Create Interactive Tour

Windows Analysis Report userinit.exe

Overview

General Information

Sample Name:	userinit.exe
Analysis ID:	437306
MD5:	582a919ca5f944aa83895a5c633c122c
SHA1:	6d0c6aea6bce05166761085b1d612558f81d877a
SHA256:	eda7ee39d4db8142a1e0788e205e80ae798035d60273e74981e09e98c8d0e740
Infos:
Most interesting Screenshot:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to launch a program with higher privileges

Detected potential crypto function

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

userinit.exe (PID: 5720 cmdline: 'C:\Users\user\Desktop\userinit.exe' MD5: 582A919CA5F944AA83895A5C633C122C)

explorer.exe (PID: 3704 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: userinit.exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: userinit.pdb source: userinit.exe
Source:	Binary string: userinit.pdbGCTL source: userinit.exe

Source: explorer.exe, 00000002.00000002.212696191.0000000002BB0000.00000002.00000001.sdmp

String found in binary or memory: http://www.%s.comPA

Source: C:\Users\user\Desktop\userinit.exe	Code function: 0_2_00007FF7CACF3810	0_2_00007FF7CACF3810
Source: C:\Users\user\Desktop\userinit.exe	Code function: 0_2_00007FF7CACF3508	0_2_00007FF7CACF3508
Source: C:\Users\user\Desktop\userinit.exe	Code function: 0_2_00007FF7CACF1AA0	0_2_00007FF7CACF1AA0
Source: C:\Users\user\Desktop\userinit.exe	Code function: 0_2_00007FF7CACF2160	0_2_00007FF7CACF2160
Source: C:\Users\user\Desktop\userinit.exe	Code function: 0_2_00007FF7CACF2AF4	0_2_00007FF7CACF2AF4

Source: userinit.exe

Binary or memory string: OriginalFilename vs userinit.exe

Source: classification engine

Classification label: clean4.winEXE@3/0@0/0

Source: C:\Users\user\Desktop\userinit.exe	Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\userinit.exe	Process created: C:\Windows\explorer.exe			Jump to behavior

Source: userinit.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\userinit.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\userinit.exe 'C:\Users\user\Desktop\userinit.exe'
Source: C:\Users\user\Desktop\userinit.exe	Process created: C:\Windows\explorer.exe C:\Windows\Explorer.EXE
Source: C:\Users\user\Desktop\userinit.exe	Process created: C:\Windows\explorer.exe C:\Windows\Explorer.EXE	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: userinit.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: userinit.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: userinit.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: userinit.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: userinit.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: userinit.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: userinit.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: userinit.exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: userinit.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: userinit.pdb source: userinit.exe
Source:	Binary string: userinit.pdbGCTL source: userinit.exe

Source: userinit.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: userinit.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: userinit.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: userinit.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: userinit.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: userinit.exe

Static PE information: 0xDAB0D298 [Sun Apr 7 12:35:36 2086 UTC]

Source: userinit.exe

Static PE information: section name: .didat

Source: C:\Windows\explorer.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\userinit.exe

Code function: 0_2_00007FF7CACF4210 DelayLoadFailureHook,LdrResolveDelayLoadedAPI,

0_2_00007FF7CACF4210

Source: C:\Users\user\Desktop\userinit.exe

Code function: 0_2_00007FF7CACF5134 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00007FF7CACF5134

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\userinit.exe	Code function: 0_2_00007FF7CACF4840 SetUnhandledExceptionFilter,_o__set_new_mode,	0_2_00007FF7CACF4840
Source: C:\Users\user\Desktop\userinit.exe	Code function: 0_2_00007FF7CACF5134 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7CACF5134
Source: C:\Users\user\Desktop\userinit.exe	Code function: 0_2_00007FF7CACF4E50 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7CACF4E50
Source: C:\Users\user\Desktop\userinit.exe	Code function: 0_2_00007FF7CACF5048 SetUnhandledExceptionFilter,	0_2_00007FF7CACF5048

Source: C:\Users\user\Desktop\userinit.exe

Code function: 0_2_00007FF7CACF1AA0 _o__wcsicmp,_o__wcsicmp,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,LoadLibraryExW,GetProcAddress,LocalAlloc,memmove,memset,WaitForSingleObject,CloseHandle,LocalFree,CreateProcessW,GetLastError,LoadLibraryExW,GetProcAddress,LocalAlloc,memmove,memset,LocalFree,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,RtlGetActiveConsoleId,LoadStringW,LoadStringW,

0_2_00007FF7CACF1AA0

Source: C:\Users\user\Desktop\userinit.exe

Code function: 0_2_00007FF7CACF4CF4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7CACF4CF4

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Exploitation for Privilege Escalation1	Process Injection1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection1	Timestomp1	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Security Software Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
userinit.exe	0%	Virustotal	Browse
userinit.exe	0%	Metadefender	Browse
userinit.exe	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.%s.comPA	explorer.exe, 00000002.00000002.212696191.0000000002BB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	437306
Start date:	20.06.2021
Start time:	11:06:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	userinit.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean4.winEXE@3/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 85.3% (good quality ratio 47.7%) Quality average: 39.5% Quality standard deviation: 41.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:07:18	API Interceptor	1x Sleep call for process: userinit.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	5.4587467520347674
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	userinit.exe
File size:	34816
MD5:	582a919ca5f944aa83895a5c633c122c
SHA1:	6d0c6aea6bce05166761085b1d612558f81d877a
SHA256:	eda7ee39d4db8142a1e0788e205e80ae798035d60273e74981e09e98c8d0e740
SHA512:	d4a4550d886ff49b4c3e382c1f30d260300cd29ead7716161a79a489292825e72015871556167e1ef51e47d95c3795de8108a2177b4a41559965dde25b2a51cd
SSDEEP:	768:i/J8uwEySKG/sMFii+6vLkkSSZ8q0NJNfKN6onrN:8J8uwEy+/sMFiPkXZZ0NbKN5nrN
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\|...............v.......v.......e.......v...............v.......v.......vb......v`......v......Rich...........................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x1400049e0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0xDAB0D298 [Sun Apr 7 12:35:36 2086 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	de7486657f39757c768dee3094e10ff8

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FDE9CD0CEE0h
dec eax
add esp, 28h
jmp 00007FDE9CD0CA43h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [000045F9h]
jne 00007FDE9CD0CBE5h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007FDE9CD0CBD5h
ret
dec eax
ror ecx, 10h
jmp 00007FDE9CD0D344h
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007FDE9CD0D608h
test eax, eax
je 00007FDE9CD0CBF3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007FDE9CD0CBD7h
dec eax
cmp ecx, eax
je 00007FDE9CD0CBE6h
xor eax, eax
dec eax
cmpxchg dword ptr [0000463Ch], ecx
jne 00007FDE9CD0CBC0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007FDE9CD0CBC9h
int3
int3
int3
int3
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [00004654h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [00004644h], al
call 00007FDE9CD0D42Bh
call 00007FDE9CD0CF16h
test al, al
jne 00007FDE9CD0CBD6h
xor al, al
jmp 00007FDE9CD0CBE6h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7a88	0x208	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x780	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xa000	0x33c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd000	0x74	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6fe0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x6080	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6198	0x358	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x76bc	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x46a4	0x4800	False	0.522026909722	data	6.01952638856	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x6000	0x29da	0x2a00	False	0.357235863095	data	4.22618852865	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x750	0x200	False	0.091796875	data	0.430258832786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0xa000	0x33c	0x400	False	0.4716796875	data	3.55134710275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0xb000	0xc8	0x200	False	0.158203125	data	1.18158667042	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x780	0x800	False	0.4365234375	data	4.00412475237	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd000	0x74	0x200	False	0.220703125	data	1.36397493022	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
MUI	0xc6b8	0xc8	data	English	United States
RT_VERSION	0xc310	0x3a4	data	English	United States
RT_MANIFEST	0xc0f0	0x21b	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
ntdll.dll	RtlCaptureContext, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlGetActiveConsoleId
api-ms-win-core-file-l1-1-0.dll	CompareFileTime, GetFileAttributesExW
api-ms-win-core-processenvironment-l1-1-0.dll	SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetEnvironmentVariableW, SearchPathW
api-ms-win-core-registry-l1-1-0.dll	RegOpenKeyExW, RegQueryValueExW, RegCloseKey, RegQueryInfoKeyW, RegEnumValueW
api-ms-win-core-errorhandling-l1-1-0.dll	UnhandledExceptionFilter, GetLastError, SetUnhandledExceptionFilter, SetLastError
api-ms-win-core-processthreads-l1-1-0.dll	TerminateProcess, GetStartupInfoW, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId, SetThreadPriority, CreateThread, GetCurrentProcessId, CreateProcessW
api-ms-win-eventing-classicprovider-l1-1-0.dll	RegisterTraceGuidsW, GetTraceEnableLevel, GetTraceEnableFlags, UnregisterTraceGuids, TraceMessage, GetTraceLoggerHandle
api-ms-win-core-synch-l1-1-0.dll	WaitForSingleObject, OpenEventW
api-ms-win-core-heap-l2-1-0.dll	LocalFree, LocalAlloc
api-ms-win-core-string-l2-1-0.dll	CharNextW
api-ms-win-core-sysinfo-l1-1-0.dll	GetSystemDirectoryW, GetSystemTimeAsFileTime
api-ms-win-core-synch-l1-2-0.dll	Sleep
api-ms-win-core-handle-l1-1-0.dll	CloseHandle
api-ms-win-core-heap-l1-1-0.dll	HeapSetInformation
api-ms-win-core-libraryloader-l1-2-0.dll	FreeLibrary, LoadLibraryExW, GetModuleHandleW, LoadStringW, GetProcAddress
api-ms-win-crt-runtime-l1-1-0.dll	_c_exit, _register_thread_local_exe_atexit_callback, _initterm, _initterm_e
api-ms-win-crt-private-l1-1-0.dll	_o___p__commode, _o__cexit, _o__configthreadlocale, _o__configure_narrow_argv, _o__crt_atexit, _o__exit, _o__get_narrow_winmain_command_line, _o__initialize_narrow_environment, _o__initialize_onexit_table, memmove, _o__register_onexit_function, _o__seh_filter_exe, _o__set_app_type, _o__set_fmode, _o__set_new_mode, _o__wcsicmp, _o__wtoi, _o_exit, _o_terminate, __C_specific_handler, memcmp
api-ms-win-crt-string-l1-1-0.dll	memset
api-ms-win-core-profile-l1-1-0.dll	QueryPerformanceCounter
api-ms-win-core-interlocked-l1-1-0.dll	InitializeSListHead
api-ms-win-core-debug-l1-1-0.dll	IsDebuggerPresent
api-ms-win-core-processthreads-l1-1-1.dll	IsProcessorFeaturePresent
api-ms-win-core-delayload-l1-1-1.dll	ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0.dll	DelayLoadFailureHook
api-ms-win-core-apiquery-l1-1-0.dll	ApiSetQueryApiSetPresence

