Windows
Analysis Report
SIHClient.exe
Overview
General Information
Detection
Score: | 5 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w10x64
SIHClient.exe (PID: 5084 cmdline: "C:\Users\user\Desktop\SIHClient.exe" -install MD5: 8AEE6ED82E9C28DE53ABF8C95767D49A)
SIHClient.exe (PID: 6292 cmdline: "C:\Users\user\Desktop\SIHClient.exe" /install MD5: 8AEE6ED82E9C28DE53ABF8C95767D49A)
SIHClient.exe (PID: 1100 cmdline: "C:\Users\user\Desktop\SIHClient.exe" /load MD5: 8AEE6ED82E9C28DE53ABF8C95767D49A)
- cleanup
- Cryptography
- Compliance
- Spreading
- System Summary
- Data Obfuscation
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
There are no malicious signatures.
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 2 Command and Scripting Interpreter | Path Interception | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 11 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 3 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Timestomp | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Obfuscated Files or Information | NTDS | 14 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Virustotal | | |
| 0% | ReversingLabs | | |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 601286 |
Start date and time: | 2022-04-01 07:44:50 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 15s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | SIHClient.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Cmdline fuzzy |
Number of new started processes analysed: | 19 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | CLEAN |
Classification: | clean5.winEXE@3/0@0/0 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
- Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
- Execution Graph export aborted for target SIHClient.exe, PID 5084 because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
File type: | |
Entropy (8bit): | 6.291367203090324 |
TrID: | |
File name: | SIHClient.exe |
File size: | 363728 |
MD5: | 8aee6ed82e9c28de53abf8c95767d49a |
SHA1: | 8df79adeeefe41c118fc518fc33719a953207d77 |
SHA256: | d970ddc3faf1d1d4bdd194210aaa952e4ee4b33fa242c6569e5e415122e8b430 |
SHA512: | 55abdc4b0908413cd6aeeea6fef677e0b6c9f53868b992bb9d555ac997ff10ae3319a6fe769b6a514d6ccbdfeee0b287dc42cc7ae946aebe20b77bbd2b58fb18 |
SSDEEP: | 6144:bEz/gXy/yq1bPid3Qk6Sa+0ej9bv9gOlS4OeAWjDpMSEXK+00teFkTMjFr:bEDKy0CtlG1veOUZQ2a+58WTYr |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:...~.y.~.y.~.y.w.....y.j.}.l.y.j.z.}.y.~.x...y.j.x.}.y.j.q...y.j.|.[.y.j.....y.j.....y.j.{...y.Rich~.y........................ |
Icon Hash: | 00828e8e8686b000 |
Entrypoint: | 0x1400395d0 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA |
Time Stamp: | 0x6FF0BBED [Fri Jul 6 15:55:25 2029 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 10 |
OS Version Minor: | 0 |
File Version Major: | 10 |
File Version Minor: | 0 |
Subsystem Version Major: | 10 |
Subsystem Version Minor: | 0 |
Import Hash: | 8a9daf162bb80653251f03ba60c68346 |
Signature Valid: | true |
Signature Issuer: | CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Version: | 3 |
Thumbprint MD5: | 02268E6FDDE7F2D06838DFDB7B75889B |
Thumbprint SHA-1: | 7B2177E03D07812A5A5842565A647DB565F77BB8 |
Thumbprint SHA-256: | 9BBDE7210C366F12F75022F81F39BFB13547B2A32BEB7B0E6959DB964AD2E84E |
Serial: | 33000002F49E469C54137B85E00000000002F4 |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007FADE8AB470Ch |
dec eax |
add esp, 28h |
jmp 00007FADE8AB3E73h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
nop word ptr [eax+eax+00000000h] |
dec eax |
cmp ecx, dword ptr [0001C439h] |
jne 00007FADE8AB4025h |
dec eax |
rol ecx, 10h |
test cx, FFFFh |
jne 00007FADE8AB4015h |
ret |
dec eax |
ror ecx, 10h |
jmp 00007FADE8AB4184h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
jmp 00007FADE8AB4ABCh |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
dec eax |
sub esp, 38h |
dec eax |
mov dword ptr [esp+20h], FFFFFFFEh |
call 00007FADE8AB40ABh |
nop |
jmp 00007FADE8AB4014h |
xor eax, eax |
dec eax |
add esp, 38h |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
dec esp |
mov dword ptr [esp+18h], eax |
dec esp |
mov dword ptr [esp+20h], ecx |
push ebx |
push ebp |
push esi |
push edi |
dec eax |
sub esp, 38h |
dec ecx |
mov esi, eax |
dec eax |
lea ebp, dword ptr [esp+78h] |
dec eax |
mov ebx, edx |
dec eax |
mov edi, ecx |
call 00007FADE8AB3C64h |
dec eax |
mov dword ptr [esp+28h], ebp |
dec esp |
mov ecx, esi |
dec eax |
and dword ptr [esp+20h], 00000000h |
dec esp |
mov eax, ebx |
dec eax |
mov edx, edi |
dec eax |
mov ecx, dword ptr [eax] |
call 00007FADE8AB4E12h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x51340 | 0x474 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5b000 | 0x500 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x57000 | 0x231c | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x55a00 | 0x32d0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5c000 | 0x298 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4a930 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3f8b0 | 0x118 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3f9c8 | 0xb00 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x510a8 | 0xc0 | .rdata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x3c379 | 0x3c400 | False | 0.501604642116 | data | 6.3091707051 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.wpp_sf | 0x3e000 | 0x86 | 0x200 | False | 0.255859375 | data | 1.95295120882 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x3f000 | 0x151ae | 0x15200 | False | 0.357572115385 | data | 4.85475408256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x55000 | 0x1618 | 0xe00 | False | 0.313616071429 | data | 3.71460427153 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.pdata | 0x57000 | 0x231c | 0x2400 | False | 0.518988715278 | data | 5.50748530651 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.didat | 0x5a000 | 0x78 | 0x200 | False | 0.1015625 | data | 0.791454022548 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x5b000 | 0x500 | 0x600 | False | 0.384114583333 | data | 2.91484619843 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x5c000 | 0x298 | 0x400 | False | 0.458984375 | data | 4.06111320428 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
MUI | 0x5b438 | 0xc8 | data | English | United States |
RT_VERSION | 0x5b0b0 | 0x388 | data | English | United States |
DLL | Import |
---|---|
msvcp_win.dll | ?_Xinvalid_argument@std@@YAXPEBD@Z, ?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z, ?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ, ?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z, ?_Xout_of_range@std@@YAXPEBD@Z, ?_Xbad_function_call@std@@YAXXZ, ?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z, ?id@?$codecvt@GDU_Mbstatet@@@std@@2V0locale@2@A, ??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z, ??1?$codecvt@GDU_Mbstatet@@@std@@MEAA@XZ, ??0?$codecvt@GDU_Mbstatet@@@std@@QEAA@_K@Z, ?_Incref@facet@locale@std@@UEAAXXZ, ?out@?$codecvt@GDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBG1AEAPEBGPEAD3AEAPEAD@Z, ??Bid@locale@std@@QEAA_KXZ, ?_Xlength_error@std@@YAXPEBD@Z |
api-ms-win-crt-runtime-l1-1-0.dll | _c_exit, _initterm_e, _initterm, _register_thread_local_exe_atexit_callback |
api-ms-win-crt-private-l1-1-0.dll | _o__register_onexit_function, _o__seh_filter_exe, _o__set_app_type, _o__set_errno, _o__set_fmode, _o__set_new_mode, memmove, _o__wsplitpath_s, _o__wtoi, _o__wtoi64, _o__wtol, _o_exit, _o_free, _o_iswalnum, _o_iswalpha, _o_malloc, _o_qsort, _o_rand, _o_srand, _o_strncpy_s, _o_strtol, _o_terminate, _o_towlower, _o_wcscpy_s, _o_wcstoul, __C_specific_handler, __CxxFrameHandler3, _o__get_initial_wide_environment, _CxxThrowException, wcsrchr, _o__exit, _o__invalid_parameter_noinfo_noreturn, _o__errno, _o__invalid_parameter_noinfo, _o__initialize_wide_environment, _o__initialize_onexit_table, _o__crt_atexit, _o__configure_wide_argv, _o__configthreadlocale, _o__cexit, _o__callnewh, _o___stdio_common_vswprintf, _o___stdio_common_vsprintf_s, _o___stdio_common_vsnprintf_s, _o___std_exception_destroy, _o___std_exception_copy, _o___p__commode, _o___p___wargv, _o___p___argc, strchr, __std_terminate, __CxxFrameHandler4, memcmp, wcsstr, memcpy |
api-ms-win-crt-string-l1-1-0.dll | memset |
RPCRT4.dll | RpcStringFreeA, UuidCreate, UuidToStringA, UuidFromStringW |
api-ms-win-core-com-l1-1-0.dll | StringFromGUID2, CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoCreateGuid, CoInitializeEx, IIDFromString, CoTaskMemFree |
ntdll.dll | RtlGetDeviceFamilyInfoEnum, EtwTraceMessageVa, RtlIsStateSeparationEnabled |
api-ms-win-core-processthreads-l1-1-3.dll | GetProcessInformation |
api-ms-win-core-processthreads-l1-1-0.dll | GetCurrentThreadId, TerminateProcess, GetCurrentProcess, GetCurrentProcessId |
api-ms-win-core-synch-l1-2-0.dll | Sleep |
api-ms-win-eventing-provider-l1-1-0.dll | EventRegister, EventUnregister, EventSetInformation, EventWriteTransfer |
api-ms-win-core-debug-l1-1-0.dll | DebugBreak, IsDebuggerPresent, OutputDebugStringW |
api-ms-win-core-errorhandling-l1-1-0.dll | SetUnhandledExceptionFilter, GetLastError, SetLastError, UnhandledExceptionFilter |
api-ms-win-core-string-l1-1-0.dll | WideCharToMultiByte, MultiByteToWideChar, CompareStringW |
api-ms-win-core-rtlsupport-l1-1-0.dll | RtlVirtualUnwind, RtlCaptureContext, RtlLookupFunctionEntry |
api-ms-win-core-processthreads-l1-1-1.dll | IsProcessorFeaturePresent |
api-ms-win-core-profile-l1-1-0.dll | QueryPerformanceCounter |
api-ms-win-core-sysinfo-l1-1-0.dll | GetLocalTime, GetSystemDirectoryW, GetSystemTimeAsFileTime, GetSystemTime, GetTickCount64, GetSystemWindowsDirectoryW, GetVersionExW |
api-ms-win-core-interlocked-l1-1-0.dll | InitializeSListHead |
api-ms-win-core-libraryloader-l1-2-0.dll | GetModuleHandleW, FreeLibrary, GetModuleHandleExW, GetProcAddress, GetModuleFileNameA, LoadResource |
api-ms-win-core-heap-l1-1-0.dll | HeapFree, HeapAlloc, GetProcessHeap, HeapReAlloc |
api-ms-win-core-memory-l1-1-0.dll | UnmapViewOfFile, CreateFileMappingW, MapViewOfFileEx, MapViewOfFile |
api-ms-win-core-registry-l1-1-0.dll | RegDeleteValueW, RegQueryValueExW, RegEnumValueW, RegQueryInfoKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, RegCloseKey, RegOpenKeyExW |
api-ms-win-core-processenvironment-l1-1-0.dll | ExpandEnvironmentStringsW |
api-ms-win-core-sysinfo-l1-2-0.dll | GetNativeSystemInfo, GetProductInfo |
OLEAUT32.dll | SysStringLen, VariantInit, SysFreeString, SysAllocStringLen, SysAllocString, VariantClear |
api-ms-win-stateseparation-helpers-l1-1-0.dll | GetPersistedRegistryLocationW |
api-ms-win-core-timezone-l1-1-0.dll | FileTimeToSystemTime, SystemTimeToFileTime |
api-ms-win-security-base-l1-1-0.dll | CopySid, SetSecurityDescriptorDacl, CheckTokenMembership, DuplicateTokenEx, FreeSid, AllocateAndInitializeSid, RevertToSelf, InitializeSecurityDescriptor, ImpersonateLoggedOnUser, CreateWellKnownSid, IsValidSid, GetTokenInformation, InitializeAcl, GetLengthSid, AddAccessAllowedAceEx |
api-ms-win-security-sddl-l1-1-0.dll | ConvertSidToStringSidW, ConvertStringSidToSidW |
api-ms-win-core-heap-l2-1-0.dll | LocalAlloc, LocalFree |
api-ms-win-core-file-l1-1-0.dll | GetFileTime, CreateDirectoryW, FindNextFileW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetFileAttributesW, DeleteFileW, FindClose, GetDriveTypeW, GetFileType, SetFileTime, GetFinalPathNameByHandleW, GetFileSize, GetFileInformationByHandle, SetFileAttributesW, LocalFileTimeToFileTime, GetVolumePathNameW, ReadFile, SetFilePointer, SetFileInformationByHandle, WriteFile, CompareFileTime, GetFileSizeEx, CreateFileW, GetVolumeInformationW, FindFirstFileW, GetFileAttributesExW, GetTempFileNameW |
api-ms-win-core-version-l1-1-0.dll | GetFileVersionInfoExW, GetFileVersionInfoSizeExW, VerQueryValueW |
api-ms-win-core-libraryloader-l1-2-1.dll | LoadLibraryW, FindResourceW |
api-ms-win-core-kernel32-legacy-l1-1-0.dll | DosDateTimeToFileTime |
api-ms-win-core-synch-l1-1-0.dll | WaitForSingleObjectEx, CreateMutexW, ReleaseMutex, CreateSemaphoreExW, LeaveCriticalSection, CreateMutexExW, WaitForSingleObject, EnterCriticalSection, ReleaseSemaphore, DeleteCriticalSection, OpenMutexW, InitializeCriticalSection, OpenSemaphoreW |
api-ms-win-core-localization-l1-2-0.dll | GetLocaleInfoW, FormatMessageW |
api-ms-win-core-handle-l1-1-0.dll | CloseHandle |
api-ms-win-core-file-l2-1-0.dll | MoveFileExW |
api-ms-win-core-shlwapi-legacy-l1-1-0.dll | PathIsUNCW, PathStripToRootW, PathIsRelativeW, PathIsRootW |
api-ms-win-shell-shdirectory-l1-1-0.dll | |
api-ms-win-eventing-controller-l1-1-0.dll | ControlTraceW, StartTraceW, EnableTraceEx2 |
api-ms-win-core-file-l1-2-1.dll | GetCompressedFileSizeW |
api-ms-win-eventing-consumer-l1-1-0.dll | CloseTrace |
api-ms-win-core-shlwapi-obsolete-l1-1-0.dll | StrChrW, StrRChrW |
api-ms-win-core-namespace-l1-1-0.dll | CreateBoundaryDescriptorW, OpenPrivateNamespaceW, CreatePrivateNamespaceW, AddSIDToBoundaryDescriptor, DeleteBoundaryDescriptor, ClosePrivateNamespace |
WINHTTP.dll | WinHttpConnect, WinHttpReadData, WinHttpAddRequestHeaders, WinHttpQueryAuthSchemes, WinHttpOpenRequest, WinHttpOpen, WinHttpSetOption, WinHttpQueryOption, WinHttpReceiveResponse, WinHttpSetTimeouts, WinHttpQueryHeaders, WinHttpCrackUrl, WinHttpCloseHandle, WinHttpSetStatusCallback, WinHttpSendRequest |
WS2_32.dll | inet_addr, getnameinfo |
DNSAPI.dll | DnsSetNrptRules, DnsRemoveNrptRule, DnsFreeNrptRuleNamesList, DnsGetNrptRuleNamesList, DnsQuery_W, DnsFree, DnsFreeNrptRule |
api-ms-win-core-apiquery-l1-1-0.dll | ApiSetQueryApiSetPresence |
Cabinet.dll | |
api-ms-win-core-localization-obsolete-l1-2-0.dll | CompareStringA, EnumUILanguagesW |
CRYPT32.dll | CertGetCertificateChain, CertFreeCertificateChain, CryptHashPublicKeyInfo, CertFindCertificateInStore, CertOpenStore, CertVerifyCertificateChainPolicy, CertCloseStore, CertGetCertificateContextProperty, CertGetEnhancedKeyUsage, CertControlStore, CertFreeCertificateContext |
api-ms-win-security-cryptoapi-l1-1-0.dll | CryptAcquireContextW, CryptDestroyHash, CryptReleaseContext, CryptGetHashParam, CryptCreateHash, CryptHashData |
api-ms-win-core-delayload-l1-1-1.dll | ResolveDelayLoadedAPI |
api-ms-win-core-delayload-l1-1-0.dll | DelayLoadFailureHook |
Description | Data |
---|---|
LegalCopyright | Microsoft Corporation. All rights reserved. |
InternalName | SIH Client |
FileVersion | 10.0.19041.1503 (WinBuild.160101.0800) |
CompanyName | Microsoft Corporation |
ProductName | Microsoft Windows Operating System |
ProductVersion | 10.0.19041.1503 |
FileDescription | SIH Client |
OriginalFilename | sihclient.exe |
Translation | 0x0409 0x04b0 |
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Target ID: | 1 |
Start time: | 09:45:57 |
Start date: | 01/04/2022 |
Path: | C:\Users\user\Desktop\SIHClient.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff619550000 |
File size: | 363728 bytes |
MD5 hash: | 8AEE6ED82E9C28DE53ABF8C95767D49A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Target ID: | 4 |
Start time: | 09:46:00 |
Start date: | 01/04/2022 |
Path: | C:\Users\user\Desktop\SIHClient.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff619550000 |
File size: | 363728 bytes |
MD5 hash: | 8AEE6ED82E9C28DE53ABF8C95767D49A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Target ID: | 6 |
Start time: | 09:46:03 |
Start date: | 01/04/2022 |
Path: | C:\Users\user\Desktop\SIHClient.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff619550000 |
File size: | 363728 bytes |
MD5 hash: | 8AEE6ED82E9C28DE53ABF8C95767D49A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |