3

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 21ff62e2b89e22826b140db66bb7822c727ad4cd8fe966186e5f0310e84707f2
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 8841A037219A80C2DB208F25E8443EAB7A0F79C795F644025EE4D9B798EF3CC952CB40

Function 00000158709D94A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000158709D94F0
RaiseException.KERNEL32 ref: 00000158709D9531

Strings

csm, xrefs: 00000158709D951E

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 20f4be22c22dfa457ef3525fbc3f7e3b2bed3974d008a9829f0cdff42773ce01
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 8D112B36218F84C2EB619B15F94039977E5F788B95F684224EE8D1BB69DF3CC952CB00

Function 00000158709A7356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00000158709A737C

Strings

ierarchy Descriptor', xrefs: 00000158709A7381
riptor at (, xrefs: 00000158709A7364

Memory Dump Source

Source File: 0000001E.00000002.2721983767.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709a0000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 3b3cf7cab3b32b493eb2ba88bbe49323af7bffc66ca1579de9ffd3a8dc560e24
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 13E086B1640F44D0DF018F61EC403D873A0DB9CB68BA89122D95C5A311FE38D5FAC700

Function 00000158709A73B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00000158709A73D8

Strings

Locator', xrefs: 00000158709A73DD
riptor at (, xrefs: 00000158709A73C0

Memory Dump Source

Source File: 0000001E.00000002.2721983767.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709a0000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 8b563b15b0da3dea3b2a42213421ba672c2fb53560027d55dbb8324bba71f4a8
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: EDE08671600F44D0DF028F61D8403D87360E79CB68B989122C94C5A311EE38D5E6C700

Function 00000158709D1BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000158709D1C2D
HeapAlloc.KERNEL32 ref: 00000158709D1C3B
GetProcessHeap.KERNEL32 ref: 00000158709D1C77
HeapFree.KERNEL32 ref: 00000158709D1C85

Part of subcall function 00000158709D152C: StrCmpIW.SHLWAPI ref: 00000158709D155D

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: 29c7f6ae37fee443e275d0900ba1dffe24d5f51a1d6125abf64e6308baa90841
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: B2118E3A615F48C1EA048B66A8043A977A0E7CDFC2F2840289E8D6B766DE38C852C700

Function 00000158709D1268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000158709D126E
HeapAlloc.KERNEL32 ref: 00000158709D127D
GetProcessHeap.KERNEL32 ref: 00000158709D1297
HeapAlloc.KERNEL32 ref: 00000158709D12A8

Memory Dump Source

Source File: 0000001E.00000002.2722834758.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_158709d0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 0df0b71972fc614dcc7a18976dac37df89d2385fd46c5fb6c76c0ed9fa5f8c47
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 24E0653A601A04C6E7058F52DC0838E3AE1FBCDF56F14C014C9090B361DF7D88A6CB50

Analysis Process: dwm.exePID: 984, Parent PID: 7188COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	95.2%
Signature Coverage:	0%
Total number of Nodes:	124
Total number of Limit Nodes:	16

Executed Functions

Function 0000026DB16D1628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000026DB16D1633
HeapAlloc.KERNEL32 ref: 0000026DB16D1642

Part of subcall function 0000026DB16D1268: GetProcessHeap.KERNEL32 ref: 0000026DB16D126E
Part of subcall function 0000026DB16D1268: HeapAlloc.KERNEL32 ref: 0000026DB16D127D
Part of subcall function 0000026DB16D1268: GetProcessHeap.KERNEL32 ref: 0000026DB16D1297
Part of subcall function 0000026DB16D1268: HeapAlloc.KERNEL32 ref: 0000026DB16D12A8

RegOpenKeyExW.ADVAPI32 ref: 0000026DB16D16B2
RegOpenKeyExW.ADVAPI32 ref: 0000026DB16D16DF
RegCloseKey.ADVAPI32 ref: 0000026DB16D16F9
RegOpenKeyExW.ADVAPI32 ref: 0000026DB16D1719
RegCloseKey.ADVAPI32 ref: 0000026DB16D1734
RegOpenKeyExW.ADVAPI32 ref: 0000026DB16D1754
RegCloseKey.ADVAPI32 ref: 0000026DB16D176F
RegOpenKeyExW.ADVAPI32 ref: 0000026DB16D178F
RegCloseKey.ADVAPI32 ref: 0000026DB16D17AA
RegOpenKeyExW.ADVAPI32 ref: 0000026DB16D17CA
RegCloseKey.ADVAPI32 ref: 0000026DB16D17E5
RegOpenKeyExW.ADVAPI32 ref: 0000026DB16D1805
RegCloseKey.ADVAPI32 ref: 0000026DB16D1820
RegOpenKeyExW.ADVAPI32 ref: 0000026DB16D1840
RegCloseKey.ADVAPI32 ref: 0000026DB16D185B
RegOpenKeyExW.ADVAPI32 ref: 0000026DB16D187B
RegCloseKey.ADVAPI32 ref: 0000026DB16D1896
RegCloseKey.ADVAPI32 ref: 0000026DB16D18A0

Part of subcall function 0000026DB16D12BC: RegQueryInfoKeyW.ADVAPI32 ref: 0000026DB16D1319
Part of subcall function 0000026DB16D12BC: GetProcessHeap.KERNEL32 ref: 0000026DB16D1327
Part of subcall function 0000026DB16D12BC: HeapAlloc.KERNEL32 ref: 0000026DB16D1338
Part of subcall function 0000026DB16D12BC: RegEnumValueW.ADVAPI32 ref: 0000026DB16D1397
Part of subcall function 0000026DB16D12BC: GetProcessHeap.KERNEL32 ref: 0000026DB16D13DF
Part of subcall function 0000026DB16D12BC: HeapAlloc.KERNEL32 ref: 0000026DB16D13ED
Part of subcall function 0000026DB16D12BC: GetProcessHeap.KERNEL32 ref: 0000026DB16D140A
Part of subcall function 0000026DB16D12BC: HeapFree.KERNEL32 ref: 0000026DB16D1418
Part of subcall function 0000026DB16D12BC: lstrlenW.KERNEL32 ref: 0000026DB16D1421
Part of subcall function 0000026DB16D12BC: GetProcessHeap.KERNEL32 ref: 0000026DB16D142F
Part of subcall function 0000026DB16D12BC: HeapAlloc.KERNEL32 ref: 0000026DB16D143D

Strings

SOFTWARE\dialerconfig, xrefs: 0000026DB16D1692
pid, xrefs: 0000026DB16D1712
paths, xrefs: 0000026DB16D1788
process_names, xrefs: 0000026DB16D174D
startup, xrefs: 0000026DB16D16D5
udp, xrefs: 0000026DB16D1874
tcp_remote, xrefs: 0000026DB16D1839
tcp_local, xrefs: 0000026DB16D17FE
service_names, xrefs: 0000026DB16D17C3

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 4ce60c9cfab9b5366f898af9bc43f1963af320a3cfcb6bf805752a04d3ff00ad
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 57712B37B10A18C6EB509F66EC5869923B5F798B8CF425211DE4E87B6CEF76C544C380

Function 0000026DB16D3790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 0000026DB16D379E
GetCurrentProcess.KERNEL32 ref: 0000026DB16D37CC
VirtualProtectEx.KERNEL32 ref: 0000026DB16D37EE
GetCurrentProcess.KERNEL32 ref: 0000026DB16D3809
VirtualProtectEx.KERNEL32 ref: 0000026DB16D382A

Strings

wr, xrefs: 0000026DB16D37FF

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: a5bfad009d77d4f236170802a3cd6a43ef16cd8bdcb0cf630a703b92f7e835be
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 84118B76B00B4882EF549B22E80C26967B0FB88B89F460128DE8903798EF3EC605C744

Function 0000026DB16D5B30 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026DB16D5B6B
GetThreadContext.KERNEL32 ref: 0000026DB16D5CD5

Part of subcall function 0000026DB16D5960: GetCurrentThreadId.KERNEL32 ref: 0000026DB16D5964

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
Instruction ID: d32536d4505a5c157cb9107ef26c06028ea8f41c32301a1541970d7f654dc29e
Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
Instruction Fuzzy Hash: 43D18976605B8881DB709B0AE89835A77B0F3C9B88F114216EECD47BA9DF3DC551CB80

Function 0000026DB16D50D0 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026DB16D5156

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
Instruction ID: 0be94f0c496fe40b7e2810e11e0833423463446b708cc81adc7848cfe4bc36ee
Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
Instruction Fuzzy Hash: C902D932A19B8886E760CB56F89475AB7B1F3C5788F114016EA8E87BACDF7DC454CB40

Function 0000026DB16D39E0 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 0000026DB16D3A66
VirtualAlloc.KERNEL32 ref: 0000026DB16D3AA0

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction ID: 3b48648ec94fa092fe4efad0f9a845e9b6d15b3daaeba4c17bc1270e402ca5cd
Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction Fuzzy Hash: 31313272F19A8881EA70DB16E85935E67A0F38878CF150565F9CD06BACDF7EC2408B85

Function 0000026DB16D328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000026DB16D32AE
PathFindFileNameW.SHLWAPI ref: 0000026DB16D32BD

Part of subcall function 0000026DB16D3844: StrCmpNIW.SHLWAPI ref: 0000026DB16D385C

Part of subcall function 0000026DB16D3790: GetModuleHandleW.KERNEL32 ref: 0000026DB16D379E
Part of subcall function 0000026DB16D3790: GetCurrentProcess.KERNEL32 ref: 0000026DB16D37CC
Part of subcall function 0000026DB16D3790: VirtualProtectEx.KERNEL32 ref: 0000026DB16D37EE
Part of subcall function 0000026DB16D3790: GetCurrentProcess.KERNEL32 ref: 0000026DB16D3809
Part of subcall function 0000026DB16D3790: VirtualProtectEx.KERNEL32 ref: 0000026DB16D382A

CreateThread.KERNEL32 ref: 0000026DB16D330B

Part of subcall function 0000026DB16D1D14: GetCurrentThread.KERNEL32 ref: 0000026DB16D1D1F

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: beae08deab80b084e2f725f676bd954daefd8a7d270af60b78aa60878441051e
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: B41192B2F1068C82FB60AB22FE0D36923A4B75434CF934168D906816DDEF7BC244C6D0

Function 0000026DB16D4DF0 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0000026DB16D4DF4
VirtualProtect.KERNEL32 ref: 0000026DB16D4E37
FlushInstructionCache.KERNEL32 ref: 0000026DB16D4E4C

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
Instruction ID: 3d6453755da34854a45dfe5c773d63dc72ce5a17786c93c6050d11d114495951
Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
Instruction Fuzzy Hash: CEF0D036B19B08C1D631DB06E85575AABA0F3887DCF154115FA8D47B6DCE3EC5908B80

Function 0000026DB16A273C Relevance: 3.2, APIs: 2, Instructions: 187
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000026DB16A27DB
LoadLibraryA.KERNELBASE ref: 0000026DB16A285E

Memory Dump Source

Source File: 0000001F.00000002.2767375526.0000026DB16A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16a0000_dwm.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 07f0f15155d3b63fe84f44c856708faa1704cd92427126b808b8d471c6300ea4
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 9E615532F6129887DB14CF16C80872DB392F754FA8F1A8139EE190378CCA39D85AC780

Function 0000026DB16D1ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000026DB16D1628: GetProcessHeap.KERNEL32 ref: 0000026DB16D1633
Part of subcall function 0000026DB16D1628: HeapAlloc.KERNEL32 ref: 0000026DB16D1642
Part of subcall function 0000026DB16D1628: RegOpenKeyExW.ADVAPI32 ref: 0000026DB16D16B2
Part of subcall function 0000026DB16D1628: RegOpenKeyExW.ADVAPI32 ref: 0000026DB16D16DF
Part of subcall function 0000026DB16D1628: RegCloseKey.ADVAPI32 ref: 0000026DB16D16F9
Part of subcall function 0000026DB16D1628: RegOpenKeyExW.ADVAPI32 ref: 0000026DB16D1719
Part of subcall function 0000026DB16D1628: RegCloseKey.ADVAPI32 ref: 0000026DB16D1734
Part of subcall function 0000026DB16D1628: RegOpenKeyExW.ADVAPI32 ref: 0000026DB16D1754
Part of subcall function 0000026DB16D1628: RegCloseKey.ADVAPI32 ref: 0000026DB16D176F
Part of subcall function 0000026DB16D1628: RegOpenKeyExW.ADVAPI32 ref: 0000026DB16D178F
Part of subcall function 0000026DB16D1628: RegCloseKey.ADVAPI32 ref: 0000026DB16D17AA
Part of subcall function 0000026DB16D1628: RegOpenKeyExW.ADVAPI32 ref: 0000026DB16D17CA

Sleep.KERNEL32 ref: 0000026DB16D1AD7
SleepEx.KERNELBASE ref: 0000026DB16D1ADD

Part of subcall function 0000026DB16D1628: RegCloseKey.ADVAPI32 ref: 0000026DB16D17E5
Part of subcall function 0000026DB16D1628: RegOpenKeyExW.ADVAPI32 ref: 0000026DB16D1805
Part of subcall function 0000026DB16D1628: RegCloseKey.ADVAPI32 ref: 0000026DB16D1820
Part of subcall function 0000026DB16D1628: RegOpenKeyExW.ADVAPI32 ref: 0000026DB16D1840
Part of subcall function 0000026DB16D1628: RegCloseKey.ADVAPI32 ref: 0000026DB16D185B
Part of subcall function 0000026DB16D1628: RegOpenKeyExW.ADVAPI32 ref: 0000026DB16D187B
Part of subcall function 0000026DB16D1628: RegCloseKey.ADVAPI32 ref: 0000026DB16D1896
Part of subcall function 0000026DB16D1628: RegCloseKey.ADVAPI32 ref: 0000026DB16D18A0

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 9ab9c7c3dc2898fd20a131f18e933c9410a2ef9eabe600e11c67b36a472d32f7
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: C53115B1F10649C1FF509B27DE693A913A4AB54BC8F0A54219E09877DEFF96C451C390

Non-executed Functions

Function 0000026DB16D2B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000026DB16D2BD0
lstrlenW.KERNEL32 ref: 0000026DB16D2E0A

Part of subcall function 0000026DB16D199C: OpenProcess.KERNEL32 ref: 0000026DB16D19C2
Part of subcall function 0000026DB16D199C: K32GetModuleFileNameExW.KERNEL32 ref: 0000026DB16D19E0
Part of subcall function 0000026DB16D199C: PathFindFileNameW.SHLWAPI ref: 0000026DB16D19EF
Part of subcall function 0000026DB16D199C: lstrlenW.KERNEL32 ref: 0000026DB16D19FB
Part of subcall function 0000026DB16D199C: StrCpyW.SHLWAPI ref: 0000026DB16D1A0E
Part of subcall function 0000026DB16D199C: CloseHandle.KERNEL32 ref: 0000026DB16D1A1C

GetProcAddress.KERNEL32 ref: 0000026DB16D2BE5

Part of subcall function 0000026DB16D152C: StrCmpIW.SHLWAPI ref: 0000026DB16D155D

Part of subcall function 0000026DB16D3844: StrCmpNIW.SHLWAPI ref: 0000026DB16D385C

StrCmpNIW.SHLWAPI ref: 0000026DB16D2C28
lstrlenW.KERNEL32 ref: 0000026DB16D2D50

Strings

ntdll.dll, xrefs: 0000026DB16D2BC9
NtQueryObject, xrefs: 0000026DB16D2BDB
\Device\Nsi, xrefs: 0000026DB16D2C1B

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: f061ad95e55fc97d5369ddb75918f1acae21ca7b815b603edbd11f341a23fd41
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 80B1A172B10A5896EBA4CF26DC587A963A5FB44B8CF46501AEE095779CDF36CC40C7C0

Function 0000026DB16D7D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000026DB16D7DAC
RtlCaptureContext.NTDLL ref: 0000026DB16D7DD9
RtlLookupFunctionEntry.NTDLL ref: 0000026DB16D7DF3
RtlVirtualUnwind.NTDLL ref: 0000026DB16D7E34
IsDebuggerPresent.KERNEL32 ref: 0000026DB16D7E88
SetUnhandledExceptionFilter.KERNEL32 ref: 0000026DB16D7EA9
UnhandledExceptionFilter.KERNEL32 ref: 0000026DB16D7EB4

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: a44980cde4e59342962f7947f53dae7cc18474da5eac7b5d5cd06663a62caf82
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 6931AB73704B848AEB608F61E8843EE7360F78470CF85412ADA4E47B98EF39C648C740

Function 0000026DB16DD2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000026DB16DD31D
RtlLookupFunctionEntry.NTDLL ref: 0000026DB16DD335
RtlVirtualUnwind.NTDLL ref: 0000026DB16DD370
IsDebuggerPresent.KERNEL32 ref: 0000026DB16DD3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 0000026DB16DD3B3
UnhandledExceptionFilter.KERNEL32 ref: 0000026DB16DD3BE

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 7dbb111ec5903a8c84558684a7ad943c46906c24a6f9754f8a798c5606a36e66
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 44317E33714B848AEB60DF26EC443AE73A4F789758F550226EA9D43BA8DF39C545CB40

Function 0000026DB16D12BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000026DB16D1319
GetProcessHeap.KERNEL32 ref: 0000026DB16D1327
HeapAlloc.KERNEL32 ref: 0000026DB16D1338
RegEnumValueW.ADVAPI32 ref: 0000026DB16D1397

Part of subcall function 0000026DB16D152C: StrCmpIW.SHLWAPI ref: 0000026DB16D155D

GetProcessHeap.KERNEL32 ref: 0000026DB16D13DF
HeapAlloc.KERNEL32 ref: 0000026DB16D13ED
GetProcessHeap.KERNEL32 ref: 0000026DB16D140A
HeapFree.KERNEL32 ref: 0000026DB16D1418
lstrlenW.KERNEL32 ref: 0000026DB16D1421
GetProcessHeap.KERNEL32 ref: 0000026DB16D142F
HeapAlloc.KERNEL32 ref: 0000026DB16D143D
StrCpyW.SHLWAPI ref: 0000026DB16D145F
GetProcessHeap.KERNEL32 ref: 0000026DB16D1476
HeapFree.KERNEL32 ref: 0000026DB16D1484