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName	userinit
FileVersion	10.0.19041.1 (WinBuild.160101.0800)
CompanyName	Microsoft Corporation
ProductName	Microsoft Windows Operating System
ProductVersion	10.0.19041.1
FileDescription	Userinit Logon Application
OriginalFilename	USERINIT.EXE
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• userinit.exe
• explorer.exe

Click to jump to process

Memory Usage

• userinit.exe
• explorer.exe

Click to jump to process

Behavior

• userinit.exe
• explorer.exe

Click to jump to process

System Behavior

Analysis Process: userinit.exe PID: 5720 Parent PID: 5644

Function Logs

General

Start time:	11:07:17
Start date:	20/06/2021
Path:	C:\Users\user\Desktop\userinit.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\userinit.exe'
Imagebase:	0x7ff7cacf0000
File size:	34816 bytes
MD5 hash:	582A919CA5F944AA83895A5C633C122C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Created

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: explorer.exe PID: 3704 Parent PID: 5720

Function Logs

General

Start time:	11:07:18
Start date:	20/06/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Analysis Process: userinit.exe PID: 5720 Parent PID: 5644 userinit.exeCOMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	21.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	51.7%
Total number of Nodes:	393
Total number of Limit Nodes:	8

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF7CACF1AA0, Relevance: 65.1, APIs: 27, Strings: 10, Instructions: 395
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7CACF1AF6
_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7CACF1B17
ExpandEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CACF1B37
ExpandEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CACF1B6C
LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7CACF1BD4
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7CACF1BF3
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF1C32
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7CACF1CBF
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7CACF1CCE
WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7CACF1D24
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7CACF1D34
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF1D43
CreateProcessW.KERNELBASE ref: 00007FF7CACF1DEB
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CACF1E02
LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7CACF1E45
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7CACF1E64
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF1E9A
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7CACF1F2A
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7CACF1F39
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF1FA1
WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7CACF1FC9
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7CACF1FDA
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7CACF1FF0
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CACF2049

Part of subcall function 00007FF7CACF13F8: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FF7CACF146A

RtlGetActiveConsoleId.NTDLL ref: 00007FF7CACF2071
LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7CACF20E2
LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7CACF20FF

Strings

explorer.exe, xrefs: 00007FF7CACF1B0D
", xrefs: 00007FF7CACF1C97
", xrefs: 00007FF7CACF1CA0
open, xrefs: 00007FF7CACF1CE1
ShellExecuteExW, xrefs: 00007FF7CACF1BE9, 00007FF7CACF1E5A
shell32.dll, xrefs: 00007FF7CACF1BC8, 00007FF7CACF1E3C
explorer, xrefs: 00007FF7CACF1AE1
%SystemRoot%\Explorer.EXE, xrefs: 00007FF7CACF1B65
, xrefs: 00007FF7CACF1DC4
runas, xrefs: 00007FF7CACF1F4F

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID: LoadLocal$CloseHandle$AddressAllocEnvironmentErrorExpandFreeLastLibraryObjectProcSingleStringStringsWait_o__wcsicmpmemmovememset$ActiveConsoleCreateMessageProcessTrace
String ID: $"$"$%SystemRoot%\Explorer.EXE$ShellExecuteExW$explorer$explorer.exe$open$runas$shell32.dll
API String ID: 3801008283-886464932
Opcode ID: 3671fb4684cd894fdc8cddf77b9f5508a1caa0134d8b2da5796cf419b21a5702
Instruction ID: 59e8f2d70f980aebdb3016f1f83b208544031ca6262391c630caa0229f5f09c8
Opcode Fuzzy Hash: 3671fb4684cd894fdc8cddf77b9f5508a1caa0134d8b2da5796cf419b21a5702
Instruction Fuzzy Hash: 48022C66A0468386FB20AF25FC702B9A7A0FB45BA6F849175DB0E07794DF3CD545C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CACF2160, Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 325
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF21BE
_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7CACF2209
RegOpenKeyExW.KERNELBASE ref: 00007FF7CACF2248
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF2269
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF22DE
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF22F0
RegOpenKeyExW.KERNELBASE ref: 00007FF7CACF23E6

Strings

explorer.exe, xrefs: 00007FF7CACF2503
vmapplet, xrefs: 00007FF7CACF25E0
ppishell.exe, xrefs: 00007FF7CACF251D
Software\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00007FF7CACF230C
shell, xrefs: 00007FF7CACF21FF, 00007FF7CACF24CF
explorer, xrefs: 00007FF7CACF24E9
Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells, xrefs: 00007FF7CACF223A
Software\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00007FF7CACF23D8

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID: Local$AllocOpen$CloseFree_o__wcsicmp
String ID: Software\Microsoft\Windows NT\CurrentVersion\Winlogon$Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells$Software\Microsoft\Windows\CurrentVersion\Policies\System$explorer$explorer.exe$ppishell.exe$shell$vmapplet
API String ID: 3259011260-3257140396
Opcode ID: 4e2518c447c17fca4c72f974f4facb013e122bda8730122c5649995d94aa8e68
Instruction ID: 6c695c10e2408a7d152b2312b1247b3d6040ad672b435bbd6b2ffa8f7b0658ce
Opcode Fuzzy Hash: 4e2518c447c17fca4c72f974f4facb013e122bda8730122c5649995d94aa8e68
Instruction Fuzzy Hash: 26E14F72A046438AFB20AF65F8301B9FAA4FB49BAAB8091B5DF4D43754DF38D5458720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CACF3810, Relevance: 49.3, APIs: 21, Strings: 7, Instructions: 320
registrythreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterTraceGuidsW.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FF7CACF38C6
HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7CACF3910
SetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CACF39CD
SetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CACF39E2
SetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CACF39F7
SetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CACF3A68
SetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CACF3ADF
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF3B0C
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF3B1B
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF3B2A
GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7CACF3B36
SetThreadPriority.KERNELBASE ref: 00007FF7CACF3B4A
RtlGetActiveConsoleId.NTDLL ref: 00007FF7CACF3B5F
CreateThread.KERNELBASE ref: 00007FF7CACF3BA9
WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7CACF3BC5
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7CACF3C08
RegOpenKeyExW.KERNELBASE ref: 00007FF7CACF3C34
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF3C77
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF3CCA
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7CACF3CDE
UnregisterTraceGuids.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FF7CACF3D08

Strings

UserInitLogonServer, xrefs: 00007FF7CACF3942, 00007FF7CACF39C6
proquota.exe, xrefs: 00007FF7CACF3C93
UserInitMprLogonScript, xrefs: 00007FF7CACF395D, 00007FF7CACF39F0
UserInitLogonScript, xrefs: 00007FF7CACF394E, 00007FF7CACF39DB
SEE_MASK_NOZONECHECKS, xrefs: 00007FF7CACF3A61, 00007FF7CACF3AD8
EnableProfileQuota, xrefs: 00007FF7CACF3C69
Software\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00007FF7CACF3C26

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID: EnvironmentVariable$Free$LocalThread$CloseGuidsTrace$ActiveConsoleCreateCurrentHandleHeapInformationLibraryObjectOpenPriorityQueryRegisterSingleUnregisterValueWait
String ID: EnableProfileQuota$SEE_MASK_NOZONECHECKS$Software\Microsoft\Windows\CurrentVersion\Policies\System$UserInitLogonScript$UserInitLogonServer$UserInitMprLogonScript$proquota.exe
API String ID: 1507677608-207743033
Opcode ID: b2cf6fbce3b4c5daabd5f248a9ad3e5b679487909a31867431a04e140a59309a
Instruction ID: a209b377ad7d0a379a934d07cb5d99ada475accaba273b940971ac3fab9c23b4
Opcode Fuzzy Hash: b2cf6fbce3b4c5daabd5f248a9ad3e5b679487909a31867431a04e140a59309a
Instruction Fuzzy Hash: 04E12A25A08A4396FB20AF61FC302B9BBA1FB49B66B8541B5CB1E07754DF3CE445C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CACF3508, Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 175
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE ref: 00007FF7CACF3563
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF35A7
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF35B8
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF35E8
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF3628
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF3648
SetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CACF3663
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CACF3678

Strings

UseAlternateShell, xrefs: 00007FF7CACF35A0
system\currentcontrolset\control\safeboot\option, xrefs: 00007FF7CACF354F
AlternateShell, xrefs: 00007FF7CACF3621
SEE_MASK_NOZONECHECKS, xrefs: 00007FF7CACF365C
system\currentcontrolset\control\safeboot, xrefs: 00007FF7CACF35DE
shell, xrefs: 00007FF7CACF372A, 00007FF7CACF3757
AppSetup, xrefs: 00007FF7CACF36AC, 00007FF7CACF36CC
explorer, xrefs: 00007FF7CACF3746

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID: CloseOpenQueryValue$EnvironmentErrorLastVariable
String ID: AlternateShell$AppSetup$SEE_MASK_NOZONECHECKS$UseAlternateShell$explorer$shell$system\currentcontrolset\control\safeboot$system\currentcontrolset\control\safeboot\option
API String ID: 3616681137-4279120229
Opcode ID: ce15510e2db2788dd4d7b0c8398f2c13418dab4e0f7ffe930aa35abfd04bb8a5
Instruction ID: 9cc93235482ab0fce2bf526396345def5b380ded0a973c7a12145ca9213a9c76
Opcode Fuzzy Hash: ce15510e2db2788dd4d7b0c8398f2c13418dab4e0f7ffe930aa35abfd04bb8a5
Instruction Fuzzy Hash: 39815C36A1868296F730AF10F8702AAFBA0FB89B66F845176EB5D43754DF3CD5048B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CACF4210, Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrResolveDelayLoadedAPI.NTDLL ref: 00007FF7CACF423B

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID: DelayLoadedResolve
String ID:
API String ID: 841769287-0
Opcode ID: 93bb99eb02f8b2f20dfc0d081ec6c061b469aa61c3ab15fae47f36d67b42f284
Instruction ID: 08cfee7eb545aa8036e5baada3b7d47cfb949c8ebd619366db2465f3bbc4a7fe
Opcode Fuzzy Hash: 93bb99eb02f8b2f20dfc0d081ec6c061b469aa61c3ab15fae47f36d67b42f284
Instruction Fuzzy Hash: ECE0B674908A8286E760AF00FC602A8BB60FB49B66FC041B2DA4D53324DB3CE1548B14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CACF4840, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00007FF7CACF4849

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d11b5a4f9c4712badee40a5d4a63f2025afce6ab620ec5fbd4adf4bf31438fa7
Instruction ID: 616a74297e4922554549f569b8b87697df038f4ebe7f90ad375dc1e76ab5ba2c
Opcode Fuzzy Hash: d11b5a4f9c4712badee40a5d4a63f2025afce6ab620ec5fbd4adf4bf31438fa7
Instruction Fuzzy Hash: FDC04800E0E48781F928BBA9AC720B890A18F84322F9140B1D30A052829E1CA0D656B2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CACF3D60, Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 104
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE ref: 00007FF7CACF3D8D
RegQueryValueExW.KERNELBASE ref: 00007FF7CACF3DC8
RegCloseKey.KERNELBASE ref: 00007FF7CACF3DD8
RegOpenKeyExW.KERNELBASE ref: 00007FF7CACF3E04
RegQueryValueExW.KERNELBASE ref: 00007FF7CACF3E3F
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF3E4F
RegOpenKeyExW.KERNELBASE ref: 00007FF7CACF3E7B
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF3EB6
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF3EC6
RegOpenKeyExW.KERNELBASE ref: 00007FF7CACF3EF2
RegQueryValueExW.KERNELBASE ref: 00007FF7CACF3F2D
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF3F3D

Strings

Software\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00007FF7CACF3D7F, 00007FF7CACF3DF6
RunLogonScriptSync, xrefs: 00007FF7CACF3DC1, 00007FF7CACF3E38, 00007FF7CACF3EAF, 00007FF7CACF3F26
Software\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00007FF7CACF3E6D, 00007FF7CACF3EE4

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: RunLogonScriptSync$Software\Microsoft\Windows NT\CurrentVersion\Winlogon$Software\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 3677997916-9610738
Opcode ID: 4765b1ef0356130dd7c0c661ee016ef5ae3e84bbe7283ee852593ccbbe96a689
Instruction ID: d35c1479da1d2178484f886f21d2008b809983e03699d2814aee872861eb29ef
Opcode Fuzzy Hash: 4765b1ef0356130dd7c0c661ee016ef5ae3e84bbe7283ee852593ccbbe96a689
Instruction Fuzzy Hash: 85514E36614F82CAE7209F24FC606E9BB64FB49BADB805661EB5D03B58DF38C158C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CACF4860, Relevance: 13.6, APIs: 9, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF7CACF486F
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7CACF4884
__scrt_release_startup_lock.LIBCMT ref: 00007FF7CACF48F2
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7CACF4940
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7CACF4945
_o__get_narrow_winmain_command_line.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7CACF494D
__scrt_is_managed_app.LIBCMT ref: 00007FF7CACF4968
_o__cexit.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7CACF4976
_o__exit.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF7CACF49CB

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_o__cexit_o__exit_o__get_narrow_winmain_command_line_register_thread_local_exe_atexit_callback
String ID:
API String ID: 440016081-0
Opcode ID: c13b7957b7959a2ec58412d2dfc6139ab77b22aea6d3fcbf5a511fa15e3523a5
Instruction ID: 5f108f3b841acf03be83da76f4350f7c4cf2f22217b09e9bdabd8353c5dc36c3
Opcode Fuzzy Hash: c13b7957b7959a2ec58412d2dfc6139ab77b22aea6d3fcbf5a511fa15e3523a5
Instruction Fuzzy Hash: 10313721E0C14342FA34BF65BE323B992919F41367FC540B4EB4D4B2D7DE2CE5448268

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CACF3460, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CACF3477
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF7CACF3492
OpenEventW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7CACF34AE
WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7CACF34C8
SleepEx.KERNEL32 ref: 00007FF7CACF34D9
FindCloseChangeNotification.KERNELBASE ref: 00007FF7CACF34E8

Strings

ShellReadyEvent, xrefs: 00007FF7CACF34A0

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID: Sleep$ChangeCloseErrorEventFindLastNotificationObjectOpenSingleWait
String ID: ShellReadyEvent
API String ID: 2687421862-1261732978
Opcode ID: 10a495b60e8e428bbd2be499752901390e2e49cd04536530c5dc126d06addbfe
Instruction ID: 83c6799d242c0eb2b0df9405d9f09095d7d8c872a10da0357bf862e686641d23
Opcode Fuzzy Hash: 10a495b60e8e428bbd2be499752901390e2e49cd04536530c5dc126d06addbfe
Instruction Fuzzy Hash: 2601C031908A8386F6256F65BC741B8FEA1FB8DB62F9591B0DB2E02390CF3CD4458610

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF7CACF2AF4, Relevance: 53.0, APIs: 24, Strings: 6, Instructions: 548registrymemoryCOMMON

Download Yara Rule

APIs

LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF2BBA
GetFileAttributesExW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CACF2C45
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CACF2C59
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF2C91
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF2CCC
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF2CDC
GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CACF2D12
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF2D32
GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CACF2D5B
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF2EE6
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF2F13
SetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CACF30A3
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF30B3
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF30C2
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF30D7

Strings

\NETLOGON, xrefs: 00007FF7CACF2C25, 00007FF7CACF2F3C
USERDNSDOMAIN, xrefs: 00007FF7CACF2D09, 00007FF7CACF2D51
Allow-LogonScript-NetbiosDisabled, xrefs: 00007FF7CACF2CC5
PATH, xrefs: 00007FF7CACF309C, 00007FF7CACF32DF
\repl\import\scripts, xrefs: 00007FF7CACF3206
SOFTWARE\Policies\Microsoft\Windows\System, xrefs: 00007FF7CACF2C83

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID: Local$Free$AllocEnvironmentVariable$AttributesCloseErrorFileLastOpenQueryValue
String ID: Allow-LogonScript-NetbiosDisabled$PATH$SOFTWARE\Policies\Microsoft\Windows\System$USERDNSDOMAIN$\NETLOGON$\repl\import\scripts
API String ID: 4015385786-3418099841
Opcode ID: 627a114f3c00b09b00ef0ec4e8859f7e0e534448e4d6d46adfa038e879fdf565
Instruction ID: cc3ef70c97a2bc07e594e121a74f9f1cef1fb0607ab03314c7c621ac1ddf8424
Opcode Fuzzy Hash: 627a114f3c00b09b00ef0ec4e8859f7e0e534448e4d6d46adfa038e879fdf565
Instruction Fuzzy Hash: 03328321B0864396FB24AF55B8342B8E6A1FB85B66F8481B1CF1E57794CF3DE446C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CACF4E50, Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1 ref: 00007FF7CACF4E6C
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7CACF4E90
RtlCaptureContext.NTDLL ref: 00007FF7CACF4E99
RtlLookupFunctionEntry.NTDLL ref: 00007FF7CACF4EB3
RtlVirtualUnwind.NTDLL ref: 00007FF7CACF4EF4
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7CACF4F27
IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FF7CACF4F48
SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CACF4F69
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CACF4F74

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: e0b8972ff7a70815053e7c724945b1b0a32d63dd51f2c1a529038b7d9801c354
Instruction ID: a9a3ad0d6981f86b8e8ee030742bff38d0ad343bfdb2802c598c7acdd5414565
Opcode Fuzzy Hash: e0b8972ff7a70815053e7c724945b1b0a32d63dd51f2c1a529038b7d9801c354
Instruction Fuzzy Hash: 4A313D72609A828AFB70AF60F8603E9B365FB44755F844039DB4E47A99DF3CD5488724

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CACF5134, Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,?,00000000,00007FF7CACF526D,?,?,?,?,?,?,00007FF7CACF1A21), ref: 00007FF7CACF513D
SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF7CACF526D,?,?,?,?,?,?,00007FF7CACF1A21), ref: 00007FF7CACF5155
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF7CACF526D,?,?,?,?,?,?,00007FF7CACF1A21), ref: 00007FF7CACF515E
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00007FF7CACF526D,?,?,?,?,?,?,00007FF7CACF1A21), ref: 00007FF7CACF5177

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CurrentDebuggerPresentProcess
String ID:
API String ID: 2506494423-0
Opcode ID: dd926c364275d3360961f7cc15aa94a42270551985408ec8dcf3464d3fe8a9ce
Instruction ID: d83765bc9a7ffe30bd7b107036a88d80b84f0a9a1b8a0bb9cfeff9f793d3e114
Opcode Fuzzy Hash: dd926c364275d3360961f7cc15aa94a42270551985408ec8dcf3464d3fe8a9ce
Instruction Fuzzy Hash: 7DF0C964E086478AFFB87F71BC352B4E251AF58727F8050B4CB1E462A2DF3DE4858624

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CACF5048, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df67833994c74a3163f04f3aaf58e4c3cf2f499fd52d2db9b0209ccdeddc690
Instruction ID: 8ad62632e19b20cc38f9b195ba2f9c781792befcb32fd1a8edd8cb623759501b
Opcode Fuzzy Hash: 9df67833994c74a3163f04f3aaf58e4c3cf2f499fd52d2db9b0209ccdeddc690
Instruction Fuzzy Hash: 74A0012194884BD0FAA4AF00FC701A0A630AB60322BC440B1D20D410A19E3CE5508264

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CACF3F5C, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 98registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,?,00007FF7CACF22AB), ref: 00007FF7CACF3FAD
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,?,00007FF7CACF22AB), ref: 00007FF7CACF3FDC
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,?,00007FF7CACF22AB), ref: 00007FF7CACF4028
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,?,00007FF7CACF22AB), ref: 00007FF7CACF405E
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,?,00007FF7CACF22AB), ref: 00007FF7CACF409C
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,?,00007FF7CACF22AB), ref: 00007FF7CACF40AC

Strings

Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells, xrefs: 00007FF7CACF3FD2
shell, xrefs: 00007FF7CACF3FF9
Software\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00007FF7CACF3F99
DefaultShell, xrefs: 00007FF7CACF404F

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: DefaultShell$Software\Microsoft\Windows NT\CurrentVersion\Winlogon$Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells$shell
API String ID: 3677997916-136753063
Opcode ID: 7858074df4e10e24586f10750b9ef7d979d44be245a17e1228396b058c6a1270
Instruction ID: e41a6830579b5cd1ba3ba65674e498cb79f61521b3c9eeedbb72515f1b8b5100
Opcode Fuzzy Hash: 7858074df4e10e24586f10750b9ef7d979d44be245a17e1228396b058c6a1270
Instruction Fuzzy Hash: A8417132614B82CBE7209F25EC605AC7BA4F749BA9B915171EF0D43B14DF39D949C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CACF1898, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 87registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF18E1
RegQueryInfoKeyW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF1959
CompareFileTime.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7CACF197D
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF19A4
LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7CACF19C0
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7CACF19DE
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF7CACF1A01

Strings

RegenerateUserEnvironment, xrefs: 00007FF7CACF19D4
shell32.dll, xrefs: 00007FF7CACF19B7
Volatile Environment, xrefs: 00007FF7CACF18D1

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID: Library$AddressCloseCompareFileFreeInfoLoadOpenProcQueryTime
String ID: RegenerateUserEnvironment$Volatile Environment$shell32.dll
API String ID: 824502923-3236955824
Opcode ID: 2f3634f14421d4b585d8319558cf01f56c5642d7bd9f4db8640153dadd26c789
Instruction ID: 6556130945a561e2c7a408ec1edaf530ad037f113d953287613aa7b1f16e66f2
Opcode Fuzzy Hash: 2f3634f14421d4b585d8319558cf01f56c5642d7bd9f4db8640153dadd26c789
Instruction Fuzzy Hash: 4941EC32608B828AFB209F64F8A02EAB7A4FB89765F905176DB4D03764DF3CD544CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CACF29DC, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF2A16
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF2A51
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF2A61
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF2A8D
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF2AC8
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7CACF2AD8

Strings

HideLegacyLogonScripts, xrefs: 00007FF7CACF2A4A, 00007FF7CACF2AC1
Software\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00007FF7CACF2A08
Software\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00007FF7CACF2A7F

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: HideLegacyLogonScripts$Software\Microsoft\Windows NT\CurrentVersion\Winlogon$Software\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 3677997916-1061083731
Opcode ID: 807509616fe7760d1741dbd0e01b0cfa376816c5fe136a25777ab2c94a1d921c
Instruction ID: e213e93803006625e66389ae1ba04210b4fa146a89ed24fbc57d9e62388334c0
Opcode Fuzzy Hash: 807509616fe7760d1741dbd0e01b0cfa376816c5fe136a25777ab2c94a1d921c
Instruction Fuzzy Hash: BA315036610B82CAE7209F24E8605E8BBA4FB48BADF815271EB5D03B14DF38C559CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CACF15C8, Relevance: 9.1, APIs: 6, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CACF15E4
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CACF1619

Part of subcall function 00007FF7CACF13F8: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FF7CACF146A

LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF164B
GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CACF169D
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CACF16CF
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF1740

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID: EnvironmentErrorLastLocalVariable$AllocFreeMessageTrace
String ID:
API String ID: 1850701359-0
Opcode ID: eabd62337342e66fa472a93f139bb365c86e98a87e26ad5ca02775a4f01bd9a0
Instruction ID: 88c09cb7e362c1d597d4d27c40bec78b7973b3640d49155a81699c2b938a53d5
Opcode Fuzzy Hash: eabd62337342e66fa472a93f139bb365c86e98a87e26ad5ca02775a4f01bd9a0
Instruction Fuzzy Hash: 7A413225A0868385FB24AF55F834278A6A1FB88B6AF9440B5CB0D437A5DF3CD545CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CACF1770, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7CACF15C8: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CACF15E4
Part of subcall function 00007FF7CACF15C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CACF1619

LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF17D4

Strings

PATH, xrefs: 00007FF7CACF178E, 00007FF7CACF1866

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID: AllocEnvironmentErrorLastLocalVariable
String ID: PATH
API String ID: 2429098489-1036084923
Opcode ID: 7da99daa9d6e0992d2e76a31abb92a0fcb8881839cf1d9b865885f2e3c5e5ead
Instruction ID: 0676346dc4f9b8fe682c538a3a4e9d238acf64261b11e06815f54665c130f522
Opcode Fuzzy Hash: 7da99daa9d6e0992d2e76a31abb92a0fcb8881839cf1d9b865885f2e3c5e5ead
Instruction Fuzzy Hash: EE318F62A08A8385FA20AF12BD341B8E7A1EB45BB2F998575DF1D173A5DF3CE441C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CACF27C8, Relevance: 6.2, APIs: 4, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF282D
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF28F2
CharNextW.API-MS-WIN-CORE-STRING-L2-1-0 ref: 00007FF7CACF2914

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID: Local$AllocCharFreeNext
String ID:
API String ID: 422492427-0
Opcode ID: 38999f0cdbad300d6fda5663c7c60c71649f3953fe1fa07f7674ca3d42c94aec
Instruction ID: 38ad93a9c6353c3134e238853e097840691b62037554c9c0b9802afb8247ca97
Opcode Fuzzy Hash: 38999f0cdbad300d6fda5663c7c60c71649f3953fe1fa07f7674ca3d42c94aec
Instruction Fuzzy Hash: B5518061B0868342FA34BF16BC34279E691BB84BA6F944175DF4E037A5DE3CE4438714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7CACF265C, Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF2683
SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7CACF26E9
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7CACF271F
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7CACF2797

Part of subcall function 00007FF7CACF1484: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FF7CACF14B4

Memory Dump Source

Source File: 00000000.00000002.210520613.00007FF7CACF1000.00000020.00020000.sdmp, Offset: 00007FF7CACF0000, based on PE: true

Associated: 00000000.00000002.210516117.00007FF7CACF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210526536.00007FF7CACF6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210534126.00007FF7CACF9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.210537343.00007FF7CACFA000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7cacf0000_userinit.jbxd

Similarity

API ID: Local$AllocErrorFreeLastMessagePathSearchTrace
String ID:
API String ID: 1310823647-0
Opcode ID: a26e1181dfde8ae14beaf9ae0e051144d4827136ac4adf754b7674f59ee49d86
Instruction ID: d0733b21e69d55074f76ab4ec8c20e1e11c8ecf16d449d34c8d3745dcd42f16a
Opcode Fuzzy Hash: a26e1181dfde8ae14beaf9ae0e051144d4827136ac4adf754b7674f59ee49d86
Instruction Fuzzy Hash: 3F414F7160878385FA34AF05F834279AAA1EB89BAAF944175DB4D037A5CF3CD542CB24

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report userinit.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: userinit.exe PID: 5720 Parent PID: 5644

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows