
Analysis Report sihost.exe

Overview

General Information

Sample Name:sihost.exe
Analysis ID:345804
MD5:a21e7719d73d0322e2e7d61802cb8f80
SHA1:5310ba14a05256e4d93e0b04338f53b4e1d680cb
SHA256:8ee21a0ba8849d31c265b4090a9e2ebe8ba66f58a8f71d4e96509e8a78f7db00

Most interesting Screenshot:

Detection

Score:3
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)

Classification

Classification chart (radar) axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious
  • System is w10x64
  • sihost.exe (PID: 5936 cmdline: 'C:\Users\user\Desktop\sihost.exe' MD5: A21E7719D73D0322E2E7D61802CB8F80)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures.

Compliance:

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: sihost.exe; Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: sihost.pdbUGP source: sihost.exe
Source: Binary string: sihost.pdb source: sihost.exe
Source: C:\Users\user\Desktop\sihost.exe; Code function: 0_2_00007FF7A8FB3970 0_2_00007FF7A8FB3970
Source: C:\Users\user\Desktop\sihost.exe; Code function: 0_2_00007FF7A8FB11F0 0_2_00007FF7A8FB11F0
Source: C:\Users\user\Desktop\sihost.exe; Code function: 0_2_00007FF7A8FB30E0 0_2_00007FF7A8FB30E0
Source: C:\Users\user\Desktop\sihost.exe; Code function: 0_2_00007FF7A8FB38F0 0_2_00007FF7A8FB38F0
Source: C:\Users\user\Desktop\sihost.exe; Code function: String function: 00007FF7A8FBD364 appears 36 times
Source: classification engine; Classification label: clean3.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\sihost.exe; Code function: 0_2_00007FF7A8FB11F0 CoInitializeEx,CreateEventW,CoCreateInstance,CoCreateInstance,CoCreateInstance,CreateEventW,WaitForSingleObject,SetEvent,CloseHandle,CoUninitialize, 0_2_00007FF7A8FB11F0
Source: sihost.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\sihost.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sihost.exe; Static PE information: Image base 0x140000000 > 0x60000000
Source: sihost.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: sihost.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: sihost.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: sihost.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: sihost.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: sihost.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: sihost.exe; Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: sihost.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: sihost.pdbUGP source: sihost.exe
Source: Binary string: sihost.pdb source: sihost.exe
Source: sihost.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: sihost.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: sihost.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: sihost.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: sihost.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: sihost.exe; Static PE information: section name: .didat
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\sihost.exe; Code function: 0_2_00007FF7A8FB5F08 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7A8FB5F08
Source: C:\Users\user\Desktop\sihost.exe; Code function: 0_2_00007FF7A8FBBA1C GetProcessHeap,HeapFree, 0_2_00007FF7A8FBBA1C
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\sihost.exe; Code function: 0_2_00007FF7A8FB6AB8 SetUnhandledExceptionFilter, 0_2_00007FF7A8FB6AB8
Source: C:\Users\user\Desktop\sihost.exe; Code function: 0_2_00007FF7A8FB5F08 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7A8FB5F08
Source: C:\Users\user\Desktop\sihost.exe; Code function: 0_2_00007FF7A8FB68C0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7A8FB68C0
Source: C:\Users\user\Desktop\sihost.exe; Code function: 0_2_00007FF7A8FB22E0 ConvertStringSecurityDescriptorToSecurityDescriptorW,SetSecurityDescriptorDacl,CoInitializeSecurity,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,GetLastError,LocalFree,SetLastError,LocalFree, 0_2_00007FF7A8FB22E0
Source: C:\Users\user\Desktop\sihost.exe; Code function: 0_2_00007FF7A8FB6768 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7A8FB6768

Mitre Att&ck Matrix

Techniques listed per tactic; a number in parentheses is the count of matched signatures for that technique.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: System Time Discovery (1); Security Software Discovery (2); System Information Discovery (2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel (1); Junk Data; Steganography
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 345804; Sample: sihost.exe; Start date: 29/01/2021; Architecture: WINDOWS; Score: 3; graph nodes: sihost.exe (started)

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source      Detection  Scanner
sihost.exe  0%         Virustotal
sihost.exe  0%         Metadefender
sihost.exe  0%         ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos

General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:345804
Start date:29.01.2021
Start time:04:48:14
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 1m 55s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:sihost.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:1
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean3.winEXE@1/0@0/0
EGA Information:Failed
HDC Information:
  • Successful, ratio: 100% (good quality ratio 55.5%)
  • Quality average: 38.7%
  • Quality standard deviation: 40.2%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 46
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Execution Graph export aborted for target sihost.exe, PID 5936 because there are no executed function
No simulations
No context
No created / dropped files found

Static File Info

General

File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):6.076931167824788
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:sihost.exe
File size:111616
MD5:a21e7719d73d0322e2e7d61802cb8f80
SHA1:5310ba14a05256e4d93e0b04338f53b4e1d680cb
SHA256:8ee21a0ba8849d31c265b4090a9e2ebe8ba66f58a8f71d4e96509e8a78f7db00
SHA512:e78793b58c358dafa0eecf3d2e7582186df0bbbc13d96a5475342c371946219ca544cf49ef3dd60d078c2ed0bbb614727f25774b84bddcf5a77a4181fcba184c
SSDEEP:3072:Y8JFdMPmFAXIf/9odiof3UWAWktyEyc6Lh7:YaPQy/9odio/UHyc6Lh
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I..M..............A.3.......................u.......................,...../.......-.............Rich...........................

File Icon

Icon Hash:00828e8e8686b000

General

Entrypoint:0x140005eb0
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:0xEAD4601 [Thu Oct 20 23:04:33 1977 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:10
OS Version Minor:0
File Version Major:10
File Version Minor:0
Subsystem Version Major:10
Subsystem Version Minor:0
Import Hash:9ffe8029f721bd904f419f82a63d59a2
Instruction
dec eax
sub esp, 28h
call 00007FF80D176394h
dec eax
add esp, 28h
jmp 00007FF80D175953h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00015241h]
jne 00007FF80D175AF5h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007FF80D175AE5h
ret
dec eax
ror ecx, 10h
jmp 00007FF80D175B54h
int3
int3
int3
int3
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
call dword ptr [0000E889h]
mov ecx, 00000001h
mov dword ptr [0001592Eh], eax
call 00007FF80D17646Eh
xor ecx, ecx
call dword ptr [0000E8A1h]
dec eax
mov ecx, ebx
call dword ptr [0000E8B0h]
cmp dword ptr [00015911h], 00000000h
jne 00007FF80D175AECh
mov ecx, 00000001h
call 00007FF80D17644Ah
call dword ptr [0000E967h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [0000E93Bh]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000000h
Programming Language:
  • [IMP] VS2008 SP1 build 30729
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x192e8          0x280         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1f000          0x400         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x1c000          0x17f4        .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x20000          0x1dc         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x15bc0          0x54          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x146a8          0x28          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x14590          0x118         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x14718          0x4f0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x191f0          0x60          .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x1000           0x120b0       0x12200   False     0.52114762931    data       6.09289641353   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x14000          0x6958        0x6a00    False     0.36538178066    data       5.16699763806   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x1b000          0xe30         0x400     False     0.49609375       data       4.5430081864    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata  0x1c000          0x17f4        0x1800    False     0.48974609375    data       5.07853177648   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat  0x1e000          0x28          0x200     False     0.0546875        data       0.221871255204  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0x1f000          0x400         0x400     False     0.453125         data       3.36364443668   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x20000          0x1dc         0x200     False     0.69140625       data       4.86055316111   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name        RVA      Size   Type  Language  Country
RT_VERSION  0x1f060  0x3a0  data  English   United States
DLL: Imports
msvcp_win.dll: ?_Xlength_error@std@@YAXPEBD@Z
api-ms-win-crt-runtime-l1-1-0.dll: _initterm, _initterm_e, _c_exit, _register_thread_local_exe_atexit_callback
api-ms-win-crt-private-l1-1-0.dll: _o__configthreadlocale, _o__configure_wide_argv, _o__crt_atexit, _o__errno, _o__exit, _o__get_wide_winmain_command_line, _o__initialize_onexit_table, _o__initialize_wide_environment, _o__invalid_parameter_noinfo, _o__invalid_parameter_noinfo_noreturn, _o__purecall, _o__register_onexit_function, _o__seh_filter_exe, _o__set_app_type, _o__set_fmode, _o__set_new_mode, memmove, _o_exit, _o_free, _o_malloc, _o_terminate, __C_specific_handler, __CxxFrameHandler3, _CxxThrowException, _o___p__commode, _o__callnewh, _o___stdio_common_vswprintf, _o___stdio_common_vsnprintf_s, _o__cexit, __std_terminate, __CxxFrameHandler4, memcmp, memcpy, _o___std_exception_destroy, _o___std_exception_copy
api-ms-win-crt-string-l1-1-0.dll: memset
api-ms-win-core-libraryloader-l1-2-0.dll: GetModuleFileNameA, GetProcAddress, GetModuleHandleW, GetModuleHandleExW
api-ms-win-core-synch-l1-2-0.dll: InitOnceComplete, InitOnceBeginInitialize
api-ms-win-core-synch-l1-1-0.dll: AcquireSRWLockExclusive, CreateEventW, ReleaseSRWLockExclusive, AcquireSRWLockShared, SetEvent, CreateMutexExW, LeaveCriticalSection, EnterCriticalSection, OpenSemaphoreW, WaitForSingleObjectEx, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InitializeCriticalSectionEx, ReleaseMutex, ReleaseSRWLockShared, WaitForSingleObject, ResetEvent, ReleaseSemaphore, CreateSemaphoreExW
api-ms-win-core-heap-l1-1-0.dll: GetProcessHeap, HeapFree, HeapAlloc
api-ms-win-core-errorhandling-l1-1-0.dll: SetUnhandledExceptionFilter, SetLastError, GetLastError, UnhandledExceptionFilter
api-ms-win-eventing-provider-l1-1-0.dll: EventActivityIdControl, EventWriteTransfer, EventUnregister, EventSetInformation, EventRegister
api-ms-win-core-processthreads-l1-1-0.dll: GetCurrentProcessId, SetProcessShutdownParameters, CreateThread, TerminateProcess, GetCurrentThreadId, GetStartupInfoW, GetCurrentProcess
api-ms-win-core-localization-l1-2-0.dll: FormatMessageW
api-ms-win-core-debug-l1-1-0.dll: OutputDebugStringW, DebugBreak, IsDebuggerPresent
api-ms-win-core-handle-l1-1-0.dll: CloseHandle
api-ms-win-core-com-l1-1-0.dll: CoTaskMemRealloc, CoGetMalloc, CoTaskMemFree, CoRevokeClassObject, CoInitializeEx, CoUninitialize, CoInitializeSecurity, CoCreateInstance, CoCreateFreeThreadedMarshaler, CoRegisterClassObject
api-ms-win-core-heap-l2-1-0.dll: LocalAlloc, LocalFree
api-ms-win-security-sddl-l1-1-0.dll: ConvertStringSecurityDescriptorToSecurityDescriptorW
api-ms-win-core-synch-l1-2-1.dll: WaitForMultipleObjects
CoreMessaging.dll: CoreUICreate
api-ms-win-core-threadpool-l1-2-0.dll: SetThreadpoolTimer, CloseThreadpoolTimer, WaitForThreadpoolTimerCallbacks, CreateThreadpoolTimer
api-ms-win-security-base-l1-1-0.dll: SetSecurityDescriptorDacl, CopySid, GetSecurityDescriptorDacl, GetTokenInformation, MakeAbsoluteSD, GetLengthSid
api-ms-win-security-trustee-l1-1-0.dll: BuildTrusteeWithSidW
api-ms-win-security-provider-l1-1-0.dll: SetEntriesInAclW
api-ms-win-core-rtlsupport-l1-1-0.dll: RtlLookupFunctionEntry, RtlCaptureContext, RtlVirtualUnwind
api-ms-win-core-processthreads-l1-1-1.dll: IsProcessorFeaturePresent
api-ms-win-core-profile-l1-1-0.dll: QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0.dll: GetSystemTimeAsFileTime
api-ms-win-core-interlocked-l1-1-0.dll: InitializeSListHead
api-ms-win-core-apiquery-l1-1-0.dll: ApiSetQueryApiSetPresence
api-ms-win-core-delayload-l1-1-1.dll: ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0.dll: DelayLoadFailureHook
Description: Data
LegalCopyright: Microsoft Corporation. All rights reserved.
InternalName: sihost.exe
FileVersion: 10.0.19041.746 (WinBuild.160101.0800)
CompanyName: Microsoft Corporation
ProductName: Microsoft Windows Operating System
ProductVersion: 10.0.19041.746
FileDescription: Shell Infrastructure Host
OriginalFilename: sihost.exe
Translation: 0x0409 0x04b0
Language of compilation system: English
Country where language is spoken: United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

[CPU usage chart: x-axis 0 to 10 s, y-axis 0 to 100]

Memory Usage

[Memory usage chart: x-axis 0 to 10 s, y-axis in MB]

System Behavior

Start time:04:48:59
Start date:29/01/2021
Path:C:\Users\user\Desktop\sihost.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\sihost.exe'
Imagebase:0x7ff7a8fb0000
File size:111616 bytes
MD5 hash:A21E7719D73D0322E2E7D61802CB8F80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Disassembly

Code Analysis

Executed Functions

Non-executed Functions

APIs
    • Part of subcall function 00007FF7A8FB2AB0: LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,00000001,?,00007FF7A8FB2370,?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB2B1F
  • ConvertStringSecurityDescriptorToSecurityDescriptorW.API-MS-WIN-SECURITY-SDDL-L1-1-0(?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB239C
    • Part of subcall function 00007FF7A8FB2730: MakeAbsoluteSD.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A8FB23C5), ref: 00007FF7A8FB2799
    • Part of subcall function 00007FF7A8FB2730: LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A8FB23C5), ref: 00007FF7A8FB27B6
    • Part of subcall function 00007FF7A8FB2730: MakeAbsoluteSD.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A8FB23C5), ref: 00007FF7A8FB282D
    • Part of subcall function 00007FF7A8FB2600: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,00007FF7A8FB23E1,?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB2637
    • Part of subcall function 00007FF7A8FB2600: LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,00007FF7A8FB23E1,?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB2653
    • Part of subcall function 00007FF7A8FB2600: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,00007FF7A8FB23E1,?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB2686
    • Part of subcall function 00007FF7A8FB2600: GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,00007FF7A8FB23E1,?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB26A7
    • Part of subcall function 00007FF7A8FB2600: LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,00007FF7A8FB23E1,?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB26BB
    • Part of subcall function 00007FF7A8FB2600: CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,00007FF7A8FB23E1,?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB26E5
    • Part of subcall function 00007FF7A8FB2600: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,00007FF7A8FB23E1,?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB2706
  • SetSecurityDescriptorDacl.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB244B
  • CoInitializeSecurity.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF7A8FB2488
  • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB24AA
  • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7A8FB24BE
  • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7A8FB24D7
  • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7A8FB24EB
  • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7A8FB2500
    • Part of subcall function 00007FF7A8FB2540: GetSecurityDescriptorDacl.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF7A8FB2414), ref: 00007FF7A8FB257A
    • Part of subcall function 00007FF7A8FB2540: BuildTrusteeWithSidW.API-MS-WIN-SECURITY-TRUSTEE-L1-1-0 ref: 00007FF7A8FB25A7
    • Part of subcall function 00007FF7A8FB2540: SetEntriesInAclW.API-MS-WIN-SECURITY-PROVIDER-L1-1-0 ref: 00007FF7A8FB25D1
  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB8F22
  • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB8F33
  • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB8F41
  • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB8FB2
Strings
Memory Dump Source
  • Source File: 00000000.00000002.653930338.00007FF7A8FB1000.00000020.00020000.sdmp, Offset: 00007FF7A8FB0000, based on PE: true
  • Associated: 00000000.00000002.653926180.00007FF7A8FB0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653941982.00007FF7A8FC4000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.653945393.00007FF7A8FC5000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653951756.00007FF7A8FCB000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.653954906.00007FF7A8FCC000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653958581.00007FF7A8FCF000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_7ff7a8fb0000_sihost.jbxd
Similarity
  • API ID: Local$Free$Security$AllocDescriptor$AbsoluteDaclErrorInformationLastMakeToken$BuildConvertCopyEntriesInitializeLengthStringTrusteeWith
  • String ID: (A;;0xB;;;AN)$O:PSG:BUD:(A;;3;;;PS)(A;;3;;;SY)(A;;0xB;;;S-1-5-80-2676549577-1911656217-2625096541-4178041876-1366760775)(A;;0xB;;;S-1-5-80-90571$onecoreuap\shell\shellhost\exe\shellhost.cpp
  • API String ID: 901987046-35622315
  • Opcode ID: 760695b3ae05dd4d3257817174a5fdddf37e82aac08783e8333e28a089083ae7
  • Instruction ID: 83cdb89d2c422fdab732ee4621c2ae80335b342902e8d264ff429899c44ace92
  • Opcode Fuzzy Hash: 760695b3ae05dd4d3257817174a5fdddf37e82aac08783e8333e28a089083ae7
  • Instruction Fuzzy Hash: 8FA1617661AA83C9E710AF31E4541F9E7A5FB89B88F865431DA0E47B69CF3CD114C324
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.653930338.00007FF7A8FB1000.00000020.00020000.sdmp, Offset: 00007FF7A8FB0000, based on PE: true
  • Associated: 00000000.00000002.653926180.00007FF7A8FB0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653941982.00007FF7A8FC4000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.653945393.00007FF7A8FC5000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653951756.00007FF7A8FCB000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.653954906.00007FF7A8FCC000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653958581.00007FF7A8FCF000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_7ff7a8fb0000_sihost.jbxd
Similarity
  • API ID: Create$Instance$Event$CloseHandleInitializeObjectSingleUninitializeWait
  • String ID: Cleanup$SIHostShutdownEvent$onecoreuap\shell\shellhost\exe\shellhost.cpp
  • API String ID: 813278334-1281824810
  • Opcode ID: e4c1b2ef6965b7bde888bc93b2af3b0cb65e3bbfcfe1d275ccda588bf5890afc
  • Instruction ID: 3758ecec3fe389a85dc0e955387f269ef5449d42d62ade1ecb327e94da7c02c4
  • Opcode Fuzzy Hash: e4c1b2ef6965b7bde888bc93b2af3b0cb65e3bbfcfe1d275ccda588bf5890afc
  • Instruction Fuzzy Hash: DD025172A1AA838AE710BF31E8441A9E760FB85B94FC24531DA4E47BB5DF3CD504C368
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.653930338.00007FF7A8FB1000.00000020.00020000.sdmp, Offset: 00007FF7A8FB0000, based on PE: true
  • Associated: 00000000.00000002.653926180.00007FF7A8FB0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653941982.00007FF7A8FC4000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.653945393.00007FF7A8FC5000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653951756.00007FF7A8FCB000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.653954906.00007FF7A8FCC000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653958581.00007FF7A8FCF000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_7ff7a8fb0000_sihost.jbxd
Similarity
  • API ID: Heap$Process$ExclusiveLock$AcquireAddressAllocFreeHandleModuleProcRelease
  • String ID: RtlQueryFeatureConfiguration$ntdll.dll
  • API String ID: 3226637786-4111156962
  • Opcode ID: 1c9c2bc564f6a4e09dd9bef41ecb2e9d59238f70527084ec7129e2dfd2315b78
  • Instruction ID: 8ea1ec5d7e7d9d740750ad553607614fffc2e36132000abe35b40c717877fef6
  • Opcode Fuzzy Hash: 1c9c2bc564f6a4e09dd9bef41ecb2e9d59238f70527084ec7129e2dfd2315b78
  • Instruction Fuzzy Hash: EFE1BF76B1AA438AEB10AB36E804279F7E0FB48794F964535DD4E437A4DF3CE5408728
Uniqueness

Uniqueness Score: -1.00%

APIs
  • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF7A8FC2772), ref: 00007FF7A8FB39A6
  • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF7A8FC2772), ref: 00007FF7A8FB9809
  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF7A8FC2772), ref: 00007FF7A8FB9861
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF7A8FC2772), ref: 00007FF7A8FB9875
  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF7A8FC2772), ref: 00007FF7A8FB9881
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF7A8FC2772), ref: 00007FF7A8FB9895
  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF7A8FC2772), ref: 00007FF7A8FB98EE
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000000,?,?,00007FF7A8FC2772), ref: 00007FF7A8FB9902
Strings
Memory Dump Source
  • Source File: 00000000.00000002.653930338.00007FF7A8FB1000.00000020.00020000.sdmp, Offset: 00007FF7A8FB0000, based on PE: true
  • Associated: 00000000.00000002.653926180.00007FF7A8FB0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653941982.00007FF7A8FC4000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.653945393.00007FF7A8FC5000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653951756.00007FF7A8FCB000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.653954906.00007FF7A8FCC000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653958581.00007FF7A8FCF000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_7ff7a8fb0000_sihost.jbxd
Similarity
  • API ID: Heap$Process$Free$AddressAllocProcmemset
  • String ID: NtQueryWnfStateData
  • API String ID: 2515388404-3685890079
  • Opcode ID: da938599f48b1cc46a465499f653e41572521585826ed0970a80182c896bdffe
  • Instruction ID: 1261575769963ead02c0c50cba2406c0242cd9272f8b1009de87be09a8785845
  • Opcode Fuzzy Hash: da938599f48b1cc46a465499f653e41572521585826ed0970a80182c896bdffe
  • Instruction Fuzzy Hash: 8F91C272A0AB828AEB14AF22E404679F7A0FB89B44F964135DB4D43764EF3CE594C714
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000000.00000002.653930338.00007FF7A8FB1000.00000020.00020000.sdmp, Offset: 00007FF7A8FB0000, based on PE: true
  • Associated: 00000000.00000002.653926180.00007FF7A8FB0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653941982.00007FF7A8FC4000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.653945393.00007FF7A8FC5000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653951756.00007FF7A8FCB000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.653954906.00007FF7A8FCC000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653958581.00007FF7A8FCF000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_7ff7a8fb0000_sihost.jbxd
Similarity
  • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
  • String ID:
  • API String ID: 313767242-0
  • Opcode ID: 0fdeae89dbcdf5f976177e30e1cb9167db3b5695d9684be65b38a38a2f1c6953
  • Instruction ID: f287a8453deba17da63dd11109ac7e7c41d5692665f94f5d06eb3aa7d27ddc12
  • Opcode Fuzzy Hash: 0fdeae89dbcdf5f976177e30e1cb9167db3b5695d9684be65b38a38a2f1c6953
  • Instruction Fuzzy Hash: C7316572605B8289EB60AF70E8543EDB360FB54744F85443ADA4D47BA4DF3CD648C724
Uniqueness

Uniqueness Score: -1.00%

APIs
  • IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,?,?,00007FF7A8FB603D,?,?,?,?,?,?,00007FF7A8FB2A9D), ref: 00007FF7A8FB5F11
  • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF7A8FB603D,?,?,?,?,?,?,00007FF7A8FB2A9D), ref: 00007FF7A8FB5F29
  • UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF7A8FB603D,?,?,?,?,?,?,00007FF7A8FB2A9D), ref: 00007FF7A8FB5F32
  • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FF7A8FB603D,?,?,?,?,?,?,00007FF7A8FB2A9D), ref: 00007FF7A8FB5F4B
Memory Dump Source
  • Source File: 00000000.00000002.653930338.00007FF7A8FB1000.00000020.00020000.sdmp, Offset: 00007FF7A8FB0000, based on PE: true
  • Associated: 00000000.00000002.653926180.00007FF7A8FB0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653941982.00007FF7A8FC4000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.653945393.00007FF7A8FC5000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653951756.00007FF7A8FCB000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.653954906.00007FF7A8FCC000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653958581.00007FF7A8FCF000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_7ff7a8fb0000_sihost.jbxd
Similarity
  • API ID: ExceptionFilterUnhandled$CurrentDebuggerPresentProcess
  • String ID:
  • API String ID: 2506494423-0
  • Opcode ID: 8a4bbf019a2fe9f27894b3b5cec4757f8636bc0b8e582a255de52f2b032f2113
  • Instruction ID: 5ab3a530c1d475e84caef227e23b73eb8d3ead4c01b929f11072e877eb499c79
  • Opcode Fuzzy Hash: 8a4bbf019a2fe9f27894b3b5cec4757f8636bc0b8e582a255de52f2b032f2113
  • Instruction Fuzzy Hash: 2DF030B4D0A6478AF7043B72B819234E2A0FF69700FD71934C50A023B1DE3DA5858228
Uniqueness
  • Uniqueness Score: -1.00%
APIs
  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7A8FC241F,?,?,?,00007FF7A8FB7CB4), ref: 00007FF7A8FBBA25
Similarity
  • API ID: HeapProcess
  • String ID:
  • API String ID: 54951025-0
  • Opcode ID: 2fedca9d4ce82ba49ccab871be09b5bb32ffb5235eaf649fad600acd1e8ce6b5
  • Instruction ID: e19e4f174ff5b99236e7bb0179105d72e4c4d992b07f96da6d8af9077f3a395c
  • Instruction Fuzzy Hash: A2C01261A55A86C2E61467A37800074D6E1F75EB50F5A9430CE1905360DD3C51C18604
Uniqueness
  • Uniqueness Score: -1.00%
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: cb22272001c8417edb50a5407fe96c1f1ec2f523b8e21c2e3d37b32b99193ccb
  • Instruction ID: 9a2c9536f4e21e454d28224bf2c4278e01d249ef67560ac2a4c391906d357c81
  • Instruction Fuzzy Hash: 0851D573B196428BE3709F29E008A29F7E5FB55748F954235DA8C47BA0EB3DD842CB14
Uniqueness
  • Uniqueness Score: -1.00%
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: ede2a90272eea01b061403ddb808be9309194adced01f86080406a4233bb545e
  • Instruction ID: 658086055dd08d2a70215848cb5868cc0e4e878f7fbf10bba92eeb21701d52b6
  • Instruction Fuzzy Hash: 6FA00171A1A857D4EA48AB20A858021E234FB61304FC25531D00E519B09E2CA5108228
Uniqueness
  • Uniqueness Score: -1.00%
Similarity
  • API ID: ExclusiveLock$Heap$AcquireProcessReleaseThreadpoolTimer$AllocCreatememcpy
  • String ID:
  • API String ID: 3526632141-0
  • Opcode ID: 8c42dbdbc4cc24dece61c4f7b4c15cbb4bf26c960fe64dc1ee3305ed573bf469
  • Instruction ID: e5f462d60e1f5c14ff0a064ffcdf0359fe4a3edef183befeaa3155988b39e0d5
  • Instruction Fuzzy Hash: 46B154B5A0EA478AEB10AB32E904174E764FF59B91FC64531C94E037B5DF3CA544C728
Uniqueness
  • Uniqueness Score: -1.00%
Similarity
  • API ID: CurrentFormatMessageThread
  • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
  • API String ID: 2411632146-3173542853
  • Opcode ID: f53d47efe7d1891f9300d07e027bf2e834312f544596f232afec77a3084d0fd1
  • Instruction ID: 4fc7ba448b1b746f75d61a02c2a4b5b21eaeaa8c72d3afeee122bd6c38fc0928
  • Instruction Fuzzy Hash: CA614CB1A0B64389EB54EF62A4185B9E3A0FF49B84FC20536DA4D53774DF3CE9408728
Uniqueness
  • Uniqueness Score: -1.00%
APIs
  • InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7A8FB63E5
  • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7A8FB63F3
  • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7A8FB6409
  • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7A8FB6426
  • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7A8FB643A
  • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7A8FB644E
  • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7A8FB64E7
    • Part of subcall function 00007FF7A8FB68C0: IsProcessorFeaturePresent.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1 ref: 00007FF7A8FB68DC
    • Part of subcall function 00007FF7A8FB68C0: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A8FB6900
    • Part of subcall function 00007FF7A8FB68C0: RtlCaptureContext.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF7A8FB6909
    • Part of subcall function 00007FF7A8FB68C0: RtlLookupFunctionEntry.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF7A8FB6923
    • Part of subcall function 00007FF7A8FB68C0: RtlVirtualUnwind.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF7A8FB6964
    • Part of subcall function 00007FF7A8FB68C0: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A8FB6997
    • Part of subcall function 00007FF7A8FB68C0: IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FF7A8FB69B8
    • Part of subcall function 00007FF7A8FB68C0: SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7A8FB69D9
    • Part of subcall function 00007FF7A8FB68C0: UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7A8FB69E4
  • DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7A8FB652B
  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7A8FB653D
Similarity
  • API ID: AddressHandleProc$CriticalExceptionFilterModulePresentSectionUnhandledmemset$CaptureCloseContextCountCreateDebuggerDeleteEntryEventFeatureFunctionInitializeLookupProcessorSpinUnwindVirtual
  • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
  • API String ID: 2631387040-1714406822
  • Opcode ID: 7415e4963e2dd81c5abb907ffdeeb348c6a0ad5ad5cf8cafdaad84c6374dbf74
  • Instruction ID: dd334cfec49ca892ae9c9dd86bf8e7b3d0b5e631787ab126b60159d2802bf421
  • Instruction Fuzzy Hash: 814169B4A0BB0381FB04BB36EC14275E3A1BF4A791FD61935C91D027B4DF2CE6558228
Uniqueness
  • Uniqueness Score: -1.00%
Similarity
  • API ID: CloseCreateHandle$DescriptorEventSecurity$ConvertFreeLocalMultipleObjectsStringThreadWait
  • String ID: D:(A;;GA;;;SY)(A;;0x001F0003;;;WD)(A;;0x001F0003;;;AC)$NavigationServer Started$Stop NavigationServer$onecoreuap\shell\shellhost\exe\navigationservercomponent.cpp
  • API String ID: 1544938731-2453062237
  • Opcode ID: 6610182b16b07c5c35d4e798baaf1fff6b07e3e5847b71cdd66ddd3515378db0
  • Instruction ID: 0cb7f8691e10609c8203c852265d0c63e15d7c1b5c691d63900f5008454fe628
  • Instruction Fuzzy Hash: 5F51507290AA4386E710AB24E4041ADFBA1FB89BA4F964331DA6D43BE8DF3CD505C754
Uniqueness
  • Uniqueness Score: -1.00%
APIs
  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,00007FF7A8FB2DB9), ref: 00007FF7A8FB2FDF
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,00007FF7A8FB2DB9), ref: 00007FF7A8FB2FF3
  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,00007FF7A8FB2DB9), ref: 00007FF7A8FB300B
Similarity
  • API ID: Heap$Process$Alloc
  • String ID:
  • API String ID: 651230671-0
  • Opcode ID: cdefcb1db1d26c9dd182665a55606c090f7038fe7961fce3f256aa8402520a22
  • Instruction ID: 368c7027833512207fa828a3df0ed82c405f404cd5e8c9a1e7325ee7e1dc24bc
  • Instruction Fuzzy Hash: 6E518171A0AB428AEB10AF76A408178F7A4FB49B84F968531CE5E137A5DF3CD541C318
Uniqueness
  • Uniqueness Score: -1.00%
APIs
  • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF7A8FB2CA5), ref: 00007FF7A8FB3531
  • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF7A8FB2CA5), ref: 00007FF7A8FB3555
  • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF7A8FB2CA5), ref: 00007FF7A8FB3575
  • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7A8FB35A7
  • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7A8FB36D6
  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7A8FB3756
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7A8FB376A
  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7A8FB3783
  • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7A8FB385E
    • Part of subcall function 00007FF7A8FB3B50: GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7A8FB3B82
    • Part of subcall function 00007FF7A8FB3B50: CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7A8FB3BC5
    • Part of subcall function 00007FF7A8FB3B50: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7A8FB3C29
    • Part of subcall function 00007FF7A8FB3B50: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7A8FB3C41
    • Part of subcall function 00007FF7A8FB3B50: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7A8FB3C59
    • Part of subcall function 00007FF7A8FB3B50: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A8FB3CE9
Similarity
  • API ID: ExclusiveHeapLock$Process$AcquireRelease$Alloc$CreateCurrentMutexmemset
  • String ID:
  • API String ID: 1725557183-0
  • Opcode ID: ff1a12a855fb292b664101693732647ba390d5763983d91ff92ac975b2711831
  • Instruction ID: 78a0e4c33118a8e74b2c2b9a5f0bf448a6993082f4f687d57fd7074cc90a24f5
  • Instruction Fuzzy Hash: 7AC14172706B868AEA149F25E4083B9E7A1FB58B84F968535CE5E03760EF3CE155C314
Uniqueness
  • Uniqueness Score: -1.00%
APIs
  • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7A8FB3B82
    • Part of subcall function 00007FF7A8FB42C0: _vsnwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7A8FB42FE
  • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7A8FB3BC5
    • Part of subcall function 00007FF7A8FB73AC: WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7A8FB73C5
  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7A8FB3C29
  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7A8FB3C41
  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7A8FB3C59
  • memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7A8FB3CE9
  • InitializeCriticalSectionEx.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7A8FB3DC5
Similarity
  • API ID: HeapProcess$AllocCreateCriticalCurrentInitializeMutexObjectSectionSingleWait_vsnwprintfmemset
  • String ID: Local\SM0:%d:%d:%hs$wil
  • API String ID: 1431277664-2303653343
  • Opcode ID: 1483fb3e8f9d19f524c847786b48dadb74f5e99ec2e02b259794cb69216782d0
  • Instruction ID: 85d8c3f797f6e3fd10f52fadd005a128d20245ad2acc1298e3cf4117dc4ae992
  • Instruction Fuzzy Hash: 22A1AB7260AB829AE754EF31E4443A9F7A4FB88B40F894135DB8D43B61DF38E164C718
Uniqueness
  • Uniqueness Score: -1.00%
APIs
  • GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,00007FF7A8FB23E1,?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB2637
  • LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,00007FF7A8FB23E1,?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB2653
  • GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,00007FF7A8FB23E1,?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB2686
  • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,00007FF7A8FB23E1,?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB26A7
  • LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,00007FF7A8FB23E1,?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB26BB
  • CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,00007FF7A8FB23E1,?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB26E5
  • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,00007FF7A8FB23E1,?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB2706
  • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,00007FF7A8FB23E1,?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB9139
Similarity
  • API ID: Local$AllocFreeInformationToken$CopyLength
  • String ID: onecoreuap\shell\shellhost\exe\shellhost.cpp
  • API String ID: 3551734241-2852981126
  • Opcode ID: 28c0ce03c1d8bc68367d855ef1e3ca608391c157d7b91b875f9ab22a80bfb8ab
  • Instruction ID: dbb15856e19917929bcbdf30a41a1a29e51bdfb3a6425eae7d99f7b099d5cba0
  • Instruction Fuzzy Hash: 2E51917260AA83C6EB00AB21E454179FBA1FBC9780FA64131DA4E47B74DF3DD505C728
Uniqueness
  • Uniqueness Score: -1.00%
Similarity
  • API ID: AddressProc$HandleModule
  • String ID: NtQueryWnfStateData$RtlSubscribeWnfStateChangeNotification$ntdll.dll
  • API String ID: 667068680-2039735580
  • Opcode ID: 06b5fdbebb0717c15d789168b9c6f29119ddb5cd3c1e206778cb9a04464b06b9
  • Instruction ID: 1d851f52b4a934adeed474a46fc1b6d8d830b77a1e372d1e3e36b37422251a4a
  • Instruction Fuzzy Hash: B1414A75A0AB4386EB10AF22E444278F7A4FB49B91FC64935D98D03774DF3CE5158728
Uniqueness
  • Uniqueness Score: -1.00%
APIs
  • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7A8FB9C43), ref: 00007FF7A8FBC212
Similarity
  • API ID: ObjectSingleWait
  • String ID: wil
  • API String ID: 24740636-1589926490
  • Opcode ID: 1d9aae28c9eebaa832d58562fae093a3dfbb4da344bf33d463b3eae156b12af7
  • Instruction ID: 4daa50682c04c6bf3c75ed76c4e33b170aec11002a05f66b3d50823925beb671
  • Instruction Fuzzy Hash: 6B419431A0E5438BF3606BB1E40827AE661FF95781FD68131D90D86BB4CF3CE4059725
Uniqueness
  • Uniqueness Score: -1.00%
Similarity
  • API ID: __scrt_acquire_startup_lock__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_initterm_o__cexit_o__exit_o__get_wide_winmain_command_line_register_thread_local_exe_atexit_callback
  • String ID:
  • API String ID: 3735939617-0
  • Opcode ID: 4b123af5bd5984ad40ee6a85ff30e261c3c6f67e915c0be045ab6e2aea5c87a5
  • Instruction ID: be01779cc7f69aef0fdf81bc35f20d75ed9a0b28a1b0ec1fb97ef54df1219fac
  • Instruction Fuzzy Hash: ED311731E0F2434AFE54BB75995A2B9E391AF49384FD74434E50E473F2DE2CA5088238
Uniqueness
  • Uniqueness Score: -1.00%
Similarity
  • API ID: ErrorLast$CreateSemaphore
  • String ID: _p0$wil
  • API String ID: 4049970386-1814513734
  • Opcode ID: bd52d2ec7c5baf2bf4fd4973198c08698082c54ea4329ad1625e04f03ceb12c2
  • Instruction ID: 30a06d4a07028aaf7f9232b056e34da440bc9fe923aa24f3252e2bc85617c5a4
  • Instruction Fuzzy Hash: 18819271B1E7838AEB64AF709058279E6A0FF58780F969135DA4E07BA4DF3CD904C718
Uniqueness
  • Uniqueness Score: -1.00%
Similarity
  • API ID: CurrentExclusiveLockThread$AcquireBeginEventInitInitializeOnceReleaseTransferWrite
  • String ID:
  • API String ID: 3645167636-0
  • Opcode ID: b364381a24827ceae5654547bf6c2426ff75cc91d35787ac2410c0c82a293acf
  • Instruction ID: c54762d08c6ac2de19d1fa7959378be40e3a1ee7a207a2ff0bbae778f84f52a2
  • Instruction Fuzzy Hash: 70E13776A0AB82DEEB109F71E4402ACB7B8FB48748F914136DA4D13B68DF38E554C754
Uniqueness
  • Uniqueness Score: -1.00%
Similarity
  • API ID: CurrentExclusiveLockThread$AcquireBeginEventInitInitializeOnceReleaseTransferWrite
  • String ID:
  • API String ID: 3645167636-0
  • Opcode ID: 3b99c11b68b62a6296169b88afe9511415a8d45b2bdf2f41efb10d531ea9f7cb
  • Instruction ID: abbf4598b56e24e192615b71ecaa79046a5371767c7b04794153416dab78064b
  • Instruction Fuzzy Hash: 67E12576A0AB82DAEB10DF71E4402ACB7B4FB48748F924136DA4D13B68DF38E594C754
Uniqueness
  • Uniqueness Score: -1.00%
Similarity
  • API ID: CurrentExclusiveLockThread$AcquireBeginEventInitInitializeOnceReleaseTransferWrite
  • String ID:
  • API String ID: 3645167636-0
  • Opcode ID: c1f507409c688761fce5bf49945d6a85dad11dd50042b803fd95f238bf1ab9fc
  • Instruction ID: 33192abe054e73cc8e74935df10dbcbd56e541a8dbb645b402672ab21bb46366
  • Instruction Fuzzy Hash: 9DE12576A0AB829AEB10DF71E4402ACB7B4FB48748F924136DA4D13B68DF38E554C764
Uniqueness
  • Uniqueness Score: -1.00%
APIs
  • LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,00000001,?,00007FF7A8FB2370,?,?,?,?,?,?,00007FF7A8FB1314), ref: 00007FF7A8FB2B1F
Similarity
  • API ID: AllocLocal
  • String ID: onecore\internal\sdk\inc\wil\opensource\wil\resource.h$z
  • API String ID: 3494564517-2796241437
  • Opcode ID: a53eeddf7e7e2ad6c2a67a57b589d2597fb95408afff5762a7c25cb7f755296e
  • Instruction ID: ec8e55a201e526bcedab2ea1b4ddd680d409d9135d5493699060a8f02dde1d4c
  • Instruction Fuzzy Hash: 2961B471B0A7438AEA116F319448179E6A0FF49BA0FD68631CA1E077F4DF3CA945C328
Uniqueness
  • Uniqueness Score: -1.00%
APIs
  • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7A8FB2CC8
  • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7A8FB2D11
  • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7A8FB2D2E
  • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7A8FB2DBD
    • Part of subcall function 00007FF7A8FB34B0: AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF7A8FB2CA5), ref: 00007FF7A8FB3531
    • Part of subcall function 00007FF7A8FB34B0: ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF7A8FB2CA5), ref: 00007FF7A8FB3555
    • Part of subcall function 00007FF7A8FB34B0: AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF7A8FB2CA5), ref: 00007FF7A8FB3575
    • Part of subcall function 00007FF7A8FB34B0: AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7A8FB35A7
Strings
Similarity
  • API ID: ExclusiveLock$Acquire$Release$AddressHandleModuleProc
  • String ID: RtlRegisterFeatureConfigurationChangeNotification$ntdll.dll
  • API String ID: 102641800-4023217342
  • Opcode ID: ee2412d7db40557a45387789a75830a12a228fb503252e49d9b0183459acf89f
  • Instruction ID: 01dc3ed26245c9dad99cae4fbdbe63d0755c03645fde39458ba5e3b706e47084
  • Opcode Fuzzy Hash: ee2412d7db40557a45387789a75830a12a228fb503252e49d9b0183459acf89f
  • Instruction Fuzzy Hash: 114112B890AA8785FB00AB32E8543B5E764BF59791FC64931C91D027B8DF7CE2448728
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
  • API ID: ExclusiveLock$AcquireRelease
  • String ID:
  • API String ID: 17069307-0
  • Opcode ID: e93bc8acb1d3f9c4cef6c863626d9d77ce554436c1da5fb311a4a4b050b791e9
  • Instruction ID: 248b415b8fdf1514ef840d1ed1fc209c7adf94bb010ae0778beeae2290eaddd1
  • Opcode Fuzzy Hash: e93bc8acb1d3f9c4cef6c863626d9d77ce554436c1da5fb311a4a4b050b791e9
  • Instruction Fuzzy Hash: F3514676A0AA078AEB10AF35E454169F774FB88B80F924432DA8D437B4DF3CE654C764
Uniqueness

Uniqueness Score: -1.00%

APIs
  • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00007FF7A8FB13BB), ref: 00007FF7A8FB9F44
  • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00007FF7A8FB13BB), ref: 00007FF7A8FB9F62
Similarity
  • API ID: ExclusiveLock$AcquireRelease
  • String ID:
  • API String ID: 17069307-0
  • Opcode ID: 1ff3a4e5ac060620f3b5cc0ee19c925f944bba880737d9937d27927b204525db
  • Instruction ID: 194c4063661e097fd3c13cb60f1e01b89ea767075538e51edf78275e3c91822e
  • Opcode Fuzzy Hash: 1ff3a4e5ac060620f3b5cc0ee19c925f944bba880737d9937d27927b204525db
  • Instruction Fuzzy Hash: 7C517336A0A6838AEA70AF21E5043B9F760FF99B54F964031CA4D43B65DF3CD941C724
Uniqueness

Uniqueness Score: -1.00%

APIs
  • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF7A8FBED27), ref: 00007FF7A8FC06FD
  • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF7A8FBED27), ref: 00007FF7A8FC071D
  • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF7A8FBED27), ref: 00007FF7A8FC073D
  • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF7A8FBED27), ref: 00007FF7A8FC074C
  • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF7A8FBED27), ref: 00007FF7A8FC07A4
  • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FF7A8FBED27), ref: 00007FF7A8FC07C9
Similarity
  • API ID: Lock$AcquireCriticalExclusiveReleaseSectionShared$EnterLeave
  • String ID:
  • API String ID: 3221859647-0
  • Opcode ID: 32cca8bd6303ef6c1520b493af6ac73cc6445521006bcd9c169fb53c59c21cb3
  • Instruction ID: 17c1038ad21e4996124a52befe6349e34e028b453538f978a5fef075b5591a3f
  • Opcode Fuzzy Hash: 32cca8bd6303ef6c1520b493af6ac73cc6445521006bcd9c169fb53c59c21cb3
  • Instruction Fuzzy Hash: 99319775F0AB5286EA159F21A500079E760FF99F90F8A5930DE0E17B24CF3CD2468B14
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
  • API ID: ErrorLastOpenSemaphore
  • String ID: _p0$wil
  • API String ID: 1909229842-1814513734
  • Opcode ID: 3d2ea10408e8dd3bc156aecb2431916cd348c76b87bf1be38d89a6048e3f20e1
  • Instruction ID: 01bc148388c6c1556c0bd5840dd36a9ca6532688a264c49738d373844fb0737f
  • Opcode Fuzzy Hash: 3d2ea10408e8dd3bc156aecb2431916cd348c76b87bf1be38d89a6048e3f20e1
  • Instruction Fuzzy Hash: B97184B1B0E68389FE61AB719518279E390FF94B80FD64131DA4D47B65EE3CE901C328
Uniqueness

Uniqueness Score: -1.00%

APIs
  • _Init_thread_footer.LIBCMT ref: 00007FF7A8FB1ECD
    • Part of subcall function 00007FF7A8FB6550: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7A8FB1ED2,?,?,?,?,?,?,?,00000000,00007FF7A8FB15CC), ref: 00007FF7A8FB6560
    • Part of subcall function 00007FF7A8FB6550: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7A8FB1ED2,?,?,?,?,?,?,?,00000000,00007FF7A8FB15CC), ref: 00007FF7A8FB65A0
  • CoTaskMemRealloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,00000000,00007FF7A8FB15CC), ref: 00007FF7A8FB1F9F
  • CoGetMalloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,00000000,00007FF7A8FB15CC), ref: 00007FF7A8FB1FC1
    • Part of subcall function 00007FF7A8FB65B8: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7A8FB1EA5,?,?,?,?,?,?,?,00000000,00007FF7A8FB15CC), ref: 00007FF7A8FB65C8
Strings
  • onecoreuap\shell\shellhost\exe\navigationservercomponent.cpp, xrefs: 00007FF7A8FB8DD0
Similarity
  • API ID: CriticalSection$Enter$Init_thread_footerLeaveMallocReallocTask
  • String ID: onecoreuap\shell\shellhost\exe\navigationservercomponent.cpp
  • API String ID: 3282265001-3014600045
  • Opcode ID: daa2cccfbbef6b7ecab84808499301fcf2dbddc96a0b2fe801c55fa43830251f
  • Instruction ID: 9f878b7cfe1bdd8d519a4068d3c6edba550976cb703c5c54049838f84a61b9f2
  • Opcode Fuzzy Hash: daa2cccfbbef6b7ecab84808499301fcf2dbddc96a0b2fe801c55fa43830251f
  • Instruction Fuzzy Hash: B461A576B0AB4786EA10AB36E444179E360FB98BD4F924631DA5D437B5CF3CE584C324
Uniqueness

Uniqueness Score: -1.00%

APIs
  • MakeAbsoluteSD.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A8FB23C5), ref: 00007FF7A8FB2799
  • LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A8FB23C5), ref: 00007FF7A8FB27B6
  • MakeAbsoluteSD.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A8FB23C5), ref: 00007FF7A8FB282D
  • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A8FB23C5), ref: 00007FF7A8FB91B1
Strings
Similarity
  • API ID: AbsoluteLocalMake$AllocFree
  • String ID: onecoreuap\shell\shellhost\exe\shellhost.cpp
  • API String ID: 2999037042-2852981126
  • Opcode ID: 2a1846a9aa70c975b5cc5bdfd288eda20e6496d6379007f384fbb365cced1ae5
  • Instruction ID: 335d7505bcbee229c5e368ec461d577d823ceacf70f7b3a3cae431df04a47b02
  • Opcode Fuzzy Hash: 2a1846a9aa70c975b5cc5bdfd288eda20e6496d6379007f384fbb365cced1ae5
  • Instruction Fuzzy Hash: 09415E72A06B428EE700DF61E8845ECBBB4FB48798B558135EA4D47B28DF38D554C744
Uniqueness

Uniqueness Score: -1.00%

APIs
  • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7A8FBB70E
    • Part of subcall function 00007FF7A8FB42C0: _vsnwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7A8FB42FE
  • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7A8FBB756
    • Part of subcall function 00007FF7A8FBDD20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF7A8FBB984,?,?,00000000,00007FF7A8FBCACB,?,?,?,?,?,00007FF7A8FB5B41), ref: 00007FF7A8FBDD42
    • Part of subcall function 00007FF7A8FBDD20: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF7A8FBB984,?,?,00000000,00007FF7A8FBCACB,?,?,?,?,?,00007FF7A8FB5B41), ref: 00007FF7A8FBDD5A
Strings
Similarity
  • API ID: ErrorLast$CreateCurrentMutexProcess_vsnwprintf
  • String ID: Local\SM0:%d:%d:%hs$wil$x
  • API String ID: 1672426814-630742106
  • Opcode ID: 9454a066d6a5b8527164cf54e420db0a7fcbd4e440fa2b626aac2dfae96c6c0c
  • Instruction ID: c004773f040922e5fd474f891e1d17d76051b04ffdd057ea13aa8addb6a56159
  • Opcode Fuzzy Hash: 9454a066d6a5b8527164cf54e420db0a7fcbd4e440fa2b626aac2dfae96c6c0c
  • Instruction Fuzzy Hash: D141A03261AA838AEB50AF31E8443FAE360FF88784F955031EA4E47BA5DE3CD505C714
Uniqueness

Uniqueness Score: -1.00%

APIs
  • InitOnceBeginInitialize.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF7A8FB28A7
  • EventWriteTransfer.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FF7A8FB2A81
    • Part of subcall function 00007FF7A8FB635C: _onexit.LIBCMT ref: 00007FF7A8FB6360
  • EventRegister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FF7A8FB2946
  • EventSetInformation.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FF7A8FB2965
  • InitOnceComplete.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF7A8FB299F
Similarity
  • API ID: Event$InitOnce$BeginCompleteInformationInitializeRegisterTransferWrite_onexit
  • String ID:
  • API String ID: 3270399283-0
  • Opcode ID: dad205ba0931ae5bf106e24c0b008e886a7e90ba2437931ad2f23927713e594b
  • Instruction ID: 7c7ef4343aa95c0edb8d3f9eb559870e2ea0b3702589d8a7de1f6c1a57c022f8
  • Opcode Fuzzy Hash: dad205ba0931ae5bf106e24c0b008e886a7e90ba2437931ad2f23927713e594b
  • Instruction Fuzzy Hash: F3513AB6609B86C5E710AF25E8443A9F7A4FB88B84F964536CA8D43734DF3CD145CB14
Uniqueness

Uniqueness Score: -1.00%

APIs
  • _o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7A8FBB1E3), ref: 00007FF7A8FBE102
  • _o__invalid_parameter_noinfo.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7A8FBB1E3), ref: 00007FF7A8FBE115
Similarity
  • API ID: _o__errno_o__invalid_parameter_noinfo
  • String ID:
  • API String ID: 2671245207-0
  • Opcode ID: c65b1c8bdad96f9d462e49913f22fccb0ac67488db49391d0f0732af0f9ecda7
  • Instruction ID: 3baa33caf680775bfa38ec0608b0941ce42f468003e59b31a979768eaae174a8
  • Opcode Fuzzy Hash: c65b1c8bdad96f9d462e49913f22fccb0ac67488db49391d0f0732af0f9ecda7
  • Instruction Fuzzy Hash: EF019230F0F6438AFA903B71A94C179E550AF59BC0FDA8430DE0E07BAEDE2CD4015228
Uniqueness

Uniqueness Score: -1.00%

APIs
  • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00007FF7A8FB1D0C,?,?,?,00007FF7A8FB1928), ref: 00007FF7A8FB1E09
  • ?_Xlength_error@std@@YAXPEBD@Z.MSVCP_WIN(?,?,00000000,00007FF7A8FB1D0C,?,?,?,00007FF7A8FB1928), ref: 00007FF7A8FB8CBF
    • Part of subcall function 00007FF7A8FB6724: _o_malloc.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7A8FB673E
  • _o__invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00007FF7A8FB1D0C,?,?,?,00007FF7A8FB1928), ref: 00007FF7A8FB8D4F
Strings
Similarity
  • API ID: Xlength_error@std@@_o__invalid_parameter_noinfo_noreturn_o_mallocmemmove
  • String ID: vector<T> too long
  • API String ID: 3359078463-3788999226
  • Opcode ID: 7d6ddc7acb0c455971ebd3b46f19e113e08f19f99cbf18466f106090f25d0fd0
  • Instruction ID: 10d3320e8859e7a80b03c346003bdafb6a497c49f8ad293280f01f23604910ab
  • Opcode Fuzzy Hash: 7d6ddc7acb0c455971ebd3b46f19e113e08f19f99cbf18466f106090f25d0fd0
  • Instruction Fuzzy Hash: EB41D2B2B16A8645EE10AB35E908178E751AB49BF4FA14331DA7D07BE8DE3CE0918314
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
  • API ID: CoreCreate
  • String ID: NavigationServer Started$Stop NavigationServer$onecoreuap\shell\shellhost\exe\navigationservercomponent.cpp
  • API String ID: 463350625-3709697362
  • Opcode ID: f6af4c8227fe30335ef4bf2510a0547321695e7665f3056c9c8603154c3e7948
  • Instruction ID: 97d81291ad860d131671c97f4a30a787f3741c04391449048f0f06bdc88286f0
  • Opcode Fuzzy Hash: f6af4c8227fe30335ef4bf2510a0547321695e7665f3056c9c8603154c3e7948
  • Instruction Fuzzy Hash: 16415F3161EB4385E710AB35E494179FB60FB88B84F925432DA4E83775DE3CD544D724
Uniqueness

Uniqueness Score: -1.00%

APIs
  • GetSecurityDescriptorDacl.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF7A8FB2414), ref: 00007FF7A8FB257A
  • BuildTrusteeWithSidW.API-MS-WIN-SECURITY-TRUSTEE-L1-1-0 ref: 00007FF7A8FB25A7
  • SetEntriesInAclW.API-MS-WIN-SECURITY-PROVIDER-L1-1-0 ref: 00007FF7A8FB25D1
Strings
Similarity
  • API ID: BuildDaclDescriptorEntriesSecurityTrusteeWith
  • String ID: onecoreuap\shell\shellhost\exe\shellhost.cpp
  • API String ID: 1068116444-2852981126
  • Opcode ID: c101999a337754b80e5eebc61a5308e622c64c1e06125e68f879dac7f3e0e8e1
  • Instruction ID: 517c79c9d8dc32ce320b70d59401d47ffe4b0bd19e0b91289079242f4c37b467
  • Opcode Fuzzy Hash: c101999a337754b80e5eebc61a5308e622c64c1e06125e68f879dac7f3e0e8e1
  • Instruction Fuzzy Hash: DD217F72A09743C6E720AF21E4542ADFBA0FB88B80F968135DA4D47765CF3CD644CB64
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
  • API ID: AddressHandleModuleProc
  • String ID: RtlDisownModuleHeapAllocation$ntdll.dll
  • API String ID: 1646373207-704576883
  • Opcode ID: cc0cf7c3f5ab74096ccc32eb93e052a423ffeb3581dfd02b3e81863a1fb1ad7d
  • Instruction ID: 2804059d35fe61d12b1904719c9ef02da1d6986fa13493c2731703e7b964cc0f
  • Opcode Fuzzy Hash: cc0cf7c3f5ab74096ccc32eb93e052a423ffeb3581dfd02b3e81863a1fb1ad7d
  • Instruction Fuzzy Hash: 0D01FBB4A0BB4785EE44EB62F584074E3A4BF4DB91FDA8535C90D06770EF3CE1408628
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
  • API ID: AddressHandleModuleProc
  • String ID: RaiseFailFastException$kernelbase.dll
  • API String ID: 1646373207-919018592
  • Opcode ID: dc85d8d27abdf46fcdec8c3a65483979fc51fb53e2b4322168ca3c074bc24615
  • Instruction ID: 53701c56d20434ec8e6842a327ed288272fff3e8a739b3335e06e15ecfbfdb0c
  • Opcode Fuzzy Hash: dc85d8d27abdf46fcdec8c3a65483979fc51fb53e2b4322168ca3c074bc24615
  • Instruction Fuzzy Hash: A0F03075A1968282E604AB12F944079FB60FB49BC0F859535DD1D07B64CF3CD5418714
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
  • API ID: AddressHandleModuleProc
  • String ID: RtlDllShutdownInProgress$ntdll.dll
  • API String ID: 1646373207-582119455
  • Opcode ID: f3d0ec9e2f5ed1fd06a06a1b91fee2ad70e83c818209e2449acb32378a8b3163
  • Instruction ID: d86fb84b0219a226bd2ec78fdc65fa040eff4890e0466b4b0059c4a19e0988b3
  • Opcode Fuzzy Hash: f3d0ec9e2f5ed1fd06a06a1b91fee2ad70e83c818209e2449acb32378a8b3163
  • Instruction Fuzzy Hash: 7AF0A9B4E0BB4BD5FE54AB22A844134E7A4BF5D741FD64935C80D02370EF3CA2549728
Uniqueness

Uniqueness Score: -1.00%

APIs
  • _o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,-00000040,00007FF7A8FC240D,?,?,?,00007FF7A8FB7CB4), ref: 00007FF7A8FB8750
  • memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,-00000040,00007FF7A8FC240D,?,?,?,00007FF7A8FB7CB4), ref: 00007FF7A8FB8776
  • _o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,-00000040,00007FF7A8FC240D,?,?,?,00007FF7A8FB7CB4), ref: 00007FF7A8FB8785
  • _o__invalid_parameter_noinfo.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,-00000040,00007FF7A8FC240D,?,?,?,00007FF7A8FB7CB4), ref: 00007FF7A8FB8797
Similarity
  • API ID: _o__errno$_o__invalid_parameter_noinfomemset
  • String ID:
  • API String ID: 1330570140-0
  • Opcode ID: 6077a958416cbf2634d1214659d021019bcf06e55ff4da37f20ab35ae5e13075
  • Instruction ID: 18ba8ec5e37624850654ae2d2c4bda0ecfad18dfe6cb0a97ee31b22a6dcc3728
  • Opcode Fuzzy Hash: 6077a958416cbf2634d1214659d021019bcf06e55ff4da37f20ab35ae5e13075
  • Instruction Fuzzy Hash: B3019675E1E64389FA107FB1A6082B9D590EF44BC0F9A8530DE0D43BA6DF2CD4504729
Uniqueness

Uniqueness Score: -1.00%

APIs
  • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7A8FC2004,?,?,?,?,?,?,?,?,00007FF7A8FB5B85), ref: 00007FF7A8FC1F61
  • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7A8FC2004,?,?,?,?,?,?,?,?,00007FF7A8FB5B85), ref: 00007FF7A8FC1F70
  • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7A8FC2004,?,?,?,?,?,?,?,?,00007FF7A8FB5B85), ref: 00007FF7A8FC1FA7
  • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7A8FC2004,?,?,?,?,?,?,?,?,00007FF7A8FB5B85), ref: 00007FF7A8FC1FBB
Similarity
  • API ID: CriticalExclusiveLockSection$AcquireEnterLeaveRelease
  • String ID:
  • API String ID: 1115728412-0
  • Opcode ID: d774d1fb070c6ca4d59524acdb4b0e89d1b63fe542750b6de2cbce8be67dcd41
  • Instruction ID: 6fe656dc7ce566338d5489e5ee7986ab27c815643043af7510a13b2df21528a2
  • Opcode Fuzzy Hash: d774d1fb070c6ca4d59524acdb4b0e89d1b63fe542750b6de2cbce8be67dcd41
  • Instruction Fuzzy Hash: DE018472A09B8382DE549B21A140078EB60FB9AF80B4A9630DE4E13B24DF3CD590C704
Uniqueness

Uniqueness Score: -1.00%

APIs
  • _o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7A8FC13A6), ref: 00007FF7A8FC3063
  • _o__invalid_parameter_noinfo.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7A8FC13A6), ref: 00007FF7A8FC3076
  • _o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7A8FC13A6), ref: 00007FF7A8FC3089
  • memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF7A8FC13A6), ref: 00007FF7A8FC30A2
Similarity
  • API ID: _o__errno$_o__invalid_parameter_noinfomemmove
  • String ID:
  • API String ID: 2571840558-0
  • Opcode ID: 6ad04910ffd00424692759f966fa8a582d1949166d1cdcd3adabfffed080e197
  • Instruction ID: e97b00eb02e575ac97ab0a162ecd9251caa736ceddff6e25e973cedc32612e42
  • Opcode Fuzzy Hash: 6ad04910ffd00424692759f966fa8a582d1949166d1cdcd3adabfffed080e197
  • Instruction Fuzzy Hash: 4DF089B2E5B74786FE503BF16444579D590AF2D785FC64834CD0E473A1DE2C6644523C
Uniqueness

Uniqueness Score: -1.00%

APIs
  • InitializeCriticalSectionEx.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7A8FB1130), ref: 00007FF7A8FB5206
  • InitializeCriticalSectionEx.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7A8FB1130), ref: 00007FF7A8FB523A
Strings
Memory Dump Source
  • Source File: 00000000.00000002.653930338.00007FF7A8FB1000.00000020.00020000.sdmp, Offset: 00007FF7A8FB0000, based on PE: true
  • Associated: 00000000.00000002.653926180.00007FF7A8FB0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653941982.00007FF7A8FC4000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.653945393.00007FF7A8FC5000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653951756.00007FF7A8FCB000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.653954906.00007FF7A8FCC000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653958581.00007FF7A8FCF000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_7ff7a8fb0000_sihost.jbxd
Similarity
  • API ID: CriticalInitializeSection
  • String ID: WilStaging_02
  • API String ID: 32694325-3875344107
  • Opcode ID: 2bfc6fe8ecbdc230abc1b42a5d0ec1ecca6d7c0fb9048f28d98f7b740431201a
  • Instruction ID: 2c3ecea6b80e62449c8c747fe27de79a3fd28dd44e983ef58dfda145fcba37f6
  • Opcode Fuzzy Hash: 2bfc6fe8ecbdc230abc1b42a5d0ec1ecca6d7c0fb9048f28d98f7b740431201a
  • Instruction Fuzzy Hash: 6921D532625BA192E348CB28E94039DB7A8F759F84F65921AE79813B60DF7591B3C700
Uniqueness

Uniqueness Score: -1.00%

APIs
  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF7A8FBB3F3,?,?,?,00007FF7A8FBCADF,?,?,?,?,?,00007FF7A8FB5B41), ref: 00007FF7A8FBB8B5
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF7A8FBB3F3,?,?,?,00007FF7A8FBCADF,?,?,?,?,?,00007FF7A8FB5B41), ref: 00007FF7A8FBB8C9
  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF7A8FBB3F3,?,?,?,00007FF7A8FBCADF,?,?,?,?,?,00007FF7A8FB5B41), ref: 00007FF7A8FBB8ED
  • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF7A8FBB3F3,?,?,?,00007FF7A8FBCADF,?,?,?,?,?,00007FF7A8FB5B41), ref: 00007FF7A8FBB901
Memory Dump Source
  • Source File: 00000000.00000002.653930338.00007FF7A8FB1000.00000020.00020000.sdmp, Offset: 00007FF7A8FB0000, based on PE: true
  • Associated: 00000000.00000002.653926180.00007FF7A8FB0000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653941982.00007FF7A8FC4000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.653945393.00007FF7A8FC5000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653951756.00007FF7A8FCB000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.653954906.00007FF7A8FCC000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.653958581.00007FF7A8FCF000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_7ff7a8fb0000_sihost.jbxd
Similarity
  • API ID: Heap$FreeProcess
  • String ID:
  • API String ID: 3859560861-0
  • Opcode ID: 0cc06ab650aa64920a75d08c8ab35af528eaa4bddd00f1d113b514ea5b55380e
  • Instruction ID: 918b2b79c02d2d7c048c92b899189f4cfa21f2ebde4eb96342aa4ad89d77c8fa
  • Opcode Fuzzy Hash: 0cc06ab650aa64920a75d08c8ab35af528eaa4bddd00f1d113b514ea5b55380e
  • Instruction Fuzzy Hash: D5113A72A05B81C6E7009F66F4040ACFBB0F759F80B9A8125DB4D03B68DF38E596C744
Uniqueness

Uniqueness Score: -1.00%