Strings

d, xrefs: 0000026DB16D135A

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: 783d29d2bda3d253132f4994b95c9cc293394daab674e68720b3b73a17300f3c
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: 50516A32B10B88C6EB51CF66E94839A77A1F388B99F454224DA490772CDF3DC049C780

Function 0000026DB16D1D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000026DB16D1D1F

Part of subcall function 0000026DB16D1FD4: GetModuleHandleA.KERNEL32 ref: 0000026DB16D1FEC
Part of subcall function 0000026DB16D1FD4: GetProcAddress.KERNEL32 ref: 0000026DB16D1FFD

Part of subcall function 0000026DB16D5B30: GetCurrentThreadId.KERNEL32 ref: 0000026DB16D5B6B

Strings

ntdll.dll, xrefs: 0000026DB16D1D2D
NtQueryDirectoryFileEx, xrefs: 0000026DB16D1D9C
sechost.dll, xrefs: 0000026DB16D1E39
EnumServiceGroupW, xrefs: 0000026DB16D1DF0
NtEnumerateValueKey, xrefs: 0000026DB16D1DD6
advapi32.dll, xrefs: 0000026DB16D1DF7, 0000026DB16D1E18
NtDeviceIoControlFile, xrefs: 0000026DB16D1E56
NtEnumerateKey, xrefs: 0000026DB16D1DB9
NtQuerySystemInformation, xrefs: 0000026DB16D1D45
EnumServicesStatusExW, xrefs: 0000026DB16D1E11, 0000026DB16D1E32
NtQueryDirectoryFile, xrefs: 0000026DB16D1D7F
NtResumeThread, xrefs: 0000026DB16D1D62

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: 5ca48a310db2dafeee8d07d252f49e53e2c646e65f9d6de92084b7a15179caae
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: 4431D2B5F00A4EA0EA00EBAAEC597E42321B75478CFC35117980D4657EAF7AC649C7D0

Function 0000026DB16A6910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000026DB16A6938
__scrt_acquire_startup_lock.LIBCMT ref: 0000026DB16A698A
_RTC_Initialize.LIBCMT ref: 0000026DB16A69B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000026DB16A69DE
__scrt_release_startup_lock.LIBCMT ref: 0000026DB16A6A09

Strings

scriptor', xrefs: 0000026DB16A6B39, 0000026DB16A6BB2, 0000026DB16A6BEC
`eh vector vbase copy constructor iterator', xrefs: 0000026DB16A69EE
`dynamic initializer for ', xrefs: 0000026DB16A69C7
`eh vector copy constructor iterator', xrefs: 0000026DB16A6A3B

Memory Dump Source

Source File: 0000001F.00000002.2767375526.0000026DB16A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16a0000_dwm.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 3a6fecc462d4599d32a4f435162b826d9bb8301b484b22a45ca561f754a01f80
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: A2810231F2024D86FA94AB269C5D39962D0EBA578CF4BA0259F054379EDF3BC84D8780

Function 0000026DB16DCE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 0000026DB16DCE37
FlsGetValue.KERNEL32(?,?,?,0000026DB16E0A6B,?,?,?,0000026DB16E045C,?,?,?,0000026DB16DC84F), ref: 0000026DB16DCE4C
FlsSetValue.KERNEL32(?,?,?,0000026DB16E0A6B,?,?,?,0000026DB16E045C,?,?,?,0000026DB16DC84F), ref: 0000026DB16DCE6D
FlsSetValue.KERNEL32(?,?,?,0000026DB16E0A6B,?,?,?,0000026DB16E045C,?,?,?,0000026DB16DC84F), ref: 0000026DB16DCE9A
FlsSetValue.KERNEL32(?,?,?,0000026DB16E0A6B,?,?,?,0000026DB16E045C,?,?,?,0000026DB16DC84F), ref: 0000026DB16DCEAB
FlsSetValue.KERNEL32(?,?,?,0000026DB16E0A6B,?,?,?,0000026DB16E045C,?,?,?,0000026DB16DC84F), ref: 0000026DB16DCEBC
SetLastError.KERNEL32 ref: 0000026DB16DCED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000026DB16E0A6B,?,?,?,0000026DB16E045C,?,?,?,0000026DB16DC84F), ref: 0000026DB16DCF0D
FlsSetValue.KERNEL32(?,?,00000001,0000026DB16DECCC,?,?,?,?,0000026DB16DBF9F,?,?,?,?,?,0000026DB16D7AB0), ref: 0000026DB16DCF2C

Part of subcall function 0000026DB16DD6CC: HeapAlloc.KERNEL32 ref: 0000026DB16DD721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000026DB16E0A6B,?,?,?,0000026DB16E045C,?,?,?,0000026DB16DC84F), ref: 0000026DB16DCF54

Part of subcall function 0000026DB16DD744: HeapFree.KERNEL32 ref: 0000026DB16DD75A
Part of subcall function 0000026DB16DD744: GetLastError.KERNEL32 ref: 0000026DB16DD764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000026DB16E0A6B,?,?,?,0000026DB16E045C,?,?,?,0000026DB16DC84F), ref: 0000026DB16DCF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000026DB16E0A6B,?,?,?,0000026DB16E045C,?,?,?,0000026DB16DC84F), ref: 0000026DB16DCF76

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 1dfd4429d99dc5b3bfe79a887dc16bb6e87e9ad2ea3952576508cef4c5d25d48
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: 49419570F0128C41FA69A7379D5D37922429F957FCF170B68A936466EEFE6BC84182C0

Function 0000026DB16D2244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000026DB16D2259
GetCurrentProcessId.KERNEL32 ref: 0000026DB16D2263

Part of subcall function 0000026DB16D1934: OpenProcess.KERNEL32 ref: 0000026DB16D1952
Part of subcall function 0000026DB16D1934: IsWow64Process.KERNEL32 ref: 0000026DB16D1968
Part of subcall function 0000026DB16D1934: CloseHandle.KERNEL32 ref: 0000026DB16D1983

CreateFileW.KERNEL32 ref: 0000026DB16D22BC
WriteFile.KERNEL32 ref: 0000026DB16D22E4
ReadFile.KERNEL32 ref: 0000026DB16D2303
CloseHandle.KERNEL32 ref: 0000026DB16D230C

Strings

\\.\pipe\dialerchildproc32, xrefs: 0000026DB16D2293
\\.\pipe\dialerchildproc64, xrefs: 0000026DB16D228C

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 614e3c959a348e1a0bd1af7f8105fb8c116d018bd81af7a4b925cfae25fccb79
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 59213832B14A5882EB10CB25E94835A67A0F799BA8F910315EA5903AA8CF7DC589CB40

Function 0000026DB16DA544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000026DB16DA5A1

Part of subcall function 0000026DB16DB414: __GetUnwindTryBlock.LIBCMT ref: 0000026DB16DB457
Part of subcall function 0000026DB16DB414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000026DB16DB47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000026DB16DA679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000026DB16DA8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 0000026DB16DA9DA

Strings

csm, xrefs: 0000026DB16DA69C
csm, xrefs: 0000026DB16DA5BB
csm, xrefs: 0000026DB16DA622

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: cb15ce58358aa12ddbad5d6868dfc74487d81a3d160813501bf1dccd4f5a7ce6
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 57E1A272F08B888AEB20DF66D84939D77A0F745B9CF160115EE8997BADCB35C481C781

Function 0000026DB16A9944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000026DB16A99A1

Part of subcall function 0000026DB16AA814: __GetUnwindTryBlock.LIBCMT ref: 0000026DB16AA857
Part of subcall function 0000026DB16AA814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000026DB16AA87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000026DB16A9A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000026DB16A9CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 0000026DB16A9DDA

Strings

csm, xrefs: 0000026DB16A9A22
csm, xrefs: 0000026DB16A99BB
csm, xrefs: 0000026DB16A9A9C

Memory Dump Source

Source File: 0000001F.00000002.2767375526.0000026DB16A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16a0000_dwm.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 8b2dbfb1c0290860a701e07f0150c360fa714c78082b514e8e4bc3028f1fecd3
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 4DE1C232B20B488AEB60DF65D88839D77A4F74578CF220116EF8957B9DCB36C499C780

Function 0000026DB16DF394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 0000026DB16DF510
GetProcAddress.KERNEL32 ref: 0000026DB16DF51C

Strings

api-ms-, xrefs: 0000026DB16DF45A
ext-ms-, xrefs: 0000026DB16DF46D

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: 23862d01230f99906d7ba31e603bacaa232843ea2f24dfae770fb89b3f623dbd
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: 0E41D432B12A1891FB16CB17AD0C7597391BB55BE8F4B42299D0E8778DEE3AC446C3C0

Function 0000026DB16D104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000026DB16D10B1
RegEnumValueW.ADVAPI32 ref: 0000026DB16D1117
GetProcessHeap.KERNEL32 ref: 0000026DB16D115A
HeapAlloc.KERNEL32 ref: 0000026DB16D1168
GetProcessHeap.KERNEL32 ref: 0000026DB16D1185
HeapFree.KERNEL32 ref: 0000026DB16D1193

Strings

d, xrefs: 0000026DB16D10D6

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: 80980c4cf32087191c45bf0831024f043970d1b07aacf444f87c9caeb67ac13b
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: CC416F33614B88C6E760CF22E84879E77A1F389B9DF458129DA8907B5CDF79C549CB40

Function 0000026DB16DD068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,0000026DB16DC7DE,?,?,?,?,?,?,?,?,0000026DB16DCF9D,?,?,00000001), ref: 0000026DB16DD087
FlsSetValue.KERNEL32(?,?,?,0000026DB16DC7DE,?,?,?,?,?,?,?,?,0000026DB16DCF9D,?,?,00000001), ref: 0000026DB16DD0A6
FlsSetValue.KERNEL32(?,?,?,0000026DB16DC7DE,?,?,?,?,?,?,?,?,0000026DB16DCF9D,?,?,00000001), ref: 0000026DB16DD0CE
FlsSetValue.KERNEL32(?,?,?,0000026DB16DC7DE,?,?,?,?,?,?,?,?,0000026DB16DCF9D,?,?,00000001), ref: 0000026DB16DD0DF
FlsSetValue.KERNEL32(?,?,?,0000026DB16DC7DE,?,?,?,?,?,?,?,?,0000026DB16DCF9D,?,?,00000001), ref: 0000026DB16DD0F0

Strings

1%, xrefs: 0000026DB16DD0CE
Y%, xrefs: 0000026DB16DD0A6

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: 4aa6b3a8704498592abd708b5eb6e15fef0dbd7259eb9a06b53c85cb51cfc9dc
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: 94119830F0468C41FA6877379D5D37962419B947FCF1643249839877DEDE6BC842C280

Function 0000026DB16D7510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000026DB16D7538
__scrt_acquire_startup_lock.LIBCMT ref: 0000026DB16D758A
_RTC_Initialize.LIBCMT ref: 0000026DB16D75B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000026DB16D75DE
__scrt_release_startup_lock.LIBCMT ref: 0000026DB16D7609

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 442f895a101040b9a6ca9aa65b692f4df1b749e70d04fc0ed39d60586071f16d
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 7F810631F0024D86FB589B67AC4D3A923D0B79578CF5745259E284379EEB3BC84587C2

Function 0000026DB16D9DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 0000026DB16D9E49
GetLastError.KERNEL32 ref: 0000026DB16D9E57
LoadLibraryExW.KERNEL32 ref: 0000026DB16D9E81
FreeLibrary.KERNEL32 ref: 0000026DB16D9EC7
GetProcAddress.KERNEL32 ref: 0000026DB16D9ED3

Strings

api-ms-, xrefs: 0000026DB16D9E69

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 6ca346e454cfd92a7849e01f24f1a2e046116f5d531bd515520c9fa46ff87167
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: EA31E832B12648E1EE16DF43EC0875963A4BB48BA8F5B06259D1D4B39CDF3AC445C380

Function 0000026DB16E3DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000026DB16E3DE5
GetLastError.KERNEL32 ref: 0000026DB16E3DF1
CloseHandle.KERNEL32 ref: 0000026DB16E3E09
CreateFileW.KERNEL32 ref: 0000026DB16E3E34
WriteConsoleW.KERNEL32 ref: 0000026DB16E3E53

Strings

CONOUT$, xrefs: 0000026DB16E3E15

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: 6ffd71a2568f34f4d0a4be1afeabc81a42479b8ea2c55d714e7d91cc3bbf7f53
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 4F118F32B10B84C6E7508B56EC4831977A0F798FE9F454325EA5A877A8DF7AC91487C0

Function 0000026DB16D2F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026DB16D2F27
HeapAlloc.KERNEL32 ref: 0000026DB16D2F3A
StrCmpNIW.SHLWAPI ref: 0000026DB16D2FAF
GetProcessHeap.KERNEL32 ref: 0000026DB16D3015
HeapFree.KERNEL32 ref: 0000026DB16D3023

Strings

dialer, xrefs: 0000026DB16D2FA8

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 518d90a15e203b60b77fc06b985c2e5cd065da236590d968bda13b6ce4ccb7ae
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: 7E31D432B01B5992EB15CF1BED4876967A0FB54B88F0A45289F4847B5DEF36C4A1C780

Function 0000026DB16DCFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000026DB16DCFAF
FlsSetValue.KERNEL32(?,?,?,0000026DB16DD6B5,?,?,?,?,0000026DB16DD778), ref: 0000026DB16DCFE5
FlsSetValue.KERNEL32(?,?,?,0000026DB16DD6B5,?,?,?,?,0000026DB16DD778), ref: 0000026DB16DD012
FlsSetValue.KERNEL32(?,?,?,0000026DB16DD6B5,?,?,?,?,0000026DB16DD778), ref: 0000026DB16DD023
FlsSetValue.KERNEL32(?,?,?,0000026DB16DD6B5,?,?,?,?,0000026DB16DD778), ref: 0000026DB16DD034
SetLastError.KERNEL32 ref: 0000026DB16DD04F

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: aadf191c3bc430bf2b71899c07df16868e5666ad7837e1ceb6418e549bce8ab6
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: 19117230F0028C81FA64A7379D4D3692241AF997FCF164764A836877DEEE6BC842C2C0

Function 0000026DB16D199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000026DB16D19C2
K32GetModuleFileNameExW.KERNEL32 ref: 0000026DB16D19E0
PathFindFileNameW.SHLWAPI ref: 0000026DB16D19EF
lstrlenW.KERNEL32 ref: 0000026DB16D19FB
StrCpyW.SHLWAPI ref: 0000026DB16D1A0E
CloseHandle.KERNEL32 ref: 0000026DB16D1A1C

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: 2ef424fd71c33c3275d9d0364e62af2e3daa73f11d3374b53f5eb61c150a89b5
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: F5016932B00A4882EB60DB53E84C39963A1F798BC9F894135DE4943758DF3EC989C780

Function 0000026DB16D36C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000026DB16D36E4
GetCurrentProcess.KERNEL32 ref: 0000026DB16D36F2
VirtualProtectEx.KERNEL32 ref: 0000026DB16D3714
GetCurrentProcess.KERNEL32 ref: 0000026DB16D3732
VirtualProtectEx.KERNEL32 ref: 0000026DB16D3753
TerminateThread.KERNEL32 ref: 0000026DB16D3762

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 9b693a77c80fedb0c5e290b7f00261e59e3aa41f474713aacdf3ed26c8cd5b2a
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 85012D76B11B4882FB649B22EC0C72967B0BB55B8AF460528CD4907758EF3EC148C784

Function 0000026DB16D8FE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026DB16D9013
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026DB16D90A8
RtlUnwindEx.NTDLL ref: 0000026DB16D90F7

Strings

csm, xrefs: 0000026DB16D908E
f, xrefs: 0000026DB16D9026

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction ID: a8ddc4b7fa55c18ae27fb7ec41ef27b85f914138bcb2f2a1d9efbdd7369d3ae6
Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction Fuzzy Hash: 2851DF32B016098AEB14DF27EC4CB5937A6F355B9DF528528EE1A4778CEB36C841C780

Function 0000026DB16D1A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000026DB16D1A60
StrCmpNIW.SHLWAPI ref: 0000026DB16D1A7A
lstrlenW.KERNEL32 ref: 0000026DB16D1A89
StrCpyW.SHLWAPI ref: 0000026DB16D1A9E

Strings

\\?\, xrefs: 0000026DB16D1A6E

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 6cb0346c15be34064597705ea3373a5a206949c9eb0e788294d4bcc24a6b25ad
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 40F0AF33B0064882EB208B21FC8875967A0F758B9CFC94120CA494795CDF7EC68DCB40

Function 0000026DB16D3044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 0000026DB16D3066
StrCpyW.SHLWAPI ref: 0000026DB16D3076
StrCatW.SHLWAPI ref: 0000026DB16D3082
PathCombineW.SHLWAPI ref: 0000026DB16D3090

Strings

\\.\pipe\, xrefs: 0000026DB16D305C

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 3bbfbd0405c91b612498a7494207a9781375a7c4c5686d7bd9aa336d4ec1e5e2
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: AFF08C72B04B8882EA108F13FD0C1196260BB58FD8F89A230EE4A47B1CDF3DC5498780

Function 0000026DB16DBC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000026DB16DBCBD
GetProcAddress.KERNEL32 ref: 0000026DB16DBCD3
FreeLibrary.KERNEL32 ref: 0000026DB16DBCFA

Strings

CorExitProcess, xrefs: 0000026DB16DBCCC
mscoree.dll, xrefs: 0000026DB16DBCB4

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 0f3e6374350b6b08af56951c568dee6a3c39e094098c9b90a3b4e8b2bce32597
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 6DF06272B1160881EB148B25EC4C3596320FB9976DF950319CA6A451ECCF2EC144C780

Function 0000026DB16D5710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026DB16D5726

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
Instruction ID: 7290aec49ca32193504c701ef8a2b982d3efc03b80afbc7b78ee5f1d21fe62db
Opcode Fuzzy Hash: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
Instruction Fuzzy Hash: A9619C36A19B88C6E7608B16E84832A77F1F389798F121115EA8D47BACDF7EC554CB40

Function 0000026DB16E4104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000026DB16E412C
_set_statfp.LIBCMT ref: 0000026DB16E4147
_set_statfp.LIBCMT ref: 0000026DB16E4163
_set_statfp.LIBCMT ref: 0000026DB16E419F

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 2b69298bfac46e0e9955329393b1e83c6515748aae9c4a278b795cb3214705fd
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 2B115133F14B5911FE641578DC5D3F611417BAC3BDFDB0724A976C66DE9A2AC8418280

Function 0000026DB16B3504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000026DB16B352C
_set_statfp.LIBCMT ref: 0000026DB16B3547
_set_statfp.LIBCMT ref: 0000026DB16B3563
_set_statfp.LIBCMT ref: 0000026DB16B359F

Memory Dump Source

Source File: 0000001F.00000002.2767375526.0000026DB16A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16a0000_dwm.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 593f35775e50da7d32896c4b2545752251af864b4640db53a9cca433e2b3f410
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 4511C273F20E1951FBA41569EC5F36B11806B5837CF4B8638AA76063EFCB2ACB4542D0

Function 0000026DB16AF040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000026DB16AF124

Strings

or copy constructor iterator', xrefs: 0000026DB16AF25A, 0000026DB16AF275
Tuesday, xrefs: 0000026DB16AF0F4
Wednesday, xrefs: 0000026DB16AF1ED

Memory Dump Source

Source File: 0000001F.00000002.2767375526.0000026DB16A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16a0000_dwm.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 5ebd46b730b06b6c3a7c5ba3bded52db2250872c8954f7079273c702de355f0d
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 5061E736F2024C42FA659B65DC5C36E6AA1F78278DF538595CA0A037ACDB37D849C382

Function 0000026DB16DAA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0000026DB16DAA68
_CallSETranslator.LIBVCRUNTIME ref: 0000026DB16DAAB7

Strings

MOC, xrefs: 0000026DB16DAA7C
RCC, xrefs: 0000026DB16DAA85

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 69a9012ee5ea0548b0d2bbdee781d3d077830e5aa702081f5ddeea3bace69942
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 57617C33B05B888AEB20DF66D84439D77A0F344B9CF094215EF4957BA8DB39D595C780

Function 0000026DB16DAD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026DB16DADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000026DB16DAE88

Strings

csm, xrefs: 0000026DB16DAEDA
csm, xrefs: 0000026DB16DADC2

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 327da065cc4a45ab55e3526cc89f2f74f37924d3f51ae6d31c598fe3f463d74a
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 73519472B083888AEB748F27D98835977A0F394B8DF168155DA5987BEDCB39D450C780

Function 0000026DB16AA178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026DB16AA1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000026DB16AA288

Strings

csm, xrefs: 0000026DB16AA1C2
csm, xrefs: 0000026DB16AA2DA

Memory Dump Source

Source File: 0000001F.00000002.2767375526.0000026DB16A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16a0000_dwm.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 39c8cd57d63b7f08941b248c3afec0bb9246d15bfd564bc99c248fffc6297a81
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 5051A232B20388CAEB748F15984835C77A0F755B8CF198117DA99C7BD9CB7AD468C780

Function 0000026DB16A8405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026DB16A8413
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026DB16A84A8

Strings

f, xrefs: 0000026DB16A8426
csm, xrefs: 0000026DB16A848E

Memory Dump Source

Source File: 0000001F.00000002.2767375526.0000026DB16A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16a0000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: ba0babd600ad823bb9d1fc2a7acd5a32e61694e61a44cef9269ad75d2de4c871
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 5D51D332F212088AEB94DF15E80CB5937A9F350B9DF628124DE864378CEB36CC48C784

Function 0000026DB16A83E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026DB16A8413
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026DB16A84A8

Strings

f, xrefs: 0000026DB16A8426
csm, xrefs: 0000026DB16A848E

Memory Dump Source

Source File: 0000001F.00000002.2767375526.0000026DB16A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16a0000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 47f39dc684159c25b116328b957df09f68f0ed95ef83e230d460e5f3f8123675
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 6E31CE32B217449AE754DF11EC4CB5A77A8F340B8DF268018EE9A4378DDB3AC944C784

Function 0000026DB16E2058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000026DB16E20D7
WriteFile.KERNEL32 ref: 0000026DB16E239F
WriteFile.KERNEL32 ref: 0000026DB16E23E5
GetLastError.KERNEL32 ref: 0000026DB16E249B

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: 91fbc802da0b0297f9476339cf9a4bd1c78bf95e9cf061a25798af8d89c02c3e
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: D0D1F173B15A88C9E711CFA9D84839C3BB2F35879CF91821ACE5997B9DDA35C506C380

Function 0000026DB16D14A4 Relevance: 6.3, APIs: 5, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026DB16D14C5
HeapFree.KERNEL32 ref: 0000026DB16D14D4
GetProcessHeap.KERNEL32 ref: 0000026DB16D14E1
HeapFree.KERNEL32 ref: 0000026DB16D14F0
GetProcessHeap.KERNEL32 ref: 0000026DB16D1500

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction ID: 8684bb06715233c5d01a5712643569e94e2febd60b731d297dff651c11180fa2
Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction Fuzzy Hash: 0F015A33A11B98C6E705DF6AED0818E77A1F798F8AF464529EA4A43729DE39C051C780

Function 0000026DB16E2980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 0000026DB16E2A9C
GetLastError.KERNEL32 ref: 0000026DB16E2B27

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: 14595e801368312b2b4d049948148bbe312ee04c196abcc8c76a6b5ef54d77ac
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: B791C373F1065885FB609F65DC883AD3BA2B758B8CF96420DDE0A5769CDB36C486C780

Function 0000026DB16D7960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000026DB16D798C
GetCurrentThreadId.KERNEL32 ref: 0000026DB16D799A
GetCurrentProcessId.KERNEL32 ref: 0000026DB16D79A6
QueryPerformanceCounter.KERNEL32 ref: 0000026DB16D79B6

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: b3c880933e97eaa639dd4f6a8f64ed9772496b6a4d29c3b49defe1f114df9023
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 89112E32B10F0589EB00CF65EC583A833A4F75976CF450E25EA6D467A8DF79C198C380

Function 0000026DB16D253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000026DB16D2620
StrCpyW.SHLWAPI ref: 0000026DB16D2639

Strings

\\.\pipe\, xrefs: 0000026DB16D262B

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 298022a7acc73565e250f33f8b31f08b428c813ca84fb372204810daa8dcb42c
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: A971AF36B0078996E7749E27DC483BA67A4F389B88F57002ADD0A53B8DDB76C645C780

Function 0000026DB16A9E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000026DB16A9EB7

Strings

MOC, xrefs: 0000026DB16A9E7C
RCC, xrefs: 0000026DB16A9E85

Memory Dump Source

Source File: 0000001F.00000002.2767375526.0000026DB16A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16a0000_dwm.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: e0b3fd25bbba28315ba649b84fa609878df92712a1dc12a9c2592f7d9f34f948
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: A6615832B10B888AEB20DF65D84439D77A0F744B8CF154216EF4917B9DDB39D599C780

Function 0000026DB16D2330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000026DB16D2416
StrCpyW.SHLWAPI ref: 0000026DB16D242D

Strings

\\.\pipe\, xrefs: 0000026DB16D2421

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 0c2d0216a09e7878ccb6a2058fb5a8597ee3a79d05e1c0a718a1d56be4797acd
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 2F510532B0438991E675DF2BE89C3AA6761F385788F860129DE4A03B9DCA3BC545C7C0

Function 0000026DB16E26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000026DB16E2807
GetLastError.KERNEL32 ref: 0000026DB16E2829

Strings

U, xrefs: 0000026DB16E27B3

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 410ec2598750b0416dfc0247b74c10f1dc0129761037cd2abae50b5229506de2
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 3C41C473B14A8886DB20CF25EC483AA77A1F798798F824125EE4D87798EB7DC545C780

Function 0000026DB16D94A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000026DB16D94F0
RaiseException.KERNEL32 ref: 0000026DB16D9531

Strings

csm, xrefs: 0000026DB16D951E

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 6597dff648576a4e1a734d6d6906ea731fc3c42b6a67da9cd1ec9f65bfd95259
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 71113A32615B8482EB618F16F848359B7E5FB88B98F594220EE8D07B6DDF3EC551CB40

Function 0000026DB16A7356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000026DB16A737C

Strings

ierarchy Descriptor', xrefs: 0000026DB16A7381
riptor at (, xrefs: 0000026DB16A7364

Memory Dump Source

Source File: 0000001F.00000002.2767375526.0000026DB16A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16a0000_dwm.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: afbb4bd82e327e952dd37b9e92ac0c03032dd50679c374ef09ccae5e46efb32c
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: F8E08671B50B8890DF019F21EC452D833A4DB5AB68B599122DA5C06315FA38D1F9C340

Function 0000026DB16A73B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000026DB16A73D8

Strings

Locator', xrefs: 0000026DB16A73DD
riptor at (, xrefs: 0000026DB16A73C0

Memory Dump Source

Source File: 0000001F.00000002.2767375526.0000026DB16A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16a0000_dwm.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 573625d22f3197b235dd74c315a9913689c20fc06301d169117061f96ebbf3f0
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: F4E08671B10B4880DF029F21D8411D87364E75AB58B899122CA4C06315EA38D1E9C340

Function 0000026DB16D1BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026DB16D1C2D
HeapAlloc.KERNEL32 ref: 0000026DB16D1C3B
GetProcessHeap.KERNEL32 ref: 0000026DB16D1C77
HeapFree.KERNEL32 ref: 0000026DB16D1C85

Part of subcall function 0000026DB16D152C: StrCmpIW.SHLWAPI ref: 0000026DB16D155D

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: d475f02128de9ffa17f94c88c8097d29b2a1ac63b93d49f67c48d5d7655aa532
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: CF11BF36B11B48C1EA04CB6BE80826973A0FB88FC9F4A4128CE4D43769DE7AC442C380

Function 0000026DB16D1268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026DB16D126E
HeapAlloc.KERNEL32 ref: 0000026DB16D127D
GetProcessHeap.KERNEL32 ref: 0000026DB16D1297
HeapAlloc.KERNEL32 ref: 0000026DB16D12A8

Memory Dump Source

Source File: 0000001F.00000002.2767423019.0000026DB16D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB16D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_26db16d0000_dwm.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: d156c2d851116e99625aeddfa7d07a7ba4cbc1913b20b34856ab55b3619dfbea
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 1DE06D36B2160886EB058F66DC0C38E36E1FB99F1AF86C128C90907355DF7EC499C790

Analysis Process: svchost.exePID: 364, Parent PID: 7188COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	81
Total number of Limit Nodes:	2

Executed Functions

Function 000002A3F0661628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002A3F0661633
HeapAlloc.KERNEL32 ref: 000002A3F0661642

Part of subcall function 000002A3F0661268: GetProcessHeap.KERNEL32 ref: 000002A3F066126E
Part of subcall function 000002A3F0661268: HeapAlloc.KERNEL32 ref: 000002A3F066127D
Part of subcall function 000002A3F0661268: GetProcessHeap.KERNEL32 ref: 000002A3F0661297
Part of subcall function 000002A3F0661268: HeapAlloc.KERNEL32 ref: 000002A3F06612A8

RegOpenKeyExW.ADVAPI32 ref: 000002A3F06616B2
RegOpenKeyExW.ADVAPI32 ref: 000002A3F06616DF
RegCloseKey.ADVAPI32 ref: 000002A3F06616F9
RegOpenKeyExW.ADVAPI32 ref: 000002A3F0661719
RegCloseKey.ADVAPI32 ref: 000002A3F0661734
RegOpenKeyExW.ADVAPI32 ref: 000002A3F0661754
RegCloseKey.ADVAPI32 ref: 000002A3F066176F
RegOpenKeyExW.ADVAPI32 ref: 000002A3F066178F
RegCloseKey.ADVAPI32 ref: 000002A3F06617AA
RegOpenKeyExW.ADVAPI32 ref: 000002A3F06617CA
RegCloseKey.ADVAPI32 ref: 000002A3F06617E5
RegOpenKeyExW.ADVAPI32 ref: 000002A3F0661805
RegCloseKey.ADVAPI32 ref: 000002A3F0661820
RegOpenKeyExW.ADVAPI32 ref: 000002A3F0661840
RegCloseKey.ADVAPI32 ref: 000002A3F066185B
RegOpenKeyExW.ADVAPI32 ref: 000002A3F066187B
RegCloseKey.ADVAPI32 ref: 000002A3F0661896
RegCloseKey.ADVAPI32 ref: 000002A3F06618A0

Part of subcall function 000002A3F06612BC: RegQueryInfoKeyW.ADVAPI32 ref: 000002A3F0661319
Part of subcall function 000002A3F06612BC: GetProcessHeap.KERNEL32 ref: 000002A3F0661327
Part of subcall function 000002A3F06612BC: HeapAlloc.KERNEL32 ref: 000002A3F0661338
Part of subcall function 000002A3F06612BC: RegEnumValueW.ADVAPI32 ref: 000002A3F0661397
Part of subcall function 000002A3F06612BC: GetProcessHeap.KERNEL32 ref: 000002A3F06613DF
Part of subcall function 000002A3F06612BC: HeapAlloc.KERNEL32 ref: 000002A3F06613ED
Part of subcall function 000002A3F06612BC: GetProcessHeap.KERNEL32 ref: 000002A3F066140A
Part of subcall function 000002A3F06612BC: HeapFree.KERNEL32 ref: 000002A3F0661418
Part of subcall function 000002A3F06612BC: lstrlenW.KERNEL32 ref: 000002A3F0661421
Part of subcall function 000002A3F06612BC: GetProcessHeap.KERNEL32 ref: 000002A3F066142F
Part of subcall function 000002A3F06612BC: HeapAlloc.KERNEL32 ref: 000002A3F066143D

Strings

paths, xrefs: 000002A3F0661788
pid, xrefs: 000002A3F0661712
startup, xrefs: 000002A3F06616D5
SOFTWARE\dialerconfig, xrefs: 000002A3F0661692
udp, xrefs: 000002A3F0661874
process_names, xrefs: 000002A3F066174D
tcp_remote, xrefs: 000002A3F0661839
service_names, xrefs: 000002A3F06617C3
tcp_local, xrefs: 000002A3F06617FE

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: d6e49efe3d81a32690fa77fe862616ae2cfdfda5e723070bc013a806f6e0db3f
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 5E71EB26B20A508BEB90DF69EC5865D2374F7A7B88F041121F94E9BF69EE34C644C741

Function 000002A3F066328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002A3F06632AE
PathFindFileNameW.SHLWAPI ref: 000002A3F06632BD

Part of subcall function 000002A3F0663844: StrCmpNIW.SHLWAPI ref: 000002A3F066385C

Part of subcall function 000002A3F0663790: GetModuleHandleW.KERNEL32 ref: 000002A3F066379E
Part of subcall function 000002A3F0663790: GetCurrentProcess.KERNEL32 ref: 000002A3F06637CC
Part of subcall function 000002A3F0663790: VirtualProtectEx.KERNEL32 ref: 000002A3F06637EE
Part of subcall function 000002A3F0663790: GetCurrentProcess.KERNEL32 ref: 000002A3F0663809
Part of subcall function 000002A3F0663790: VirtualProtectEx.KERNEL32 ref: 000002A3F066382A

CreateThread.KERNEL32 ref: 000002A3F066330B

Part of subcall function 000002A3F0661D14: GetCurrentThread.KERNEL32 ref: 000002A3F0661D1F

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 7e9bf6ca3dc4cd1ea628d8b54d7181c9f962757dd9737672e5874ad7b75af4a2
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 53110370F306918BFAE0DB29AE4D3AD2294EB67348F504138B906D9E91FF78C2448642

Function 000002A3F0661ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002A3F0661628: GetProcessHeap.KERNEL32 ref: 000002A3F0661633
Part of subcall function 000002A3F0661628: HeapAlloc.KERNEL32 ref: 000002A3F0661642
Part of subcall function 000002A3F0661628: RegOpenKeyExW.ADVAPI32 ref: 000002A3F06616B2
Part of subcall function 000002A3F0661628: RegOpenKeyExW.ADVAPI32 ref: 000002A3F06616DF
Part of subcall function 000002A3F0661628: RegCloseKey.ADVAPI32 ref: 000002A3F06616F9
Part of subcall function 000002A3F0661628: RegOpenKeyExW.ADVAPI32 ref: 000002A3F0661719
Part of subcall function 000002A3F0661628: RegCloseKey.ADVAPI32 ref: 000002A3F0661734
Part of subcall function 000002A3F0661628: RegOpenKeyExW.ADVAPI32 ref: 000002A3F0661754
Part of subcall function 000002A3F0661628: RegCloseKey.ADVAPI32 ref: 000002A3F066176F
Part of subcall function 000002A3F0661628: RegOpenKeyExW.ADVAPI32 ref: 000002A3F066178F
Part of subcall function 000002A3F0661628: RegCloseKey.ADVAPI32 ref: 000002A3F06617AA
Part of subcall function 000002A3F0661628: RegOpenKeyExW.ADVAPI32 ref: 000002A3F06617CA

Sleep.KERNEL32 ref: 000002A3F0661AD7
SleepEx.KERNELBASE ref: 000002A3F0661ADD

Part of subcall function 000002A3F0661628: RegCloseKey.ADVAPI32 ref: 000002A3F06617E5
Part of subcall function 000002A3F0661628: RegOpenKeyExW.ADVAPI32 ref: 000002A3F0661805
Part of subcall function 000002A3F0661628: RegCloseKey.ADVAPI32 ref: 000002A3F0661820
Part of subcall function 000002A3F0661628: RegOpenKeyExW.ADVAPI32 ref: 000002A3F0661840
Part of subcall function 000002A3F0661628: RegCloseKey.ADVAPI32 ref: 000002A3F066185B
Part of subcall function 000002A3F0661628: RegOpenKeyExW.ADVAPI32 ref: 000002A3F066187B
Part of subcall function 000002A3F0661628: RegCloseKey.ADVAPI32 ref: 000002A3F0661896
Part of subcall function 000002A3F0661628: RegCloseKey.ADVAPI32 ref: 000002A3F06618A0

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 18493aa65fc7477a11afd4ac97f0363bec50394c762ef9b304816d61159171c0
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 6631B451B205414BEFD0DB2ADE6936D53A4EBA7BC4F0C5431AE0ACFA95FE34C6518212

Function 000002A3EFFC273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002A3EFFC285E

Memory Dump Source

Source File: 00000020.00000002.2709411289.000002A3EFFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3EFFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3effc0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 0f6afa320c4a75fa81fbb62ff1d4a206d0eb164a0ac9f5765956537095b3a2cd
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 10613432B012A087DB68CF15C60872D7392FB95BA4F188123EE5983BC8DE78D953D709

Non-executed Functions

Function 000002A3F0662B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000002A3F0662BD0
lstrlenW.KERNEL32 ref: 000002A3F0662E0A

Part of subcall function 000002A3F066199C: OpenProcess.KERNEL32 ref: 000002A3F06619C2
Part of subcall function 000002A3F066199C: K32GetModuleFileNameExW.KERNEL32 ref: 000002A3F06619E0
Part of subcall function 000002A3F066199C: PathFindFileNameW.SHLWAPI ref: 000002A3F06619EF
Part of subcall function 000002A3F066199C: lstrlenW.KERNEL32 ref: 000002A3F06619FB
Part of subcall function 000002A3F066199C: StrCpyW.SHLWAPI ref: 000002A3F0661A0E
Part of subcall function 000002A3F066199C: CloseHandle.KERNEL32 ref: 000002A3F0661A1C

GetProcAddress.KERNEL32 ref: 000002A3F0662BE5

Part of subcall function 000002A3F066152C: StrCmpIW.SHLWAPI ref: 000002A3F066155D

Part of subcall function 000002A3F0663844: StrCmpNIW.SHLWAPI ref: 000002A3F066385C

StrCmpNIW.SHLWAPI ref: 000002A3F0662C28
lstrlenW.KERNEL32 ref: 000002A3F0662D50

Strings

NtQueryObject, xrefs: 000002A3F0662BDB
ntdll.dll, xrefs: 000002A3F0662BC9
\Device\Nsi, xrefs: 000002A3F0662C1B

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: e7264185e6627ca7a152c45ea673191d5828ce264668469caef4e6d9760e183d
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 1CB17161B20A528BEBD4CF29D85876D63A4FB67B88F045035F9499BF94EE35CA40C341

Function 000002A3F0667D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002A3F0667DAC
RtlCaptureContext.NTDLL ref: 000002A3F0667DD9
RtlLookupFunctionEntry.NTDLL ref: 000002A3F0667DF3
RtlVirtualUnwind.NTDLL ref: 000002A3F0667E34
IsDebuggerPresent.KERNEL32 ref: 000002A3F0667E88
SetUnhandledExceptionFilter.KERNEL32 ref: 000002A3F0667EA9
UnhandledExceptionFilter.KERNEL32 ref: 000002A3F0667EB4

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: 8a2399726a7e03ffd8de5c654530bf9e493a26281a99b78894901c300c8f31c7
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 7A315E72725B808AEBA0DF64E8543ED7360F796744F44443AEA4D87B95EF38C648C711

Function 000002A3F066D2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002A3F066D31D
RtlLookupFunctionEntry.NTDLL ref: 000002A3F066D335
RtlVirtualUnwind.NTDLL ref: 000002A3F066D370
IsDebuggerPresent.KERNEL32 ref: 000002A3F066D3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 000002A3F066D3B3
UnhandledExceptionFilter.KERNEL32 ref: 000002A3F066D3BE

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 4648a46d89f0ed24374a6d89c06c8292b8bddab6eb90024b74db4ccdf504cc36
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 04315D32B24B808ADBA0CB29E8443AE73A4F79A754F500125FA9D87B55EF38C245CB01

Function 000002A3F06612BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002A3F0661319
GetProcessHeap.KERNEL32 ref: 000002A3F0661327
HeapAlloc.KERNEL32 ref: 000002A3F0661338
RegEnumValueW.ADVAPI32 ref: 000002A3F0661397

Part of subcall function 000002A3F066152C: StrCmpIW.SHLWAPI ref: 000002A3F066155D

GetProcessHeap.KERNEL32 ref: 000002A3F06613DF
HeapAlloc.KERNEL32 ref: 000002A3F06613ED
GetProcessHeap.KERNEL32 ref: 000002A3F066140A
HeapFree.KERNEL32 ref: 000002A3F0661418
lstrlenW.KERNEL32 ref: 000002A3F0661421
GetProcessHeap.KERNEL32 ref: 000002A3F066142F
HeapAlloc.KERNEL32 ref: 000002A3F066143D
StrCpyW.SHLWAPI ref: 000002A3F066145F
GetProcessHeap.KERNEL32 ref: 000002A3F0661476
HeapFree.KERNEL32 ref: 000002A3F0661484

Strings

d, xrefs: 000002A3F066135A

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: 6d6c9081a9e9c9d4ad7192b94bb72c94a9a7c429cca7302e1de0babd91853f21
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: A2516E32B10B848BEB94CF6AE94C35A77A1F79AB99F444134EA494BB18EF3CC145C701

Function 000002A3F0661D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002A3F0661D1F

Part of subcall function 000002A3F0661FD4: GetModuleHandleA.KERNEL32 ref: 000002A3F0661FEC
Part of subcall function 000002A3F0661FD4: GetProcAddress.KERNEL32 ref: 000002A3F0661FFD

Part of subcall function 000002A3F0665B30: GetCurrentThreadId.KERNEL32 ref: 000002A3F0665B6B

Strings

ntdll.dll, xrefs: 000002A3F0661D2D
sechost.dll, xrefs: 000002A3F0661E39
NtQueryDirectoryFileEx, xrefs: 000002A3F0661D9C
NtDeviceIoControlFile, xrefs: 000002A3F0661E56
EnumServiceGroupW, xrefs: 000002A3F0661DF0
EnumServicesStatusExW, xrefs: 000002A3F0661E11, 000002A3F0661E32
NtEnumerateKey, xrefs: 000002A3F0661DB9
NtQuerySystemInformation, xrefs: 000002A3F0661D45
advapi32.dll, xrefs: 000002A3F0661DF7, 000002A3F0661E18
NtEnumerateValueKey, xrefs: 000002A3F0661DD6
NtResumeThread, xrefs: 000002A3F0661D62
NtQueryDirectoryFile, xrefs: 000002A3F0661D7F

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: f24ac17cebfaa1330c927da688690566a7c830514d95f9ff872cdd76f91d0775
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: 3531B9A4F30947ABEAC1DB5DED596E82360FB23748F840533B4099AD61FE788349C352

Function 000002A3EFFC6910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002A3EFFC6938
__scrt_acquire_startup_lock.LIBCMT ref: 000002A3EFFC698A
_RTC_Initialize.LIBCMT ref: 000002A3EFFC69B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002A3EFFC69DE
__scrt_release_startup_lock.LIBCMT ref: 000002A3EFFC6A09

Strings

`eh vector copy constructor iterator', xrefs: 000002A3EFFC6A3B
`dynamic initializer for ', xrefs: 000002A3EFFC69C7
`eh vector vbase copy constructor iterator', xrefs: 000002A3EFFC69EE
scriptor', xrefs: 000002A3EFFC6B39, 000002A3EFFC6BB2, 000002A3EFFC6BEC

Memory Dump Source

Source File: 00000020.00000002.2709411289.000002A3EFFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3EFFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3effc0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: dc9269e48c0f5cace3bc677973e2ab88cdbd6d3f94d8d7241233d29b055281a4
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: C581022170826187FB54EB6597483992290EF87B80F588027BA0DC7796DFF9CB47830B

Function 000002A3F066CE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 000002A3F066CE37
FlsGetValue.KERNEL32(?,?,?,000002A3F0670A6B,?,?,?,000002A3F067045C,?,?,?,000002A3F066C84F), ref: 000002A3F066CE4C
FlsSetValue.KERNEL32(?,?,?,000002A3F0670A6B,?,?,?,000002A3F067045C,?,?,?,000002A3F066C84F), ref: 000002A3F066CE6D
FlsSetValue.KERNEL32(?,?,?,000002A3F0670A6B,?,?,?,000002A3F067045C,?,?,?,000002A3F066C84F), ref: 000002A3F066CE9A
FlsSetValue.KERNEL32(?,?,?,000002A3F0670A6B,?,?,?,000002A3F067045C,?,?,?,000002A3F066C84F), ref: 000002A3F066CEAB
FlsSetValue.KERNEL32(?,?,?,000002A3F0670A6B,?,?,?,000002A3F067045C,?,?,?,000002A3F066C84F), ref: 000002A3F066CEBC
SetLastError.KERNEL32 ref: 000002A3F066CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002A3F0670A6B,?,?,?,000002A3F067045C,?,?,?,000002A3F066C84F), ref: 000002A3F066CF0D
FlsSetValue.KERNEL32(?,?,00000001,000002A3F066ECCC,?,?,?,?,000002A3F066BF9F,?,?,?,?,?,000002A3F0667AB0), ref: 000002A3F066CF2C

Part of subcall function 000002A3F066D6CC: HeapAlloc.KERNEL32 ref: 000002A3F066D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A3F0670A6B,?,?,?,000002A3F067045C,?,?,?,000002A3F066C84F), ref: 000002A3F066CF54

Part of subcall function 000002A3F066D744: HeapFree.KERNEL32 ref: 000002A3F066D75A
Part of subcall function 000002A3F066D744: GetLastError.KERNEL32 ref: 000002A3F066D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A3F0670A6B,?,?,?,000002A3F067045C,?,?,?,000002A3F066C84F), ref: 000002A3F066CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A3F0670A6B,?,?,?,000002A3F067045C,?,?,?,000002A3F066C84F), ref: 000002A3F066CF76

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: f1e0c32bd247f23febaa2d1440be5bafbc7f5de1e564a85961e4f744f3d8ce33
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: B9415E20B21A484BF9E8E72D9D5D33D1292DFB77B0F540634B526CEED6FD7886418202

Function 000002A3F0662244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002A3F0662259
GetCurrentProcessId.KERNEL32 ref: 000002A3F0662263

Part of subcall function 000002A3F0661934: OpenProcess.KERNEL32 ref: 000002A3F0661952
Part of subcall function 000002A3F0661934: IsWow64Process.KERNEL32 ref: 000002A3F0661968
Part of subcall function 000002A3F0661934: CloseHandle.KERNEL32 ref: 000002A3F0661983

CreateFileW.KERNEL32 ref: 000002A3F06622BC
WriteFile.KERNEL32 ref: 000002A3F06622E4
ReadFile.KERNEL32 ref: 000002A3F0662303
CloseHandle.KERNEL32 ref: 000002A3F066230C

Strings

\\.\pipe\dialerchildproc64, xrefs: 000002A3F066228C
\\.\pipe\dialerchildproc32, xrefs: 000002A3F0662293

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: a19daec8a18c35cea35f3239cae1c3faf59040c82aea722701d635c2e9829244
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: B1213036B24B4187FB50CB29E94835977A0F7977A4F500225FA5986FA8EF7CC249CB01

Function 000002A3EFFC9944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002A3EFFC99A1

Part of subcall function 000002A3EFFCA814: __GetUnwindTryBlock.LIBCMT ref: 000002A3EFFCA857
Part of subcall function 000002A3EFFCA814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002A3EFFCA87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002A3EFFC9A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002A3EFFC9CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002A3EFFC9DDA

Strings

csm, xrefs: 000002A3EFFC9A9C
csm, xrefs: 000002A3EFFC9A22
csm, xrefs: 000002A3EFFC99BB

Memory Dump Source

Source File: 00000020.00000002.2709411289.000002A3EFFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3EFFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3effc0000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 756abd358e7a4783bdb9069bfade4474d8c2165fbc66eb76eb7e7523a4ab8011
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 5AE19F327047608BEB60DB25D68839D3BA0FB46B88F100117FE8997B95EF74C292C706

Function 000002A3F066A544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002A3F066A5A1

Part of subcall function 000002A3F066B414: __GetUnwindTryBlock.LIBCMT ref: 000002A3F066B457
Part of subcall function 000002A3F066B414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002A3F066B47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002A3F066A679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002A3F066A8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002A3F066A9DA

Strings

csm, xrefs: 000002A3F066A622
csm, xrefs: 000002A3F066A5BB
csm, xrefs: 000002A3F066A69C

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: aa4e658e917060183268f1c8c89f55de4d13d97c418d00fdcdb57fe31860dc90
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 46E17072B207408BEBA0DF69D84439DB7A4F767798F101125EE899BB55EF34C681CB02

Function 000002A3F066F394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32 ref: 000002A3F066F510
GetProcAddress.KERNEL32 ref: 000002A3F066F51C

Strings

ext-ms-, xrefs: 000002A3F066F46D
api-ms-, xrefs: 000002A3F066F45A

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: 61af6b0a54addee8a0ecf1aaa533085d9c45a3ae1263d377a5430f1ccd05ebfc
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: B641B322B35A004BEA95CB1EAD0875A23D5F767BA0F454135BD0ACBF85FE38C6458342

Function 000002A3F066104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002A3F06610B1
RegEnumValueW.ADVAPI32 ref: 000002A3F0661117
GetProcessHeap.KERNEL32 ref: 000002A3F066115A
HeapAlloc.KERNEL32 ref: 000002A3F0661168
GetProcessHeap.KERNEL32 ref: 000002A3F0661185
HeapFree.KERNEL32 ref: 000002A3F0661193

Strings

d, xrefs: 000002A3F06610D6

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: a57b92eb83caeb59451c4dd08226f081d89081f5fb86dd51c534ee38d9341f93
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: F5416633614B84CBE790CF25E84875EB7A1F396B98F448125EB894BB58EF38C545CB41

Function 000002A3F066D068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FlsGetValue.KERNEL32(?,?,?,000002A3F066C7DE,?,?,?,?,?,?,?,?,000002A3F066CF9D,?,?,00000001), ref: 000002A3F066D087
FlsSetValue.KERNEL32(?,?,?,000002A3F066C7DE,?,?,?,?,?,?,?,?,000002A3F066CF9D,?,?,00000001), ref: 000002A3F066D0A6
FlsSetValue.KERNEL32(?,?,?,000002A3F066C7DE,?,?,?,?,?,?,?,?,000002A3F066CF9D,?,?,00000001), ref: 000002A3F066D0CE
FlsSetValue.KERNEL32(?,?,?,000002A3F066C7DE,?,?,?,?,?,?,?,?,000002A3F066CF9D,?,?,00000001), ref: 000002A3F066D0DF
FlsSetValue.KERNEL32(?,?,?,000002A3F066C7DE,?,?,?,?,?,?,?,?,000002A3F066CF9D,?,?,00000001), ref: 000002A3F066D0F0

Strings

Y%, xrefs: 000002A3F066D0A6
1%, xrefs: 000002A3F066D0CE

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: ac8d096a898dd5730031bc9e1ba0e049e1f0257e5f93eefe9e65e4ec58292f3b
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: FC113020F242444BF9E4DB2D9E5936D5245EB777F0F244234B929CEEDAFE7886428602

Function 000002A3F0667510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002A3F0667538
__scrt_acquire_startup_lock.LIBCMT ref: 000002A3F066758A
_RTC_Initialize.LIBCMT ref: 000002A3F06675B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002A3F06675DE
__scrt_release_startup_lock.LIBCMT ref: 000002A3F0667609

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 8d697aec170fad2f7e85e90d89f1eeed496da71b7a4a8009cf33773665725167
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 89814A21F306418FFAE4DB6DAC6939D2690EBA7780F144535B905CBE96FE38CB458702

Function 000002A3F0669DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000002A3F0669E49
GetLastError.KERNEL32 ref: 000002A3F0669E57
LoadLibraryExW.KERNEL32 ref: 000002A3F0669E81
FreeLibrary.KERNEL32 ref: 000002A3F0669EC7
GetProcAddress.KERNEL32 ref: 000002A3F0669ED3

Strings

api-ms-, xrefs: 000002A3F0669E69

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 4aec6992857ec9459b33fbbd1df24a7ccaf45efe0a0ea625233a08a79b74cc52
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 5031EB21B22640DBEF91DB0AAC087592298FB67B60F590535BD1D8FB50FF39C6458312

Function 000002A3F0673DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002A3F0673DE5
GetLastError.KERNEL32 ref: 000002A3F0673DF1
CloseHandle.KERNEL32 ref: 000002A3F0673E09
CreateFileW.KERNEL32 ref: 000002A3F0673E34
WriteConsoleW.KERNEL32 ref: 000002A3F0673E53

Strings

CONOUT$, xrefs: 000002A3F0673E15

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: add0cb81a92618d40f986f0cde770ccea769e84635dcd21c0a004aec72a4038a
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 50118121B20A408BEB90CB1AED5831967A4F7AAFE4F440235FA59C7B94EF38C6448741

Function 000002A3F0663790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002A3F066379E
GetCurrentProcess.KERNEL32 ref: 000002A3F06637CC
VirtualProtectEx.KERNEL32 ref: 000002A3F06637EE
GetCurrentProcess.KERNEL32 ref: 000002A3F0663809
VirtualProtectEx.KERNEL32 ref: 000002A3F066382A

Strings

wr, xrefs: 000002A3F06637FF

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 3f74865dcc16d314186019eeb74bf5e6ff4b2034cf18aa14283d1b7df7a44b63
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 8C117C26B207408BFF94DB29E90826962A0F75BB85F440038FE8987B54FF3DC605C705

Function 000002A3F0665B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002A3F0665B6B
GetThreadContext.KERNEL32 ref: 000002A3F0665CD5

Part of subcall function 000002A3F0665960: GetCurrentThreadId.KERNEL32 ref: 000002A3F0665964

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: 8e4faef13cc65b4df83bcb70224ef88637d80fa51eeabec05ec18b16e28f9ac7
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: C5D1AF76615B4886DBB0DB0AE89535E77A0F7DAB84F100126EACD8BB65DF3CC641CB01

Function 000002A3F0662F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002A3F0662F27
HeapAlloc.KERNEL32 ref: 000002A3F0662F3A
StrCmpNIW.SHLWAPI ref: 000002A3F0662FAF
GetProcessHeap.KERNEL32 ref: 000002A3F0663015
HeapFree.KERNEL32 ref: 000002A3F0663023

Strings

dialer, xrefs: 000002A3F0662FA8

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: ea9854439b511021aae1834001287969d1888a578fed51192c4f0273032b74c8
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: 87319521B11B518BEB94CF1A9D4876D67A0FB67B88F084030BE488BF55FF34C5658701

Function 000002A3F066CFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002A3F066CFAF
FlsSetValue.KERNEL32(?,?,?,000002A3F066D6B5,?,?,?,?,000002A3F066D778), ref: 000002A3F066CFE5
FlsSetValue.KERNEL32(?,?,?,000002A3F066D6B5,?,?,?,?,000002A3F066D778), ref: 000002A3F066D012
FlsSetValue.KERNEL32(?,?,?,000002A3F066D6B5,?,?,?,?,000002A3F066D778), ref: 000002A3F066D023
FlsSetValue.KERNEL32(?,?,?,000002A3F066D6B5,?,?,?,?,000002A3F066D778), ref: 000002A3F066D034
SetLastError.KERNEL32 ref: 000002A3F066D04F

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 947d3cf771b2348594020022dc32aacc64b00baa03c3a342095d6466a6564fa0
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: 38113020F216444BFAD4D7299E5D32D1282EBB77B4F540634B936CFED6FD7886418602

Function 000002A3F066199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002A3F06619C2
K32GetModuleFileNameExW.KERNEL32 ref: 000002A3F06619E0
PathFindFileNameW.SHLWAPI ref: 000002A3F06619EF
lstrlenW.KERNEL32 ref: 000002A3F06619FB
StrCpyW.SHLWAPI ref: 000002A3F0661A0E
CloseHandle.KERNEL32 ref: 000002A3F0661A1C

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: c550c66311b3ef4270f20c8bfef90b432a44ad43bf1d2da68e71925a700b0db7
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 5D016D21B20A408BEB90DB5AA84C75963A1F79ABC4F884035FE4987B55EF3CC689C741

Function 000002A3F06636C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002A3F06636E4
GetCurrentProcess.KERNEL32 ref: 000002A3F06636F2
VirtualProtectEx.KERNEL32 ref: 000002A3F0663714
GetCurrentProcess.KERNEL32 ref: 000002A3F0663732
VirtualProtectEx.KERNEL32 ref: 000002A3F0663753
TerminateThread.KERNEL32 ref: 000002A3F0663762

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: ac31b1d2c87613b3d1a4613d73019e2fecec1a5e9f17726b67783639fbd08a0f
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: EE010C65B217408BEFA4DB2AED4C71967A0FB67B85F040434E94986B54FF3DC2448705

Function 000002A3F0669005 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A3F0669013
_IsNonwritableInCurrentImage.LIBCMT ref: 000002A3F06690A8
RtlUnwindEx.NTDLL ref: 000002A3F06690F7

Strings

csm, xrefs: 000002A3F066908E
f, xrefs: 000002A3F0669026

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 25a10d7dd65eceb9c08ab646dbd368edc3832f33ef66c5238f1c828468f6184d
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: AB516132B215018FDB94DB19D84C75D6769F367B84F208134EE068BB48FE75DA41C751

Function 000002A3F0668FE8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A3F0669013
_IsNonwritableInCurrentImage.LIBCMT ref: 000002A3F06690A8
RtlUnwindEx.NTDLL ref: 000002A3F06690F7

Strings

csm, xrefs: 000002A3F066908E
f, xrefs: 000002A3F0669026

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 0183a1ec81c6fe5fc289bf6d038e9c0e67ef63b1d30c9ccc84fcdc7c2ff0671c
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 33319C31B206408BEB94DB19EC4C71D7768F363B88F148124BE468BB49EF39CA41C756

Function 000002A3F0661A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002A3F0661A60
StrCmpNIW.SHLWAPI ref: 000002A3F0661A7A
lstrlenW.KERNEL32 ref: 000002A3F0661A89
StrCpyW.SHLWAPI ref: 000002A3F0661A9E

Strings

\\?\, xrefs: 000002A3F0661A6E

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 2723efdd31ef81cf0b780c40f8ffb03886298e9d5556f209259b56203b058ea2
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: C0F0A922B1064087EBA0CB58FD887596360F75AB98F844030FA498AD54EF3CC74DC701

Function 000002A3F066BC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002A3F066BCBD
GetProcAddress.KERNEL32 ref: 000002A3F066BCD3
FreeLibrary.KERNEL32 ref: 000002A3F066BCFA

Strings

mscoree.dll, xrefs: 000002A3F066BCB4
CorExitProcess, xrefs: 000002A3F066BCCC

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 3cb81280d6639494041b71beabffd4b8f748a6a3d86e386e790f439f9726afb7
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 56F04461721B05C7EF50CB2CAC483595320EB9B765F541225BA6A899E4EF38C2448741

Function 000002A3F0663044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002A3F0663066
StrCpyW.SHLWAPI ref: 000002A3F0663076
StrCatW.SHLWAPI ref: 000002A3F0663082
PathCombineW.SHLWAPI ref: 000002A3F0663090

Strings

\\.\pipe\, xrefs: 000002A3F066305C

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: bc7fcf44eccac469d712f6677f5295184d23beb7ce9fd1912fc011b3c1582562
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 35F05E20B24B9087EE84CB1BBD081196261EB5BFD0F046130FE468BF58EE38C649C701

Function 000002A3F06650D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002A3F0665156

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: 1a5c3ceabbb9674ab88b816016c5392cd132a216a6156abeb41612a421397731
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: 8902BB32619B848ADBA0CB59E89535EB7A0F3D6794F100125FA8E87B68EF7CC544CB01

Function 000002A3F0665710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002A3F0665726

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: fdf0353c2c9d7431a73655fa855ee1d883f357c26d152c9830ae0b22cfb9d9d6
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: CF619136A29644CBEAA0CB19E95931E77E4F396784F100125F68D8BF64EF78C540CB01

Function 000002A3EFFD3504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002A3EFFD352C
_set_statfp.LIBCMT ref: 000002A3EFFD3547
_set_statfp.LIBCMT ref: 000002A3EFFD3563
_set_statfp.LIBCMT ref: 000002A3EFFD359F

Memory Dump Source

Source File: 00000020.00000002.2709411289.000002A3EFFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3EFFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3effc0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: b3d2515fd7531a192da7560432244ddb1d5725737d85a7ce7cb71133a17b834d
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 3E11A762710A1BD3FA549728E74D36911C06F5BBB4F48472BBB66862D6CEF6CB434202

Function 000002A3F0674104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002A3F067412C
_set_statfp.LIBCMT ref: 000002A3F0674147
_set_statfp.LIBCMT ref: 000002A3F0674163
_set_statfp.LIBCMT ref: 000002A3F067419F

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 778c29c2b52a37e8828e8148e915df3a772d082812edea363ef07373fae80013
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: E4116D22F34A501BF6E5A56CDC5D3751144EB7B3B8E890634B97686ED6EF34CAC14203

Function 000002A3EFFCF040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002A3EFFCF124

Strings

Wednesday, xrefs: 000002A3EFFCF1ED
Tuesday, xrefs: 000002A3EFFCF0F4
or copy constructor iterator', xrefs: 000002A3EFFCF25A, 000002A3EFFCF275

Memory Dump Source

Source File: 00000020.00000002.2709411289.000002A3EFFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3EFFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3effc0000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 72e7a858243a0862991be92073fd25fa4d2ae0b65c3be1701e8c213c550465a5
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 0861922670026043F769CB65E74C369AAA0EF83B50F554417FA0A977E4DFF4CB47822A

Function 000002A3F066AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000002A3F066AA68
_CallSETranslator.LIBVCRUNTIME ref: 000002A3F066AAB7

Strings

MOC, xrefs: 000002A3F066AA7C
RCC, xrefs: 000002A3F066AA85

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 0c64597300c946a2c78553bcffee072166d80c1db9bdc91f256f0f9a0b87a364
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: EA617D32B10B448BE750DF69D84439DB7A0F356B88F044226EF495BB99EF38C655CB01

Function 000002A3EFFCA178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A3EFFCA1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002A3EFFCA288

Strings

csm, xrefs: 000002A3EFFCA2DA
csm, xrefs: 000002A3EFFCA1C2

Memory Dump Source

Source File: 00000020.00000002.2709411289.000002A3EFFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3EFFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3effc0000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 7d3f4da836a6d3a3b3a2b9affbb5badf6e48be98e05b9c20b87d266e2fd35715
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 3A51B3322002A0CBEB74CF65966835877A0FF56B84F144117EA49D7BC5CFB9E652C70A

Function 000002A3F066AD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A3F066ADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002A3F066AE88

Strings

csm, xrefs: 000002A3F066AEDA
csm, xrefs: 000002A3F066ADC2

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 6f1cb0b0e2f77e083062affd172c0089a59e910c1f2d4a4a0f9650168a2628ac
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 7C518272A203808FEBA4CF19994835DB7A0F767B84F144125FA598BF95EF38D650CB02

Function 000002A3EFFC8405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A3EFFC8413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002A3EFFC84A8

Strings

csm, xrefs: 000002A3EFFC848E
f, xrefs: 000002A3EFFC8426

Memory Dump Source

Source File: 00000020.00000002.2709411289.000002A3EFFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3EFFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3effc0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 18d4462e912e04e262cb9d845cbb99dddd9bdd6a83f29b90a56fac2c5e1f1e45
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 3251D13270162087DB14CF15D648B283795FB42FA8F168427EA0683788EFF5CB42C70A

Function 000002A3EFFC83E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A3EFFC8413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002A3EFFC84A8

Strings

csm, xrefs: 000002A3EFFC848E
f, xrefs: 000002A3EFFC8426

Memory Dump Source

Source File: 00000020.00000002.2709411289.000002A3EFFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3EFFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3effc0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 638603215c4bd4605fef7f0d1933761329d4d304d81e6a47645db0f5dcc0997b
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 35318C7130165087E714DF11E948B1937A4FB42B98F168417BE5A87788DFB9CB42C70A

Function 000002A3F0672058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002A3F06720D7
WriteFile.KERNEL32 ref: 000002A3F067239F
WriteFile.KERNEL32 ref: 000002A3F06723E5
GetLastError.KERNEL32 ref: 000002A3F067249B

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: 1dea74a7b9dd16eb4baa4bb49ba0bef5543a7e9b7916fd59b1bcb17493166bde
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: F9D1D172B24A808EE751CF79D84839C3BB1F366798F144226EE5997F99EE34C606C341

Function 000002A3F06614A4 Relevance: 6.3, APIs: 5, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002A3F06614C5
HeapFree.KERNEL32 ref: 000002A3F06614D4
GetProcessHeap.KERNEL32 ref: 000002A3F06614E1
HeapFree.KERNEL32 ref: 000002A3F06614F0
GetProcessHeap.KERNEL32 ref: 000002A3F0661500

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction ID: d536798ee46fa44b5ad918a9dcf1e87bae4019f298dbc0d8180429603494c22b
Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction Fuzzy Hash: 13014C32A20A90CBDB44DF6AED0C14A67A0F79AF81F484435FA4987B29EE38C251C741

Function 000002A3F0672980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000002A3F0672A9C
GetLastError.KERNEL32 ref: 000002A3F0672B27

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: a4cb1103299b726bc7b01eccba19e47c4a24c67d0d3a46935793449ef8735077
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: A491A662F206518EF7A1DF6D9C4836D2BA0F727B8CF144125EE0697E95EE34C685C702

Function 000002A3F0667960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000002A3F066798C
GetCurrentThreadId.KERNEL32 ref: 000002A3F066799A
GetCurrentProcessId.KERNEL32 ref: 000002A3F06679A6
QueryPerformanceCounter.KERNEL32 ref: 000002A3F06679B6

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 64750482dc4921f28b12e3224374007b2b1ae6a2ef3d88e21d4456c50efc5c58
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 70112421B20F018AEF40CF64EC583A833A4F76A758F440D31FA6D86B54EF78C2948341

Function 000002A3F066253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002A3F0662620
StrCpyW.SHLWAPI ref: 000002A3F0662639

Strings

\\.\pipe\, xrefs: 000002A3F066262B

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: fb96a1d8bf94e82a1d2f4f61f31f1e99a0b6281a65b0fdd7fc554e0c5c89d442
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: BF719336B20B824BD7A4DE299C487AD6A94F3A7788F440035ED099BF89EE35C7458701

Function 000002A3EFFC9E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002A3EFFC9EB7

Strings

MOC, xrefs: 000002A3EFFC9E7C
RCC, xrefs: 000002A3EFFC9E85

Memory Dump Source

Source File: 00000020.00000002.2709411289.000002A3EFFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3EFFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3effc0000_svchost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 1c071c4e189e1926709cb0ed332f7ab93af7b290c7f773ceed20fa96e7bdadd9
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 3C617633600B948AEB20DF65D18439D7BA0FB49B88F044217EF4957B98EFB8D296C705

Function 000002A3F0662330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002A3F0662416
StrCpyW.SHLWAPI ref: 000002A3F066242D

Strings

\\.\pipe\, xrefs: 000002A3F0662421

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 5f936f7cd74c6ad8cabcdb3786854e477f79e51e7e3fe2a465b702ceea4c6f09
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: D351E722B24B828BE7B4CF2EA85C36E5691F3A7744F440135ED4A87F49EE39C6448742

Function 000002A3F06726F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002A3F0672807
GetLastError.KERNEL32 ref: 000002A3F0672829

Strings

U, xrefs: 000002A3F06727B3

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 4a4f14ede015f19fba4b8dc1191ceb6a241eb7a7a156b13a3e921accdb9fad5b
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 4041A472B24A418ADB60CF29E84839967A0F7AA794F404035FE4DC7B94EF7CC645C741

Function 000002A3F06694A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002A3F06694F0
RaiseException.KERNEL32 ref: 000002A3F0669531

Strings

csm, xrefs: 000002A3F066951E

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 4dfaae02607e1d63d71d13f1f569e1bfbbce690b7281460ac2c766a79d4aa6aa
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 44113032614B4086EBA1CF19F84435977E5F79AB94F584220EE8D4BB59EF3CC655C700

Function 000002A3EFFC7356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002A3EFFC737C

Strings

riptor at (, xrefs: 000002A3EFFC7364
ierarchy Descriptor', xrefs: 000002A3EFFC7381

Memory Dump Source

Source File: 00000020.00000002.2709411289.000002A3EFFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3EFFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3effc0000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 537a0299432303b2994cf101a968846695946c7fbee4695c8a398a611903422e
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 65E08661740B44D1DF02CF22E94429833A0DF59B68F889123A95C46311FF78D3EAC302

Function 000002A3EFFC73B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002A3EFFC73D8

Strings

riptor at (, xrefs: 000002A3EFFC73C0
Locator', xrefs: 000002A3EFFC73DD

Memory Dump Source

Source File: 00000020.00000002.2709411289.000002A3EFFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3EFFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3effc0000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 3fa43d97622781504111e28302cccdffe62b838d3364dff2f09d1e1dee9b6f76
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: DCE08661740B44C5DF01CF21D5402987360EF59B58F889123D94C46311FF78D2E6C301

Function 000002A3F0661BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002A3F0661C2D
HeapAlloc.KERNEL32 ref: 000002A3F0661C3B
GetProcessHeap.KERNEL32 ref: 000002A3F0661C77
HeapFree.KERNEL32 ref: 000002A3F0661C85

Part of subcall function 000002A3F066152C: StrCmpIW.SHLWAPI ref: 000002A3F066155D

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: 899d41f3a461e795506a272869949aa2b30dded974880c644d390ca07638d0fa
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: DC116325B21B448AEA84DB5EA80C22D67A1F79BFC0F584035EE4D9BB65EE38D5419301

Function 000002A3F0661268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002A3F066126E
HeapAlloc.KERNEL32 ref: 000002A3F066127D
GetProcessHeap.KERNEL32 ref: 000002A3F0661297
HeapAlloc.KERNEL32 ref: 000002A3F06612A8

Memory Dump Source

Source File: 00000020.00000002.2717085041.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 11941aba65ac1e048ab5c377d395697b824e5f1c455e2688e9b7b208c8c371a4
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: B4E03935B216048BEB44CB6AD80C34A36E1EB9AB06F848024990947751FF7D8599C751

Analysis Process: svchost.exePID: 372, Parent PID: 7188COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	94
Total number of Limit Nodes:	3

Executed Functions

Function 000002C9AFBB1268 Relevance: 5.0, APIs: 4, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002C9AFBB126E
HeapAlloc.KERNEL32 ref: 000002C9AFBB127D
GetProcessHeap.KERNEL32 ref: 000002C9AFBB1297
HeapAlloc.KERNEL32 ref: 000002C9AFBB12A8

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 02946ca36f3402e0facbaf146cdc26c741fd4d6ec5d6214b8e74fb746398ebee
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 14E0397660160486FB048B62D80CB4A36F2EB9DF06F049024890D07351DF7EC4DAC750

Function 000002C9AFBB328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002C9AFBB32AE
PathFindFileNameW.SHLWAPI ref: 000002C9AFBB32BD

Part of subcall function 000002C9AFBB3844: StrCmpNIW.SHLWAPI ref: 000002C9AFBB385C

Part of subcall function 000002C9AFBB3790: GetModuleHandleW.KERNEL32 ref: 000002C9AFBB379E
Part of subcall function 000002C9AFBB3790: GetCurrentProcess.KERNEL32 ref: 000002C9AFBB37CC
Part of subcall function 000002C9AFBB3790: VirtualProtectEx.KERNEL32 ref: 000002C9AFBB37EE
Part of subcall function 000002C9AFBB3790: GetCurrentProcess.KERNEL32 ref: 000002C9AFBB3809
Part of subcall function 000002C9AFBB3790: VirtualProtectEx.KERNEL32 ref: 000002C9AFBB382A

CreateThread.KERNEL32 ref: 000002C9AFBB330B

Part of subcall function 000002C9AFBB1D14: GetCurrentThread.KERNEL32 ref: 000002C9AFBB1D1F

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: c458215bf1c98ccd866853aa7addd53556b79060b5fbedb0ec5efbadb8ed66bb
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 19114073B14A4182FBA09B21F95DF5F22B4E754345F584135994E819E1EF7BC4C48711

Function 000002C9AFBB1ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002C9AFBB1628: GetProcessHeap.KERNEL32 ref: 000002C9AFBB1633
Part of subcall function 000002C9AFBB1628: HeapAlloc.KERNEL32 ref: 000002C9AFBB1642
Part of subcall function 000002C9AFBB1628: RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB16B2
Part of subcall function 000002C9AFBB1628: RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB16DF
Part of subcall function 000002C9AFBB1628: RegCloseKey.ADVAPI32 ref: 000002C9AFBB16F9
Part of subcall function 000002C9AFBB1628: RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB1719
Part of subcall function 000002C9AFBB1628: RegCloseKey.ADVAPI32 ref: 000002C9AFBB1734
Part of subcall function 000002C9AFBB1628: RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB1754
Part of subcall function 000002C9AFBB1628: RegCloseKey.ADVAPI32 ref: 000002C9AFBB176F
Part of subcall function 000002C9AFBB1628: RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB178F
Part of subcall function 000002C9AFBB1628: RegCloseKey.ADVAPI32 ref: 000002C9AFBB17AA
Part of subcall function 000002C9AFBB1628: RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB17CA

Sleep.KERNEL32 ref: 000002C9AFBB1AD7
SleepEx.KERNELBASE ref: 000002C9AFBB1ADD

Part of subcall function 000002C9AFBB1628: RegCloseKey.ADVAPI32 ref: 000002C9AFBB17E5
Part of subcall function 000002C9AFBB1628: RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB1805
Part of subcall function 000002C9AFBB1628: RegCloseKey.ADVAPI32 ref: 000002C9AFBB1820
Part of subcall function 000002C9AFBB1628: RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB1840
Part of subcall function 000002C9AFBB1628: RegCloseKey.ADVAPI32 ref: 000002C9AFBB185B
Part of subcall function 000002C9AFBB1628: RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB187B
Part of subcall function 000002C9AFBB1628: RegCloseKey.ADVAPI32 ref: 000002C9AFBB1896
Part of subcall function 000002C9AFBB1628: RegCloseKey.ADVAPI32 ref: 000002C9AFBB18A0

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 3d133a6c6fa1ba24d341f0a0208eb16f7f20b030103285e457f08171ed4ff97b
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 1C310E67211A4182FF64AF26DA4DBAD23B4EB84BC0F1864319E0D876F5FF26C8D1C210

Function 000002C9AFBB3844 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 000002C9AFBB385C

Strings

dialer, xrefs: 000002C9AFBB3855

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction ID: 5e1fd6351878a2edf60ad03a3be0d6f5b9d20302d487fb4c1c3225ad09be24c8
Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction Fuzzy Hash: A1D0A76231120586FF14DFAA8CCCF692370EB0C744F8C4034CD0801590DB1BC9DE9710

Function 000002C9AFB8273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002C9AFB8285E

Memory Dump Source

Source File: 00000021.00000002.2708939219.000002C9AFB80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFB80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afb80000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 1b49d16d77b95f286320a700e7c5b27fe5fa868e61b97a2f1d58080ae6c7f6b4
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: FC61D177B016908BEB54CF15D44CB2DB3A2FBA4BA4F588135DE5D07788DA39D892C780

Function 000002C9AFBBCA0C Relevance: 1.3, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 000002C9AFBBCA4A

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: aac0828ce12dfb82e5a667a172eb8e62085a22ffbd2f9ceececb1565634b64c0
Instruction ID: 727ecce194b6517732949ef698da1e08856636cdb64d2bf3e63d098a7802fa24
Opcode Fuzzy Hash: aac0828ce12dfb82e5a667a172eb8e62085a22ffbd2f9ceececb1565634b64c0
Instruction Fuzzy Hash: C1F0379771124585FE54E7B1A85DF6D23B04B88BA0F0856305D7E852C6DA5ED4C18660

Non-executed Functions

Function 000002C9AFBB2B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000002C9AFBB2BD0
lstrlenW.KERNEL32 ref: 000002C9AFBB2E0A

Part of subcall function 000002C9AFBB199C: OpenProcess.KERNEL32 ref: 000002C9AFBB19C2
Part of subcall function 000002C9AFBB199C: K32GetModuleFileNameExW.KERNEL32 ref: 000002C9AFBB19E0
Part of subcall function 000002C9AFBB199C: PathFindFileNameW.SHLWAPI ref: 000002C9AFBB19EF
Part of subcall function 000002C9AFBB199C: lstrlenW.KERNEL32 ref: 000002C9AFBB19FB
Part of subcall function 000002C9AFBB199C: StrCpyW.SHLWAPI ref: 000002C9AFBB1A0E
Part of subcall function 000002C9AFBB199C: CloseHandle.KERNEL32 ref: 000002C9AFBB1A1C

GetProcAddress.KERNEL32 ref: 000002C9AFBB2BE5

Part of subcall function 000002C9AFBB152C: StrCmpIW.SHLWAPI ref: 000002C9AFBB155D

Part of subcall function 000002C9AFBB3844: StrCmpNIW.SHLWAPI ref: 000002C9AFBB385C

StrCmpNIW.SHLWAPI ref: 000002C9AFBB2C28
lstrlenW.KERNEL32 ref: 000002C9AFBB2D50

Strings

\Device\Nsi, xrefs: 000002C9AFBB2C1B
NtQueryObject, xrefs: 000002C9AFBB2BDB
ntdll.dll, xrefs: 000002C9AFBB2BC9

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: f40ce59f2efed65c9b010051d6776aa73714aa356de280d759f93c21df0a69b0
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 5DB18D67210A9086FBAA9F26D45CBAE63B5FB44B84F44502AEE0D53B94DF36CCC1C740

Function 000002C9AFBB7D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002C9AFBB7DAC
RtlCaptureContext.NTDLL ref: 000002C9AFBB7DD9
RtlLookupFunctionEntry.NTDLL ref: 000002C9AFBB7DF3
RtlVirtualUnwind.NTDLL ref: 000002C9AFBB7E34
IsDebuggerPresent.KERNEL32 ref: 000002C9AFBB7E88
SetUnhandledExceptionFilter.KERNEL32 ref: 000002C9AFBB7EA9
UnhandledExceptionFilter.KERNEL32 ref: 000002C9AFBB7EB4

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: d133edbc506ad9ae8d55e42da47199501f0e6beb05cb4ed51f66a82066bfc72d
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 91311A73205A808AFB609F64E848BEE6375F788744F44442ADA4D57A94EF39C589C710

Function 000002C9AFBBD2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002C9AFBBD31D
RtlLookupFunctionEntry.NTDLL ref: 000002C9AFBBD335
RtlVirtualUnwind.NTDLL ref: 000002C9AFBBD370
IsDebuggerPresent.KERNEL32 ref: 000002C9AFBBD3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 000002C9AFBBD3B3
UnhandledExceptionFilter.KERNEL32 ref: 000002C9AFBBD3BE

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 85b0b215ee8e3942453a5d595db1f318e2a7e201c596e557a4c5a41d0126749f
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 6D315E33214B8086EB60DF29E84CBAE73B4F789794F500126EA9D47B95DF39C586CB00

Function 000002C9AFBB1628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002C9AFBB1633
HeapAlloc.KERNEL32 ref: 000002C9AFBB1642

Part of subcall function 000002C9AFBB1268: GetProcessHeap.KERNEL32 ref: 000002C9AFBB126E
Part of subcall function 000002C9AFBB1268: HeapAlloc.KERNEL32 ref: 000002C9AFBB127D
Part of subcall function 000002C9AFBB1268: GetProcessHeap.KERNEL32 ref: 000002C9AFBB1297
Part of subcall function 000002C9AFBB1268: HeapAlloc.KERNEL32 ref: 000002C9AFBB12A8

RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB16B2
RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB16DF
RegCloseKey.ADVAPI32 ref: 000002C9AFBB16F9
RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB1719
RegCloseKey.ADVAPI32 ref: 000002C9AFBB1734
RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB1754
RegCloseKey.ADVAPI32 ref: 000002C9AFBB176F
RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB178F
RegCloseKey.ADVAPI32 ref: 000002C9AFBB17AA
RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB17CA
RegCloseKey.ADVAPI32 ref: 000002C9AFBB17E5
RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB1805
RegCloseKey.ADVAPI32 ref: 000002C9AFBB1820
RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB1840
RegCloseKey.ADVAPI32 ref: 000002C9AFBB185B
RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB187B
RegCloseKey.ADVAPI32 ref: 000002C9AFBB1896
RegCloseKey.ADVAPI32 ref: 000002C9AFBB18A0

Part of subcall function 000002C9AFBB12BC: RegQueryInfoKeyW.ADVAPI32 ref: 000002C9AFBB1319
Part of subcall function 000002C9AFBB12BC: GetProcessHeap.KERNEL32 ref: 000002C9AFBB1327
Part of subcall function 000002C9AFBB12BC: HeapAlloc.KERNEL32 ref: 000002C9AFBB1338
Part of subcall function 000002C9AFBB12BC: RegEnumValueW.ADVAPI32 ref: 000002C9AFBB1397
Part of subcall function 000002C9AFBB12BC: GetProcessHeap.KERNEL32 ref: 000002C9AFBB13DF
Part of subcall function 000002C9AFBB12BC: HeapAlloc.KERNEL32 ref: 000002C9AFBB13ED
Part of subcall function 000002C9AFBB12BC: GetProcessHeap.KERNEL32 ref: 000002C9AFBB140A
Part of subcall function 000002C9AFBB12BC: HeapFree.KERNEL32 ref: 000002C9AFBB1418
Part of subcall function 000002C9AFBB12BC: lstrlenW.KERNEL32 ref: 000002C9AFBB1421
Part of subcall function 000002C9AFBB12BC: GetProcessHeap.KERNEL32 ref: 000002C9AFBB142F
Part of subcall function 000002C9AFBB12BC: HeapAlloc.KERNEL32 ref: 000002C9AFBB143D

Strings

paths, xrefs: 000002C9AFBB1788
startup, xrefs: 000002C9AFBB16D5
process_names, xrefs: 000002C9AFBB174D
tcp_local, xrefs: 000002C9AFBB17FE
SOFTWARE\dialerconfig, xrefs: 000002C9AFBB1692
service_names, xrefs: 000002C9AFBB17C3
tcp_remote, xrefs: 000002C9AFBB1839
pid, xrefs: 000002C9AFBB1712
udp, xrefs: 000002C9AFBB1874

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 7bc5544605b8bb29d9d22844264ad75da65fd45ea84d007b71f284991407313f
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 0D71D827710A1086FB109F66E89CF9E23B5FB88B88F415121DE4E57B69DF3AC495C740

Function 000002C9AFBB12BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002C9AFBB1319
GetProcessHeap.KERNEL32 ref: 000002C9AFBB1327
HeapAlloc.KERNEL32 ref: 000002C9AFBB1338
RegEnumValueW.ADVAPI32 ref: 000002C9AFBB1397

Part of subcall function 000002C9AFBB152C: StrCmpIW.SHLWAPI ref: 000002C9AFBB155D

GetProcessHeap.KERNEL32 ref: 000002C9AFBB13DF
HeapAlloc.KERNEL32 ref: 000002C9AFBB13ED
GetProcessHeap.KERNEL32 ref: 000002C9AFBB140A
HeapFree.KERNEL32 ref: 000002C9AFBB1418
lstrlenW.KERNEL32 ref: 000002C9AFBB1421
GetProcessHeap.KERNEL32 ref: 000002C9AFBB142F
HeapAlloc.KERNEL32 ref: 000002C9AFBB143D
StrCpyW.SHLWAPI ref: 000002C9AFBB145F
GetProcessHeap.KERNEL32 ref: 000002C9AFBB1476
HeapFree.KERNEL32 ref: 000002C9AFBB1484

Strings

d, xrefs: 000002C9AFBB135A

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: 3d1a5935da443fba4cfa22ded9a11958e274965ae6b1c0c8bbf3cd067de71fae
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: 3D511877604B848AEB54CF62E54CB5E77B2F789F99F444124DA4D07768DF39C09A8B00

Function 000002C9AFBB1D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002C9AFBB1D1F

Part of subcall function 000002C9AFBB1FD4: GetModuleHandleA.KERNEL32 ref: 000002C9AFBB1FEC
Part of subcall function 000002C9AFBB1FD4: GetProcAddress.KERNEL32 ref: 000002C9AFBB1FFD

Part of subcall function 000002C9AFBB5B30: GetCurrentThreadId.KERNEL32 ref: 000002C9AFBB5B6B

Strings

advapi32.dll, xrefs: 000002C9AFBB1DF7, 000002C9AFBB1E18
EnumServiceGroupW, xrefs: 000002C9AFBB1DF0
NtQueryDirectoryFile, xrefs: 000002C9AFBB1D7F
NtEnumerateKey, xrefs: 000002C9AFBB1DB9
NtEnumerateValueKey, xrefs: 000002C9AFBB1DD6
NtResumeThread, xrefs: 000002C9AFBB1D62
NtDeviceIoControlFile, xrefs: 000002C9AFBB1E56
EnumServicesStatusExW, xrefs: 000002C9AFBB1E11, 000002C9AFBB1E32
sechost.dll, xrefs: 000002C9AFBB1E39
NtQueryDirectoryFileEx, xrefs: 000002C9AFBB1D9C
ntdll.dll, xrefs: 000002C9AFBB1D2D
NtQuerySystemInformation, xrefs: 000002C9AFBB1D45

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: bd217bfbf6eb61ce800cc4c79a049b29e8618bdc513bc47cd3ed92e4f45f524d
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: 7331936A60098AA0FA05EF65EC5DFDD6330F708385FC45023D86D139759F7A86DAC351

Function 000002C9AFB86910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002C9AFB86938
__scrt_acquire_startup_lock.LIBCMT ref: 000002C9AFB8698A
_RTC_Initialize.LIBCMT ref: 000002C9AFB869B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002C9AFB869DE
__scrt_release_startup_lock.LIBCMT ref: 000002C9AFB86A09

Strings

`eh vector copy constructor iterator', xrefs: 000002C9AFB86A3B
`dynamic initializer for ', xrefs: 000002C9AFB869C7
`eh vector vbase copy constructor iterator', xrefs: 000002C9AFB869EE
scriptor', xrefs: 000002C9AFB86B39, 000002C9AFB86BB2, 000002C9AFB86BEC

Memory Dump Source

Source File: 00000021.00000002.2708939219.000002C9AFB80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFB80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afb80000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 3b0bcfbc6097c036aae0528868285f8b4af87e6efa3b75491bc5fed42e7aa859
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: EE81E3337002418AFA54AB65D88DFAD22F2EBC9B84F5480259A4D477D6EF3BCDC58780

Function 000002C9AFBBCE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 000002C9AFBBCE37
FlsGetValue.KERNEL32(?,?,?,000002C9AFBC0A6B,?,?,?,000002C9AFBC045C,?,?,?,000002C9AFBBC84F), ref: 000002C9AFBBCE4C
FlsSetValue.KERNEL32(?,?,?,000002C9AFBC0A6B,?,?,?,000002C9AFBC045C,?,?,?,000002C9AFBBC84F), ref: 000002C9AFBBCE6D
FlsSetValue.KERNEL32(?,?,?,000002C9AFBC0A6B,?,?,?,000002C9AFBC045C,?,?,?,000002C9AFBBC84F), ref: 000002C9AFBBCE9A
FlsSetValue.KERNEL32(?,?,?,000002C9AFBC0A6B,?,?,?,000002C9AFBC045C,?,?,?,000002C9AFBBC84F), ref: 000002C9AFBBCEAB
FlsSetValue.KERNEL32(?,?,?,000002C9AFBC0A6B,?,?,?,000002C9AFBC045C,?,?,?,000002C9AFBBC84F), ref: 000002C9AFBBCEBC
SetLastError.KERNEL32 ref: 000002C9AFBBCED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002C9AFBC0A6B,?,?,?,000002C9AFBC045C,?,?,?,000002C9AFBBC84F), ref: 000002C9AFBBCF0D
FlsSetValue.KERNEL32(?,?,00000001,000002C9AFBBECCC,?,?,?,?,000002C9AFBBBF9F,?,?,?,?,?,000002C9AFBB7AB0), ref: 000002C9AFBBCF2C

Part of subcall function 000002C9AFBBD6CC: HeapAlloc.KERNEL32 ref: 000002C9AFBBD721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002C9AFBC0A6B,?,?,?,000002C9AFBC045C,?,?,?,000002C9AFBBC84F), ref: 000002C9AFBBCF54

Part of subcall function 000002C9AFBBD744: HeapFree.KERNEL32 ref: 000002C9AFBBD75A
Part of subcall function 000002C9AFBBD744: GetLastError.KERNEL32 ref: 000002C9AFBBD764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002C9AFBC0A6B,?,?,?,000002C9AFBC045C,?,?,?,000002C9AFBBC84F), ref: 000002C9AFBBCF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002C9AFBC0A6B,?,?,?,000002C9AFBC045C,?,?,?,000002C9AFBBC84F), ref: 000002C9AFBBCF76

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 1e0c9809fb35d835cfe5748f91c3c6cc249f9640fd7f840ff51d24447d742410
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: AB41A3A330124486FA68E771595DF6D23B29B897B0F244734A87E4A6E6DE2BD4C18601

Function 000002C9AFBB2244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002C9AFBB2259
GetCurrentProcessId.KERNEL32 ref: 000002C9AFBB2263

Part of subcall function 000002C9AFBB1934: OpenProcess.KERNEL32 ref: 000002C9AFBB1952
Part of subcall function 000002C9AFBB1934: IsWow64Process.KERNEL32 ref: 000002C9AFBB1968
Part of subcall function 000002C9AFBB1934: CloseHandle.KERNEL32 ref: 000002C9AFBB1983

CreateFileW.KERNEL32 ref: 000002C9AFBB22BC
WriteFile.KERNEL32 ref: 000002C9AFBB22E4
ReadFile.KERNEL32 ref: 000002C9AFBB2303
CloseHandle.KERNEL32 ref: 000002C9AFBB230C

Strings

\\.\pipe\dialerchildproc64, xrefs: 000002C9AFBB228C
\\.\pipe\dialerchildproc32, xrefs: 000002C9AFBB2293

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 59c4b00715b41af638ef0cc38557a4ec5d6ec558463e506295746c32e2e5ebc4
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: AF211836614A4083FB108B25F48CB6E67B1F789BA5F544215EA9D02AA8DF7DC58ACB00

Function 000002C9AFBBA544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002C9AFBBA5A1

Part of subcall function 000002C9AFBBB414: __GetUnwindTryBlock.LIBCMT ref: 000002C9AFBBB457
Part of subcall function 000002C9AFBBB414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002C9AFBBB47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002C9AFBBA679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002C9AFBBA8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002C9AFBBA9DA

Strings

csm, xrefs: 000002C9AFBBA622
csm, xrefs: 000002C9AFBBA5BB
csm, xrefs: 000002C9AFBBA69C

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: 448c7d1acf4989fd402f052fba8c8c8c1a12d963704075dae7ad1702d6c3b9c9
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: C2E13773A04B808AFB609B65D88CB9D7BB8F745B98F100126EE8D57B99CB35D5D1C700

Function 000002C9AFB89944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002C9AFB899A1

Part of subcall function 000002C9AFB8A814: __GetUnwindTryBlock.LIBCMT ref: 000002C9AFB8A857
Part of subcall function 000002C9AFB8A814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002C9AFB8A87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002C9AFB89A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002C9AFB89CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002C9AFB89DDA

Strings

csm, xrefs: 000002C9AFB89A22
csm, xrefs: 000002C9AFB899BB
csm, xrefs: 000002C9AFB89A9C

Memory Dump Source

Source File: 00000021.00000002.2708939219.000002C9AFB80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFB80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afb80000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: e1543482f496544ac01f3d265fa18983b7e679a16db81be37ed29f5814919603
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 51E16973604B808AFB609B65D48CB9D7BB4F785B98F100115EE8E57B9ACB36C4D1C780

Function 000002C9AFBBF394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 000002C9AFBBF510
GetProcAddress.KERNEL32 ref: 000002C9AFBBF51C

Strings

ext-ms-, xrefs: 000002C9AFBBF46D
api-ms-, xrefs: 000002C9AFBBF45A

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: 301f57847b70330022c145fbc2a4b8a83493534866993c33952b4f2a280b91e3
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: C541D223311A0095FA16DBA6A81CF5E23B1FB49BE0F5941399D0EC7795EF3AC4C68310

Function 000002C9AFBB104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002C9AFBB10B1
RegEnumValueW.ADVAPI32 ref: 000002C9AFBB1117
GetProcessHeap.KERNEL32 ref: 000002C9AFBB115A
HeapAlloc.KERNEL32 ref: 000002C9AFBB1168
GetProcessHeap.KERNEL32 ref: 000002C9AFBB1185
HeapFree.KERNEL32 ref: 000002C9AFBB1193

Strings

d, xrefs: 000002C9AFBB10D6

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: f2c39bd5b50fffd7ac432d25aef4ddcec333aec918135e9fc63ebff3934d6b33
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: 21411873214B849AE760CF61E44CB9E77B1F389B99F448129DA8D07A58DF39C589CB40

Function 000002C9AFBBD068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000002C9AFBBC7DE,?,?,?,?,?,?,?,?,000002C9AFBBCF9D,?,?,00000001), ref: 000002C9AFBBD087
FlsSetValue.KERNEL32(?,?,?,000002C9AFBBC7DE,?,?,?,?,?,?,?,?,000002C9AFBBCF9D,?,?,00000001), ref: 000002C9AFBBD0A6
FlsSetValue.KERNEL32(?,?,?,000002C9AFBBC7DE,?,?,?,?,?,?,?,?,000002C9AFBBCF9D,?,?,00000001), ref: 000002C9AFBBD0CE
FlsSetValue.KERNEL32(?,?,?,000002C9AFBBC7DE,?,?,?,?,?,?,?,?,000002C9AFBBCF9D,?,?,00000001), ref: 000002C9AFBBD0DF
FlsSetValue.KERNEL32(?,?,?,000002C9AFBBC7DE,?,?,?,?,?,?,?,?,000002C9AFBBCF9D,?,?,00000001), ref: 000002C9AFBBD0F0

Strings

Y%, xrefs: 000002C9AFBBD0A6
1%, xrefs: 000002C9AFBBD0CE

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: f49d3e6c2ec92abad68370475c6992c089fb5492afa3ab8c21b3b13878c83f78
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: C711C42270424446FA68A776596DF6D62719B483F0F684334A83E4B7EADE2EC4C28600

Function 000002C9AFBB7510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002C9AFBB7538
__scrt_acquire_startup_lock.LIBCMT ref: 000002C9AFBB758A
_RTC_Initialize.LIBCMT ref: 000002C9AFBB75B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002C9AFBB75DE
__scrt_release_startup_lock.LIBCMT ref: 000002C9AFBB7609

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 643e7d9664bf6d483a2f22f1908bd072748fd4b4a36835f2e68cc5f5e3c2ff4e
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: F981C2637102418AFB54AB6A985DF9D26B1EB897C0F344435EA4D477E6EB3BC8C68700

Function 000002C9AFBB9DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000002C9AFBB9E49
GetLastError.KERNEL32 ref: 000002C9AFBB9E57
LoadLibraryExW.KERNEL32 ref: 000002C9AFBB9E81
FreeLibrary.KERNEL32 ref: 000002C9AFBB9EC7
GetProcAddress.KERNEL32 ref: 000002C9AFBB9ED3

Strings

api-ms-, xrefs: 000002C9AFBB9E69

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: fcd3ae759f9c2431972a02713780172aaa2b766f0442892340e32bfce9334084
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 8D31C623312A40E9FE16DB52A48CF6D23B4B748BA0F5945359D2D4B795EF3AC4C9C310

Function 000002C9AFBC3DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002C9AFBC3DE5
GetLastError.KERNEL32 ref: 000002C9AFBC3DF1
CloseHandle.KERNEL32 ref: 000002C9AFBC3E09
CreateFileW.KERNEL32 ref: 000002C9AFBC3E34
WriteConsoleW.KERNEL32 ref: 000002C9AFBC3E53

Strings

CONOUT$, xrefs: 000002C9AFBC3E15

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: bb92da9f2f9668f7b5f227acd491ce29b4c739cb6a3fe036e66b21ed50e3b565
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 26116032310B4086F7508B52E84CB1E66B0F78CFE9F444214EA5E877A4CF39C8968744

Function 000002C9AFBB3790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002C9AFBB379E
GetCurrentProcess.KERNEL32 ref: 000002C9AFBB37CC
VirtualProtectEx.KERNEL32 ref: 000002C9AFBB37EE
GetCurrentProcess.KERNEL32 ref: 000002C9AFBB3809
VirtualProtectEx.KERNEL32 ref: 000002C9AFBB382A

Strings

wr, xrefs: 000002C9AFBB37FF

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: ef878f88f891a9cc0226c17ba60389822e2f4aefb6b623b1cf9ed56202d8aa50
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: D4113926704B4182FF149B22E40CB6E62B1FB88B85F490039DE8D07794EF3EC586C704

Function 000002C9AFBB5B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002C9AFBB5B6B
GetThreadContext.KERNEL32 ref: 000002C9AFBB5CD5

Part of subcall function 000002C9AFBB5960: GetCurrentThreadId.KERNEL32 ref: 000002C9AFBB5964

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: acbe2cf2811988f5ba6ec771451debd2ae620033772eca01979c4297e866113d
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: 06D17777205B8885FA70DB1AE49C75EB7B0F788B84F100126EA8D47BA9DF39C591CB41

Function 000002C9AFBB2F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002C9AFBB2F27
HeapAlloc.KERNEL32 ref: 000002C9AFBB2F3A
StrCmpNIW.SHLWAPI ref: 000002C9AFBB2FAF
GetProcessHeap.KERNEL32 ref: 000002C9AFBB3015
HeapFree.KERNEL32 ref: 000002C9AFBB3023

Strings

dialer, xrefs: 000002C9AFBB2FA8

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 3f6427f0b897d203a8ff72d7fd6559241d5c4eb05b59a6866c1d13554c4c1640
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: 50319C27701B5586FA16DF16A54CB2E67B1FB58B81F088030EE4C47B65EF3AC4E18300

Function 000002C9AFBBCFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002C9AFBBCFAF
FlsSetValue.KERNEL32(?,?,?,000002C9AFBBD6B5,?,?,?,?,000002C9AFBBD778), ref: 000002C9AFBBCFE5
FlsSetValue.KERNEL32(?,?,?,000002C9AFBBD6B5,?,?,?,?,000002C9AFBBD778), ref: 000002C9AFBBD012
FlsSetValue.KERNEL32(?,?,?,000002C9AFBBD6B5,?,?,?,?,000002C9AFBBD778), ref: 000002C9AFBBD023
FlsSetValue.KERNEL32(?,?,?,000002C9AFBBD6B5,?,?,?,?,000002C9AFBBD778), ref: 000002C9AFBBD034
SetLastError.KERNEL32 ref: 000002C9AFBBD04F

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 4c62b697f470108bf8016cd8e8b79f0d9d7ea9fe1ab87fbd884b39be9c05a4f3
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: AE11932330168046FA64A771595DF6D2272AB897F0F544734E83E4BBE6DE6FC4C28700

Function 000002C9AFBB199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002C9AFBB19C2
K32GetModuleFileNameExW.KERNEL32 ref: 000002C9AFBB19E0
PathFindFileNameW.SHLWAPI ref: 000002C9AFBB19EF
lstrlenW.KERNEL32 ref: 000002C9AFBB19FB
StrCpyW.SHLWAPI ref: 000002C9AFBB1A0E
CloseHandle.KERNEL32 ref: 000002C9AFBB1A1C

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: 776edabdd31d2c5d842730da3b0799cc3ee2df483632f5256c09317c09dc20e3
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 99010522700A4486FA549B52A89CB5A63A6B788FC5F884035DE5D43765DF3EC98A8740

Function 000002C9AFBB36C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002C9AFBB36E4
GetCurrentProcess.KERNEL32 ref: 000002C9AFBB36F2
VirtualProtectEx.KERNEL32 ref: 000002C9AFBB3714
GetCurrentProcess.KERNEL32 ref: 000002C9AFBB3732
VirtualProtectEx.KERNEL32 ref: 000002C9AFBB3753
TerminateThread.KERNEL32 ref: 000002C9AFBB3762

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: c0c06ac6c320f4d94ed766a2d209336057b8d35aa10f5fab456b044bee74afef
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 4C012566711B4086FB249B22E84CF1E63B1FB49B86F080429CE4D07BA5EF3EC5898700

Function 000002C9AFBB8FE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002C9AFBB9013
_IsNonwritableInCurrentImage.LIBCMT ref: 000002C9AFBB90A8
RtlUnwindEx.NTDLL ref: 000002C9AFBB90F7

Strings

f, xrefs: 000002C9AFBB9026
csm, xrefs: 000002C9AFBB908E

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction ID: b69ce0b1e87cbfa36c7383619914696123ecf9d697f90beebf9ef022a96452c7
Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction Fuzzy Hash: 54517533611600AEFB14DB25E84CF5D37BAF389B88F618534EA5A47788EB76D981D700

Function 000002C9AFBB1A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002C9AFBB1A60
StrCmpNIW.SHLWAPI ref: 000002C9AFBB1A7A
lstrlenW.KERNEL32 ref: 000002C9AFBB1A89
StrCpyW.SHLWAPI ref: 000002C9AFBB1A9E

Strings

\\?\, xrefs: 000002C9AFBB1A6E

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: f283fdb3b92fc894e6690af3394c64b1a34685d570d531e0bad4563ff6af074a
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 43F0372331464192FB608B25E8CCB5E6771F78CB89F848021DA4D46969DB2EC6CECB00

Function 000002C9AFBB3044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002C9AFBB3066
StrCpyW.SHLWAPI ref: 000002C9AFBB3076
StrCatW.SHLWAPI ref: 000002C9AFBB3082
PathCombineW.SHLWAPI ref: 000002C9AFBB3090

Strings

\\.\pipe\, xrefs: 000002C9AFBB305C

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: f7ca05bdc7977dee71d5ca1fcdca8066930d71e5797bde6381781ac8edae85d8
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: EEF05826604B8082FA008B1AB91CB1E6272AB8CFC0F488130EE4E07B58DF2DC4CA8700

Function 000002C9AFBBBC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002C9AFBBBCBD
GetProcAddress.KERNEL32 ref: 000002C9AFBBBCD3
FreeLibrary.KERNEL32 ref: 000002C9AFBBBCFA

Strings

mscoree.dll, xrefs: 000002C9AFBBBCB4
CorExitProcess, xrefs: 000002C9AFBBBCCC

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: f2a47d8069daa03cbdfb4fc500137e4405ce41ebda65f3332e0620529a28fee1
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 0FF0626231160481FF148B24E84CF5E6331EB8C7A1F544229CA6E456E4CF2EC4CA8340

Function 000002C9AFBB50D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002C9AFBB5156

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: cd5e9ef4991b1375355821580fedef02432e755ef5f93ed8371006dc914d02aa
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: CC02A537219B8486EBA0CB55E49C75EB7B0F3C5794F104026EA8E87BA8DB7DC494CB01

Function 000002C9AFBB5710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002C9AFBB5726

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: b1e56fe467506e00194dc39c0ce9e023ccecf8e5b3013ee0fe0790cfdca5572d
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: 9C619477619B44CAF664CB56E44CB1EB7B0F388794F101126EA8E47BA8DB7EC580CB01

Function 000002C9AFBC4104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002C9AFBC412C
_set_statfp.LIBCMT ref: 000002C9AFBC4147
_set_statfp.LIBCMT ref: 000002C9AFBC4163
_set_statfp.LIBCMT ref: 000002C9AFBC419F

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 43f043c85b949e32156fdd24b1a541c876183ad398725a0a0309fc5fe978a674
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 24117323A20B5191F6741568D45EBEF19716B7CBB8F1A0624B9BE076D6CA36CBC34210

Function 000002C9AFB93504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002C9AFB9352C
_set_statfp.LIBCMT ref: 000002C9AFB93547
_set_statfp.LIBCMT ref: 000002C9AFB93563
_set_statfp.LIBCMT ref: 000002C9AFB9359F

Memory Dump Source

Source File: 00000021.00000002.2708939219.000002C9AFB80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFB80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afb80000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 584721eeace041210264c613900405bf356980670474624f32815c5f773a9f2e
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 4F11A537A14F5112FAA81628E4DEB7D31B96B5C374F4D8638A97F467E6CB2AC8C14200

Function 000002C9AFBB9650 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002C9AFBB966F
SetLastError.KERNEL32 ref: 000002C9AFBB96F6

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 46c896f13dff0714c7ccebb8ca9383bb675cc38bcf091c92c481f4a556b8b138
Instruction ID: 5f0923b011051a372b952a564947fdf115005ff3d78fbbe4d72771c375e561f8
Opcode Fuzzy Hash: 46c896f13dff0714c7ccebb8ca9383bb675cc38bcf091c92c481f4a556b8b138
Instruction Fuzzy Hash: 6D1130226116814AFF54AB25AC8CF6D22B5AB48BE0F184634D96F177E9DB2AD8C1C700

Function 000002C9AFB8F040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002C9AFB8F124

Strings

or copy constructor iterator', xrefs: 000002C9AFB8F25A, 000002C9AFB8F275
Wednesday, xrefs: 000002C9AFB8F1ED
Tuesday, xrefs: 000002C9AFB8F0F4

Memory Dump Source

Source File: 00000021.00000002.2708939219.000002C9AFB80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFB80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afb80000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: a80c000d8ef14b9d6fe3a44cdcf1669d2b1a24a1138b778100ebe55983d3a4d3
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: F561DF7760064086FA69EF68E58CF6E6AB1F7C5780F504525DA4E07BE5DB3AC8C2C380

Function 000002C9AFBBAA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000002C9AFBBAA68
_CallSETranslator.LIBVCRUNTIME ref: 000002C9AFBBAAB7

Strings

RCC, xrefs: 000002C9AFBBAA85
MOC, xrefs: 000002C9AFBBAA7C

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 7787783f401279bfe4e8df883c0c88822366a1d2909154027994fd102b4f05f2
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: FF613437A04A848AFB209F65D48CB9D7BB4F348B88F044225EE8E17B98DB79D595C700

Function 000002C9AFBBAD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002C9AFBBADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002C9AFBBAE88

Strings

csm, xrefs: 000002C9AFBBADC2
csm, xrefs: 000002C9AFBBAEDA

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 31b3f26767cfbd5d33780d55b243f7a0c5bb21e67230fd46beb19b15dbfd1668
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 93516A736002808AFB648B25D58CB9D77B8F354B85F188236DE9D87B95CB3AD4D1CB00

Function 000002C9AFB8A178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002C9AFB8A1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002C9AFB8A288

Strings

csm, xrefs: 000002C9AFB8A2DA
csm, xrefs: 000002C9AFB8A1C2

Memory Dump Source

Source File: 00000021.00000002.2708939219.000002C9AFB80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFB80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afb80000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 7b8fdedeeafb5845af0b84257af6053867f2343152da48e03d6904e7ebe51b51
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 92514633100680DAFB749F25954CB9C7BB8F395B94F188216DA9D87A95CB3AD4E1CB80

Function 000002C9AFB88405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002C9AFB88413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002C9AFB884A8

Strings

f, xrefs: 000002C9AFB88426
csm, xrefs: 000002C9AFB8848E

Memory Dump Source

Source File: 00000021.00000002.2708939219.000002C9AFB80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFB80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afb80000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 5d92dd77b88c1299c49392ec59f61ae634460a69dbcd5fa06ed6980f75ea2f6d
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: B851A6336026008BFB24CB25E44CFAD37B5F394B98F548124DA1E43B88EB36C9C18B84

Function 000002C9AFB883E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002C9AFB88413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002C9AFB884A8

Strings

f, xrefs: 000002C9AFB88426
csm, xrefs: 000002C9AFB8848E

Memory Dump Source

Source File: 00000021.00000002.2708939219.000002C9AFB80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFB80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afb80000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: b5f06c17726c17de06e8691df94384e4d09eaa0d6f39528b41e7222bcd2034c0
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: B631443321164097FB15DB12E88CB6D77B4F780B98F198114AE9E07B98DB3AC981C784

Function 000002C9AFBC2058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002C9AFBC20D7
WriteFile.KERNEL32 ref: 000002C9AFBC239F
WriteFile.KERNEL32 ref: 000002C9AFBC23E5
GetLastError.KERNEL32 ref: 000002C9AFBC249B

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: b1df6fcf169da0f2c23391fb39f062101cbcfe82657cda599936ba6838e77f1a
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: 22D1CE73B14A808AF711CFA9D448BAD3BB2F358B98F148216CE5D97B99DA35C587C340

Function 000002C9AFBB14A4 Relevance: 6.3, APIs: 5, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002C9AFBB14C5
HeapFree.KERNEL32 ref: 000002C9AFBB14D4
GetProcessHeap.KERNEL32 ref: 000002C9AFBB14E1
HeapFree.KERNEL32 ref: 000002C9AFBB14F0
GetProcessHeap.KERNEL32 ref: 000002C9AFBB1500

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction ID: a2a34c977606bb5db8cb26bfa32343d6a48bbb56a8d614ebbf91cc22d333de4d
Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction Fuzzy Hash: C3014833600A90CAE704DF66E90CA4E67B2F78DF82F055425EA4E43729DF39C092C740

Function 000002C9AFBC2980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000002C9AFBC2A9C
GetLastError.KERNEL32 ref: 000002C9AFBC2B27

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: d82a3a815fee0c5bf6d1b581ba1ffa9b532a3d0fc2d0fcfd032ed3bc37568c9c
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: C091AD77B10A9089FB649F65988CBAF2BB0F748B88F144119DE4E67A95DB36C4C3C700

Function 000002C9AFBB7960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000002C9AFBB798C
GetCurrentThreadId.KERNEL32 ref: 000002C9AFBB799A
GetCurrentProcessId.KERNEL32 ref: 000002C9AFBB79A6
QueryPerformanceCounter.KERNEL32 ref: 000002C9AFBB79B6

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: f05fb5dbfbf4ee90067a77cd8bcd11faeac36253877019b48f621463aab47820
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 72111822710B018AFB009B60E8597AD33B4F719B58F441E21DA6D86BA4DB79C1D98380

Function 000002C9AFBB253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002C9AFBB2620
StrCpyW.SHLWAPI ref: 000002C9AFBB2639

Strings

\\.\pipe\, xrefs: 000002C9AFBB262B

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 13dfc45ee8999d7752e4719eb8d1bfecabdd7e5a4ea9021741c5b3d42762be55
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: AC71C43720078185F7669E2A985CBAE67B4F38A7C4F440036DD0E53B89DE36C985C704

Function 000002C9AFB89E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002C9AFB89EB7

Strings

RCC, xrefs: 000002C9AFB89E85
MOC, xrefs: 000002C9AFB89E7C

Memory Dump Source

Source File: 00000021.00000002.2708939219.000002C9AFB80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFB80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afb80000_svchost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 27acea5d09c819c127276e176587bd16326fc826214980c41f4223065fe66240
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: C4614533600A848AFB24DF65D488B9D7BB0F388B88F044215EF5D17B99DB3AD195C780

Function 000002C9AFBB2330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002C9AFBB2416
StrCpyW.SHLWAPI ref: 000002C9AFBB242D

Strings

\\.\pipe\, xrefs: 000002C9AFBB2421

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 4c95c1796a1b4e1a75a41bf22f50aef86c02afe1ac56ce1888579ab8e65249d8
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 8751B13320878181F6769F29A56CBAEA7B1F389780F850135DE5D13F99DA3BC585C740

Function 000002C9AFBC26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002C9AFBC2807
GetLastError.KERNEL32 ref: 000002C9AFBC2829

Strings

U, xrefs: 000002C9AFBC27B3

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 2e468e8aefd2390e0960d30601159bd550b6bdbf4601160216b1694b950bacf8
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: EF418F73715A8086EB20DF25E84CBAEA7B1F798794F514022EE4D87798EB7DC582C740

Function 000002C9AFBB94A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002C9AFBB94F0
RaiseException.KERNEL32 ref: 000002C9AFBB9531

Strings

csm, xrefs: 000002C9AFBB951E

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: 51ce7f104e7bba36b85a7a272c82e181c09526865ff15b60026bb4d9741eae8e
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 1F112B33218B8086FB618B15E44875EB7E5FB88B94F584221EE8C07758DF3DC591CB00

Function 000002C9AFB87356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002C9AFB8737C

Strings

riptor at (, xrefs: 000002C9AFB87364
ierarchy Descriptor', xrefs: 000002C9AFB87381

Memory Dump Source

Source File: 00000021.00000002.2708939219.000002C9AFB80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFB80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afb80000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: bf2ad28687dfe8ea3e6816bc925912ec73efb18b2860a6cd4dafdd41f8202739
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: B2E08662680B4891FF018F21E8887AC33B0DB98B64B8891229D5C07311FB38D1E9C300

Function 000002C9AFB873B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000002C9AFB873D8

Strings

Locator', xrefs: 000002C9AFB873DD
riptor at (, xrefs: 000002C9AFB873C0

Memory Dump Source

Source File: 00000021.00000002.2708939219.000002C9AFB80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFB80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afb80000_svchost.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: c07c44a9c34dfa32fee402106a4bc7daecd6475f583d3be07aec4fc8fa65f362
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 3AE08662640B4880FF018F21D4846AC73B0E758B54B889122CA4C07311EB38D1E5C300

Function 000002C9AFBB1BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002C9AFBB1C2D
HeapAlloc.KERNEL32 ref: 000002C9AFBB1C3B
GetProcessHeap.KERNEL32 ref: 000002C9AFBB1C77
HeapFree.KERNEL32 ref: 000002C9AFBB1C85

Part of subcall function 000002C9AFBB152C: StrCmpIW.SHLWAPI ref: 000002C9AFBB155D

Memory Dump Source

Source File: 00000021.00000002.2709765969.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: bc5ed3c553f8fad100e9731cf1632dc5c2dcdcc26d6bce90e57f3112b7a8f725
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: D5114826601B8485FA54DB66A80CB2E77B1FB89FC1F285028DE4D57B76DF3AC482C340

Analysis Process: svchost.exePID: 772, Parent PID: 7188COMMON

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	81
Total number of Limit Nodes:	4

Executed Functions

Function 000002C06FD4104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002C06FD410B1
RegEnumValueW.ADVAPI32 ref: 000002C06FD41117
GetProcessHeap.KERNEL32 ref: 000002C06FD4115A
HeapAlloc.KERNEL32 ref: 000002C06FD41168
GetProcessHeap.KERNEL32 ref: 000002C06FD41185
HeapFree.KERNEL32 ref: 000002C06FD41193

Strings

d, xrefs: 000002C06FD410D6

Memory Dump Source

Source File: 00000022.00000002.2717734299.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_2c06fd40000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: 5b73f61b0c74de695f112d37e4006b8e7370b6798754f90282f408be911c45d4
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: 22418333214B84C6FB61CF21E488B9E77A6F389B98F148115DB8A07B58DF39D459CB00

Function 000002C06FD4328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002C06FD432AE
PathFindFileNameW.SHLWAPI ref: 000002C06FD432BD

Part of subcall function 000002C06FD43844: StrCmpNIW.SHLWAPI ref: 000002C06FD4385C

Part of subcall function 000002C06FD43790: GetModuleHandleW.KERNEL32 ref: 000002C06FD4379E
Part of subcall function 000002C06FD43790: GetCurrentProcess.KERNEL32 ref: 000002C06FD437CC
Part of subcall function 000002C06FD43790: VirtualProtectEx.KERNEL32 ref: 000002C06FD437EE
Part of subcall function 000002C06FD43790: GetCurrentProcess.KERNEL32 ref: 000002C06FD43809
Part of subcall function 000002C06FD43790: VirtualProtectEx.KERNEL32 ref: 000002C06FD4382A

CreateThread.KERNEL32 ref: 000002C06FD4330B

Part of subcall function 000002C06FD41D14: GetCurrentThread.KERNEL32 ref: 000002C06FD41D1F

Memory Dump Source

Source File: 00000022.00000002.2717734299.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_2c06fd40000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 5557b667f06bec5261fb59547d169d9df883b485d8ac4d7f7340c84304a1904e
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 2011C030610200C2FF60BF28F8CEF5D22DFAB55749F704124E90A82590EF7BE0789610

Function 000002C06FD41ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002C06FD41628: GetProcessHeap.KERNEL32 ref: 000002C06FD41633
Part of subcall function 000002C06FD41628: HeapAlloc.KERNEL32 ref: 000002C06FD41642
Part of subcall function 000002C06FD41628: RegOpenKeyExW.ADVAPI32 ref: 000002C06FD416B2
Part of subcall function 000002C06FD41628: RegOpenKeyExW.ADVAPI32 ref: 000002C06FD416DF
Part of subcall function 000002C06FD41628: RegCloseKey.ADVAPI32 ref: 000002C06FD416F9
Part of subcall function 000002C06FD41628: RegOpenKeyExW.ADVAPI32 ref: 000002C06FD41719
Part of subcall function 000002C06FD41628: RegCloseKey.ADVAPI32 ref: 000002C06FD41734
Part of subcall function 000002C06FD41628: RegOpenKeyExW.ADVAPI32 ref: 000002C06FD41754
Part of subcall function 000002C06FD41628: RegCloseKey.ADVAPI32 ref: 000002C06FD4176F
Part of subcall function 000002C06FD41628: RegOpenKeyExW.ADVAPI32 ref: 000002C06FD4178F
Part of subcall function 000002C06FD41628: RegCloseKey.ADVAPI32 ref: 000002C06FD417AA
Part of subcall function 000002C06FD41628: RegOpenKeyExW.ADVAPI32 ref: 000002C06FD417CA

Sleep.KERNEL32 ref: 000002C06FD41AD7
SleepEx.KERNELBASE ref: 000002C06FD41ADD

Part of subcall function 000002C06FD41628: RegCloseKey.ADVAPI32 ref: 000002C06FD417E5
Part of subcall function 000002C06FD41628: RegOpenKeyExW.ADVAPI32 ref: 000002C06FD41805
Part of subcall function 000002C06FD41628: RegCloseKey.ADVAPI32 ref: 000002C06FD41820
Part of subcall function 000002C06FD41628: RegOpenKeyExW.ADVAPI32 ref: 000002C06FD41840
Part of subcall function 000002C06FD41628: RegCloseKey.ADVAPI32 ref: 000002C06FD4185B
Part of subcall function 000002C06FD41628: RegOpenKeyExW.ADVAPI32 ref: 000002C06FD4187B
Part of subcall function 000002C06FD41628: RegCloseKey.ADVAPI32 ref: 000002C06FD41896
Part of subcall function 000002C06FD41628: RegCloseKey.ADVAPI32 ref: 000002C06FD418A0

Memory Dump Source

Source File: 00000022.00000002.2717734299.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_2c06fd40000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 416f17fdec569be69bdaa96ec92e87237991dca4c06b2f921ec5727e7a504340
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 6531E161210641D2FF529F26DAC9BAD23EFAB45BC4F2464219E0987BD5FF36E871C210

Function 000002C06FD43844 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 000002C06FD4385C

Strings

dialer, xrefs: 000002C06FD43855

Memory Dump Source

Source File: 00000022.00000002.2717734299.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_2c06fd40000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction ID: eea1c37edd9a2c7a6367f319b2426d74f6525a99311fafc593295ecfd6f5889e
Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction Fuzzy Hash: 86D0A760311205CBFF54DFAAC8CDF6C639AEB08744FDC4020C90001150DB2BA9FDA710

Function 000002C06F7B273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002C06F7B285E

Memory Dump Source

Source File: 00000022.00000002.2716251170.000002C06F7B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06F7B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_2c06f7b0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: c74763199557573ee21cf50daf6970a883384bf5152a0e18b4061da6f84da58c
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 2B613332B02291C7FB56CF559488B2DF3AAF755BA4F288121DE5D13788DA39D972C700

Non-executed Functions

Function 000002C06F7B6910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002C06F7B6938
__scrt_acquire_startup_lock.LIBCMT ref: 000002C06F7B698A
_RTC_Initialize.LIBCMT ref: 000002C06F7B69B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002C06F7B69DE
__scrt_release_startup_lock.LIBCMT ref: 000002C06F7B6A09

Strings

`eh vector copy constructor iterator', xrefs: 000002C06F7B6A3B
`eh vector vbase copy constructor iterator', xrefs: 000002C06F7B69EE
`dynamic initializer for ', xrefs: 000002C06F7B69C7
scriptor', xrefs: 000002C06F7B6B39, 000002C06F7B6BB2, 000002C06F7B6BEC

Memory Dump Source

Source File: 00000022.00000002.2716251170.000002C06F7B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06F7B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_2c06f7b0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: b4a5d01f42281bc93223997a5fb6c3cf1ff2202b2b11c74289c8ce0a1e91c913
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: E781C461600241CAFB50AFE5ACCDF5DE2ACEB87780F7490659B0587796DB3BCB668700

Function 000002C06F7B9944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002C06F7B99A1

Part of subcall function 000002C06F7BA814: __GetUnwindTryBlock.LIBCMT ref: 000002C06F7BA857
Part of subcall function 000002C06F7BA814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002C06F7BA87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002C06F7B9A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002C06F7B9CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000002C06F7B9DDA

Strings

csm, xrefs: 000002C06F7B99BB
csm, xrefs: 000002C06F7B9A22
csm, xrefs: 000002C06F7B9A9C

Memory Dump Source

Source File: 00000022.00000002.2716251170.000002C06F7B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06F7B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_2c06f7b0000_svchost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 35caf141b2f3d798d5cb5ab4e110afd774785aae392f99717540b21b1c225da5
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: FCE1B272604B40CAFB60DFA5D4C8B9DB7B8F766798F200115EE9957B99CB35C2A1C700

Function 000002C06F7C3504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002C06F7C352C
_set_statfp.LIBCMT ref: 000002C06F7C3547
_set_statfp.LIBCMT ref: 000002C06F7C3563
_set_statfp.LIBCMT ref: 000002C06F7C359F

Memory Dump Source

Source File: 00000022.00000002.2716251170.000002C06F7B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06F7B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_2c06f7b0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 52df65138fb024a4e51a5a863b3c083e8c200634c173810125eb53a83c3b5e6b
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 6E112C32650E01CDFAE41DF8F4CFB6D90886B59370F794638AA76063D6CB2ACB604201

Function 000002C06F7BF040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002C06F7BF124

Strings

or copy constructor iterator', xrefs: 000002C06F7BF25A, 000002C06F7BF275
Wednesday, xrefs: 000002C06F7BF1ED
Tuesday, xrefs: 000002C06F7BF0F4

Memory Dump Source

Source File: 00000022.00000002.2716251170.000002C06F7B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06F7B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_2c06f7b0000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 3a2c35e90514f7f626b7ffb703298c8873b3bbd6ebdf358830a21a6a4eee67b5
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 6161B83A500644C6F6699FE9E5CCFEDE6A8E747B40F748815DA0A177A4DB36CB61C300

Function 000002C06F7BA178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002C06F7BA1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002C06F7BA288

Strings

csm, xrefs: 000002C06F7BA1C2
csm, xrefs: 000002C06F7BA2DA

Memory Dump Source

Source File: 00000022.00000002.2716251170.000002C06F7B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06F7B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_2c06f7b0000_svchost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 3a80fb5763e54d777fbfc394f4b853dbc391fe6af0bad3f4c9a79944c3d625de
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 7C518E32104281CAFB649F95949CB5CB7A8F396B84F28411ADF9987BD5CB3AD6B1C700

Function 000002C06F7B8405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002C06F7B8413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002C06F7B84A8

Strings

f, xrefs: 000002C06F7B8426
csm, xrefs: 000002C06F7B848E

Memory Dump Source

Source File: 00000022.00000002.2716251170.000002C06F7B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06F7B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_2c06f7b0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: eee125fda93c6652dd047afdae2af78c910ab50d7945a0b0c9339754d9fe974c
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 3E51E132709202CAFB15CF95E48CF5CB39DF742B98F708024EA1643788EB36DA528704

Function 000002C06F7B83E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002C06F7B8413
_IsNonwritableInCurrentImage.LIBCMT ref: 000002C06F7B84A8

Strings

f, xrefs: 000002C06F7B8426
csm, xrefs: 000002C06F7B848E

Memory Dump Source

Source File: 00000022.00000002.2716251170.000002C06F7B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06F7B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_2c06f7b0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 12b57857d640d0d716391cc1e35f31a82321f17d190bcbb5cde68e292acf8282
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 69319F32209742DAFB15DF95E888F5DB7ACF741B98F258014EE5A07784DB3ACA62C704

Function 000002C06F7B9E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002C06F7B9EB7

Strings

MOC, xrefs: 000002C06F7B9E7C
RCC, xrefs: 000002C06F7B9E85

Memory Dump Source

Source File: 00000022.00000002.2716251170.000002C06F7B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06F7B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_2c06f7b0000_svchost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 484794cded1398cd759f362327a470871452240848fb4352c55ea9a1594bca32
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 32616733604B84CAFB20DFA5D084B9DB7B4F765B88F244215EE5917B98DB39D2A5C700

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xmr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe

C:\Users\user\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.dat

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gmllbled.gz3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_juzgyfll.bs2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pqbalilt.lva.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yyc01ryo.1ig.ps1

C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask

C:\Windows\System32\winevt\Logs\Application.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx

Windows Analysis Report
xmr.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre