Create Interactive Tour

Windows Analysis Report
taskhost.exe

Overview

General Information

Sample Name:	taskhost.exe
Analysis ID:	771762
MD5:	7016acd1d0c1cc6acf45cbc6c90d0575
SHA1:	5647c86f30318b232b3819ded08fc5a9a171e0d9
SHA256:	b79e0890e5acffe7966bb32a6aaa415d6e334d0df5452debe6a867bb03451ea6
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses code obfuscation techniques (call, push, ret)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to call native functions

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

taskhost.exe (PID: 4844 cmdline: C:\Users\user\Desktop\taskhost.exe MD5: 7016ACD1D0C1CC6ACF45CBC6C90D0575)

cleanup

Joe Sandbox Signatures

• Compliance
• Software Vulnerabilities
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: taskhost.exe

Static PE information: certificate valid

Source: taskhost.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: taskhost.pdb source: taskhost.exe

Source: C:\Users\user\Desktop\taskhost.exe	Code function: 4x nop then int3		0_2_00007FF72705C63C
Source: C:\Users\user\Desktop\taskhost.exe	Code function: 4x nop then xor r13d, r13d		0_2_00007FF727052AF0

Source: taskhost.exe

Binary or memory string: OriginalFilename vs taskhost.exe

Source: C:\Users\user\Desktop\taskhost.exe	Code function: 0_2_00007FF727052240		0_2_00007FF727052240
Source: C:\Users\user\Desktop\taskhost.exe	Code function: 0_2_00007FF727051290		0_2_00007FF727051290

Source: C:\Users\user\Desktop\taskhost.exe	Code function: 0_2_00007FF727051290 SetUnhandledExceptionFilter,NtSetInformationProcess,CoInitializeEx,CreateEventW,memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,AllocateAndInitializeSid,RpcBindingSetAuthInfoExW,FreeSid,NdrClientCall3,NdrClientCall3,GetCurrentThreadId,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,ResetEvent,RpcAsyncInitializeHandle,Ndr64AsyncClientCall,WaitForSingleObject,RpcAsyncCompleteCall,CoUninitialize,GetProcessHeap,HeapFree,CloseHandle,NdrClientCall3,RpcBindingFree,GetLastError,GetLastError,RpcBindingFree,GetLastError,RpcAsyncCancelCall,WaitForSingleObject,GetLastError,Sleep,Sleep,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,		0_2_00007FF727051290
Source: C:\Users\user\Desktop\taskhost.exe	Code function: 0_2_00007FF7270522E0 NtdllDefWindowProc_W,PostQuitMessage,		0_2_00007FF7270522E0

Source: taskhost.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\taskhost.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: clean5.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\taskhost.exe

Code function: 0_2_00007FF727051F00 CoCreateInstance,GetCurrentThread,GetThreadPriority,GetCurrentThread,SetThreadPriority,GetCurrentThread,SetThreadPriority,

0_2_00007FF727051F00

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Source: taskhost.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: taskhost.exe

Static PE information: certificate valid

Source: taskhost.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: taskhost.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: taskhost.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: taskhost.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: taskhost.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: taskhost.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: taskhost.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: taskhost.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: taskhost.pdb source: taskhost.exe

Source: C:\Users\user\Desktop\taskhost.exe	Code function: 0_2_00007FF72705647B push rbx; ret		0_2_00007FF7270564C5
Source: C:\Users\user\Desktop\taskhost.exe	Code function: 0_2_00007FF7270564A3 push rbx; ret		0_2_00007FF7270564C5

Source: taskhost.exe

Static PE information: section name: .didat

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\taskhost.exe

Code function: 0_2_00007FF727052440 SysAllocString,SysAllocString,InitializeCriticalSection,memset,RegGetValueW,CreateThread,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,wcsstr,IsDebuggerPresent,DbgPrintEx,CloseHandle,GetLastError,SetEvent,

0_2_00007FF727052440

Source: C:\Users\user\Desktop\taskhost.exe

Code function: 0_2_00007FF727051290 SetUnhandledExceptionFilter,NtSetInformationProcess,CoInitializeEx,CreateEventW,memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,AllocateAndInitializeSid,RpcBindingSetAuthInfoExW,FreeSid,NdrClientCall3,NdrClientCall3,GetCurrentThreadId,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,ResetEvent,RpcAsyncInitializeHandle,Ndr64AsyncClientCall,WaitForSingleObject,RpcAsyncCompleteCall,CoUninitialize,GetProcessHeap,HeapFree,CloseHandle,NdrClientCall3,RpcBindingFree,GetLastError,GetLastError,RpcBindingFree,GetLastError,RpcAsyncCancelCall,WaitForSingleObject,GetLastError,Sleep,Sleep,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00007FF727051290

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\taskhost.exe

Code function: 0_2_00007FF727054EE0 LdrResolveDelayLoadedAPI,

0_2_00007FF727054EE0

Source: C:\Users\user\Desktop\taskhost.exe	Code function: 0_2_00007FF727051290 SetUnhandledExceptionFilter,NtSetInformationProcess,CoInitializeEx,CreateEventW,memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,AllocateAndInitializeSid,RpcBindingSetAuthInfoExW,FreeSid,NdrClientCall3,NdrClientCall3,GetCurrentThreadId,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,ResetEvent,RpcAsyncInitializeHandle,Ndr64AsyncClientCall,WaitForSingleObject,RpcAsyncCompleteCall,CoUninitialize,GetProcessHeap,HeapFree,CloseHandle,NdrClientCall3,RpcBindingFree,GetLastError,GetLastError,RpcBindingFree,GetLastError,RpcAsyncCancelCall,WaitForSingleObject,GetLastError,Sleep,Sleep,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,		0_2_00007FF727051290
Source: C:\Users\user\Desktop\taskhost.exe	Code function: 0_2_00007FF727052970 SetUnhandledExceptionFilter,		0_2_00007FF727052970

Source: C:\Users\user\Desktop\taskhost.exe

Code function: 0_2_00007FF727053260 malloc,InitializeSecurityDescriptor,IsValidSid,GetLengthSid,malloc,CopySid,SetSecurityDescriptorOwner,free,GetSecurityDescriptorGroup,IsValidSid,GetLengthSid,malloc,CopySid,SetSecurityDescriptorGroup,free,GetSecurityDescriptorDacl,GetAclInformation,malloc,memcpy_s,SetSecurityDescriptorDacl,free,CoInitializeSecurity,free,free,free,GetSecurityDescriptorOwner,free,free,free,free,free,

0_2_00007FF727053260

Source: C:\Users\user\Desktop\taskhost.exe

0_2_00007FF727051290

Source: C:\Users\user\Desktop\taskhost.exe

Code function: 0_2_00007FF727052990 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

0_2_00007FF727052990

Source: C:\Users\user\Desktop\taskhost.exe	Code function: 0_2_00007FF727051290 SetUnhandledExceptionFilter,NtSetInformationProcess,CoInitializeEx,CreateEventW,memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,AllocateAndInitializeSid,RpcBindingSetAuthInfoExW,FreeSid,NdrClientCall3,NdrClientCall3,GetCurrentThreadId,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,ResetEvent,RpcAsyncInitializeHandle,Ndr64AsyncClientCall,WaitForSingleObject,RpcAsyncCompleteCall,CoUninitialize,GetProcessHeap,HeapFree,CloseHandle,NdrClientCall3,RpcBindingFree,GetLastError,GetLastError,RpcBindingFree,GetLastError,RpcAsyncCancelCall,WaitForSingleObject,GetLastError,Sleep,Sleep,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,		0_2_00007FF727051290
Source: C:\Users\user\Desktop\taskhost.exe	Code function: 0_2_00007FF727063300 RpcBindingFree,		0_2_00007FF727063300

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	2 Obfuscated Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
taskhost.exe	0%	ReversingLabs
taskhost.exe	0%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	771762
Start date and time:	2022-12-21 23:36:35 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	taskhost.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean5.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 90.2% (good quality ratio 59.8%) Quality average: 50% Quality standard deviation: 42.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 17 Number of non-executed functions: 29
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.055814819440736
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	taskhost.exe
File size:	89344
MD5:	7016acd1d0c1cc6acf45cbc6c90d0575
SHA1:	5647c86f30318b232b3819ded08fc5a9a171e0d9
SHA256:	b79e0890e5acffe7966bb32a6aaa415d6e334d0df5452debe6a867bb03451ea6
SHA512:	a6024c58fb6ed460b5c27b0aa2245425135c5f5c45a98f0f32ab651d2b1fc0da3ba07ee38d333e0e619609c2e0c54c8550874b8967283f70b16b39ce873deb9f
SSDEEP:	1536:G94iupJRlYWC8f+G/UH+wp0FDYvftV6CTONh6qN/mAP2S/:GBQJRlYW/hszYYvfeCTOP6qF9j/
TLSH:	2F934AAF672404F2D26281B8C4CA83B7E7B2F6545911575F5A60C35E2F237A3AF26F01
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k...............rE.....,...........F...,.......,.......,.......,.......,.......,.......Rich............PE..d....@PT.........."

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x140002e60
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x545040F5 [Wed Oct 29 01:20:53 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	3
File Version Major:	6
File Version Minor:	3
Subsystem Version Major:	6
Subsystem Version Minor:	3
Import Hash:	b936ec29c8bee60694f9bc8cce4a892d

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	7/1/2014 1:32:01 PM 10/1/2015 1:32:01 PM
Subject Chain	CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	61B45818C53EA18CEB2F52DDCEFDF7CC
Thumbprint SHA-1:	DF3B9B7E5AEA1AA0B82EA25F542A6A00963AB890
Thumbprint SHA-256:	28274B4C2F38DE427980C82A040E0E7A00E12B5EC6576DFC025D549421B14195
Serial:	330000004EA1D80770A9BBE94400000000004E

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FCA1507C74Ch
dec eax
add esp, 28h
jmp 00007FCA1507CC33h
int3
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
dec eax
mov dword ptr [esp+18h], edi
inc ecx
push esp
inc ecx
push esi
inc ecx
push edi
dec eax
sub esp, 000000B0h
inc ebp
xor edi, edi
inc esp
mov dword ptr [esp+20h], edi
dec eax
lea ecx, dword ptr [esp+40h]
call dword ptr [000103A9h]
nop
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ebx, dword ptr [eax+08h]
inc ebp
mov esi, edi
xor eax, eax
dec eax
cmpxchg dword ptr [0000D14Dh], ebx
jne 00007FCA15080D74h
mov edi, 00000001h
mov eax, dword ptr [0000D160h]
cmp eax, edi
je 00007FCA15080D84h
mov eax, dword ptr [0000D152h]
test eax, eax
jne 00007FCA15080D92h
mov dword ptr [0000D144h], edi
dec esp
lea esp, dword ptr [000039E1h]
dec eax
lea ebx, dword ptr [000039C2h]
dec eax
mov dword ptr [esp+30h], ebx
inc ecx
mov eax, edi
mov dword ptr [esp+24h], eax
dec ecx
cmp ebx, esp
jnc 00007FCA1507CC4Fh
test eax, eax
jne 00007FCA15080D5Bh
dec eax
mov esi, dword ptr [ebx]
dec eax
test esi, esi
je 00007FCA1507CC34h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x134f8	0x1cc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x8c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x11000	0x1194	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x13800	0x2500
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x17000	0x1b0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xdc24	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x57e0	0x94	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x4f0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xd804	0xe0	.text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xef14	0xf000	False	0.5000325520833333	data	5.972433434103113	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x10000	0x8a4	0xa00	False	0.083984375	data	1.0393834461621136	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x11000	0x1194	0x1200	False	0.4416232638888889	PEX Binary Archive	4.644878693479405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x13000	0x1910	0x1a00	False	0.32421875	data	4.4785251016058645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x15000	0xb8	0x200	False	0.140625	data	0.9933999993885394	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x16000	0x8c8	0xa00	False	0.4125	data	4.162451415874829	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x17000	0x1b0	0x200	False	0.6640625	data	4.513035989971991	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
MUI	0x16800	0xc8	data	English	United States
RT_VERSION	0x16450	0x3b0	data	English	United States
RT_MANIFEST	0x160f0	0x35b	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
msvcrt.dll	_purecall, calloc, ??0exception@@QEAA@XZ, ??0exception@@QEAA@AEBQEBD@Z, ??1exception@@UEAA@XZ, ?what@exception@@UEBAPEBDXZ, _XcptFilter, _onexit, __dllonexit, malloc, _unlock, _lock, free, ?terminate@@YAXXZ, _commode, memcpy_s, memmove_s, wcsstr, _fmode, ??0exception@@QEAA@AEBV0@@Z, _wcmdln, __C_specific_handler, _initterm, __setusermatherr, _cexit, _exit, ??0exception@@QEAA@AEBQEBDH@Z, _callnewh, _CxxThrowException, exit, __CxxFrameHandler3, __set_app_type, ??1type_info@@UEAA@XZ, __wgetmainargs, _amsg_exit, memset
api-ms-win-eventing-classicprovider-l1-1-0.dll	GetTraceEnableFlags, GetTraceLoggerHandle, UnregisterTraceGuids, RegisterTraceGuidsW, TraceMessage, GetTraceEnableLevel
api-ms-win-core-heap-l1-2-0.dll	HeapReAlloc, HeapAlloc, HeapSize, HeapFree, GetProcessHeap, HeapDestroy
api-ms-win-core-errorhandling-l1-1-1.dll	GetLastError, SetUnhandledExceptionFilter, UnhandledExceptionFilter
api-ms-win-core-synch-l1-2-0.dll	WaitForSingleObject, LeaveCriticalSection, SetEvent, ResetEvent, CreateEventW, Sleep, DeleteCriticalSection, InitializeCriticalSection, EnterCriticalSection, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, InitializeSRWLock
api-ms-win-core-processthreads-l1-1-2.dll	GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, GetCurrentProcessId, SetProcessShutdownParameters, CreateThread, TerminateProcess, GetStartupInfoW, SetThreadPriority, GetExitCodeThread, GetThreadPriority
api-ms-win-core-libraryloader-l1-2-0.dll	GetModuleHandleW, LoadStringW
api-ms-win-core-profile-l1-1-0.dll	QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-2-1.dll	GetSystemTimeAsFileTime, GetTickCount
api-ms-win-core-rtlsupport-l1-2-0.dll	RtlLookupFunctionEntry, RtlCaptureContext, RtlVirtualUnwind
RPCRT4.dll	Ndr64AsyncClientCall, NdrClientCall3, RpcAsyncInitializeHandle, RpcStringFreeW, RpcBindingFree, RpcBindingFromStringBindingW, RpcAsyncCancelCall, RpcBindingSetAuthInfoExW, RpcAsyncCompleteCall, RpcStringBindingComposeW
api-ms-win-core-com-l1-1-1.dll	CoCreateInstance, CoCancelCall, CoEnableCallCancellation, CoDisableCallCancellation, CoInitializeEx, CoInitializeSecurity, CoUninitialize
api-ms-win-security-base-l1-2-0.dll	GetAclInformation, AddAce, FreeSid, AllocateAndInitializeSid, InitializeAcl, GetSecurityDescriptorOwner, IsValidSid, GetLengthSid, CopySid, GetSidSubAuthority, SetSecurityDescriptorOwner, InitializeSid, GetSidLengthRequired, GetSecurityDescriptorGroup, SetSecurityDescriptorGroup, InitializeSecurityDescriptor, MakeAbsoluteSD, GetSecurityDescriptorControl, GetSecurityDescriptorSacl, SetSecurityDescriptorDacl, GetSecurityDescriptorDacl
api-ms-win-core-handle-l1-1-0.dll	CloseHandle
api-ms-win-core-debug-l1-1-1.dll	OutputDebugStringA, IsDebuggerPresent
api-ms-win-core-registry-l1-1-0.dll	RegGetValueW
OLEAUT32.dll	SysAllocString, SysFreeString
api-ms-win-core-threadpool-legacy-l1-1-0.dll	DeleteTimerQueueTimer, CreateTimerQueueTimer
ntdll.dll	EtwTraceMessage, NtSetInformationProcess, RtlUnhandledExceptionFilter, DbgPrintEx
api-ms-win-core-heap-obsolete-l1-1-0.dll	LocalFree
api-ms-win-core-apiquery-l1-1-0.dll	ApiSetQueryApiSetPresence
api-ms-win-core-delayload-l1-1-1.dll	DelayLoadFailureHook, ResolveDelayLoadedAPI

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• taskhost.exe

Click to jump to process

Memory Usage

• taskhost.exe

Click to jump to process

System Behavior

Analysis Process: taskhost.exePID: 4844, Parent PID: 3452

Function Logs

General

Target ID:	0
Start time:	23:37:24
Start date:	21/12/2022
Path:	C:\Users\user\Desktop\taskhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\taskhost.exe
Imagebase:	0x7ff727050000
File size:	89344 bytes
MD5 hash:	7016ACD1D0C1CC6ACF45CBC6C90D0575
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Key Value Queried

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: taskhost.exePID: 4844, Parent PID: 3452COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.1%
Total number of Nodes:	1028
Total number of Limit Nodes:	10

Executed Functions

Function 00007FF727051290 Relevance: 89.7, APIs: 49, Strings: 2, Instructions: 415
memorysleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00007FF7270512E7
NtSetInformationProcess.NTDLL ref: 00007FF727051303
CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-1 ref: 00007FF72705130D

Part of subcall function 00007FF727053D40: SetProcessShutdownParameters.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF727053D9B

CreateEventW.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF727051337
memset.MSVCRT ref: 00007FF727051356
RpcStringBindingComposeW.RPCRT4 ref: 00007FF72705138E
RpcBindingFromStringBindingW.RPCRT4 ref: 00007FF7270513A7
RpcStringFreeW.RPCRT4 ref: 00007FF7270513B3
AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF7270513EF
RpcBindingSetAuthInfoExW.RPCRT4 ref: 00007FF727051446
FreeSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727051452
NdrClientCall3.RPCRT4 ref: 00007FF727051499
NdrClientCall3.RPCRT4 ref: 00007FF7270514CB
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF7270514DB
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-2-0 ref: 00007FF7270514FE
HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0 ref: 00007FF72705150C
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-2-0 ref: 00007FF727051520
HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0 ref: 00007FF72705152E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-2-0 ref: 00007FF727051542
HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0 ref: 00007FF727051550
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-2-0 ref: 00007FF727051560
HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0 ref: 00007FF727051570
memset.MSVCRT ref: 00007FF72705158B
ResetEvent.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF727051598
RpcAsyncInitializeHandle.RPCRT4 ref: 00007FF7270515A7
Ndr64AsyncClientCall.RPCRT4 ref: 00007FF7270515EE
WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF727051602
RpcAsyncCompleteCall.RPCRT4 ref: 00007FF727051619
CoUninitialize.API-MS-WIN-CORE-COM-L1-1-1 ref: 00007FF727051B0A
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-2-0 ref: 00007FF727051B46
HeapFree.API-MS-WIN-CORE-HEAP-L1-2-0 ref: 00007FF727051B56
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF727051B64
NdrClientCall3.RPCRT4 ref: 00007FF727051B83
RpcBindingFree.RPCRT4 ref: 00007FF727051B96
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00007FF7270572D8
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00007FF7270572E5
RpcBindingFree.RPCRT4 ref: 00007FF7270572FD
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00007FF727057309
RpcAsyncCancelCall.RPCRT4 ref: 00007FF72705731C
WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF727057336
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00007FF727057344
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF727057378
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF72705739B

Strings

ncalrpc, xrefs: 00007FF72705136B
ubpmtaskhostchannel, xrefs: 00007FF727051364

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: Heap$Free$Process$Binding$AsyncClientErrorLast$CallCall3InitializeString$EventHandleObjectSingleSleepWaitmemset$AllocateAuthCancelCloseCompleteComposeCreateCurrentExceptionFilterFromInfoInformationNdr64ParametersResetShutdownThreadUnhandledUninitialize
String ID: ncalrpc$ubpmtaskhostchannel
API String ID: 1043982389-1698924819
Opcode ID: 9821cb267bc7500ecc067c2ce31d79d8a6b341be9b074067151a93ca951169ce
Instruction ID: 9d73acc4e6383c582205fcbb0fce285eea2bc241e53332a8600ffa959baf23f5
Opcode Fuzzy Hash: 9821cb267bc7500ecc067c2ce31d79d8a6b341be9b074067151a93ca951169ce
Instruction Fuzzy Hash: F5127B31A08B4286FB30AF65E950169B7A1FB46B54FD44139DA4D87AA4DF3CE40ACF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727053260 Relevance: 47.1, APIs: 31, Instructions: 639
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF7270532D1
InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF7270532ED
IsValidSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053310
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053321
malloc.MSVCRT ref: 00007FF72705332C
CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053347
SetSecurityDescriptorOwner.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053360
GetSecurityDescriptorGroup.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF72705340B
IsValidSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF72705342A
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF72705343B
malloc.MSVCRT ref: 00007FF727053446
CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053461
SetSecurityDescriptorGroup.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF72705347A
free.MSVCRT ref: 00007FF72705348C

Part of subcall function 00007FF727052AF0: IsValidSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727052B28

Part of subcall function 00007FF727052AF0: IsValidSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727052CCD
Part of subcall function 00007FF727052AF0: GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727052CDF
Part of subcall function 00007FF727052AF0: CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727052CF0
Part of subcall function 00007FF727052AF0: calloc.MSVCRT ref: 00007FF727052D91
Part of subcall function 00007FF727052AF0: memmove_s.MSVCRT ref: 00007FF727052DB4
Part of subcall function 00007FF727052AF0: free.MSVCRT ref: 00007FF727052DC6
Part of subcall function 00007FF727052AF0: free.MSVCRT ref: 00007FF727052DF2

GetSecurityDescriptorDacl.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF72705360D
GetAclInformation.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053677
malloc.MSVCRT ref: 00007FF72705368C
memcpy_s.MSVCRT ref: 00007FF7270536B3
SetSecurityDescriptorDacl.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF7270536E1
free.MSVCRT ref: 00007FF7270536F3
CoInitializeSecurity.API-MS-WIN-CORE-COM-L1-1-1 ref: 00007FF727053725
free.MSVCRT ref: 00007FF727053790
free.MSVCRT ref: 00007FF7270537A8
free.MSVCRT ref: 00007FF7270537D0

Part of subcall function 00007FF727053BE0: GetSecurityDescriptorControl.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053C0C
Part of subcall function 00007FF727053BE0: GetSecurityDescriptorOwner.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053C38
Part of subcall function 00007FF727053BE0: free.MSVCRT ref: 00007FF727053C43
Part of subcall function 00007FF727053BE0: GetSecurityDescriptorGroup.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053C57
Part of subcall function 00007FF727053BE0: free.MSVCRT ref: 00007FF727053C62
Part of subcall function 00007FF727053BE0: GetSecurityDescriptorDacl.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053C7B
Part of subcall function 00007FF727053BE0: free.MSVCRT ref: 00007FF727053C8C
Part of subcall function 00007FF727053BE0: GetSecurityDescriptorSacl.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053CA5
Part of subcall function 00007FF727053BE0: free.MSVCRT ref: 00007FF727053CB9

free.MSVCRT ref: 00007FF727053372

Part of subcall function 00007FF727052870: GetSecurityDescriptorControl.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF7270528A1

GetSecurityDescriptorOwner.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727059E38
free.MSVCRT ref: 00007FF727059E58
free.MSVCRT ref: 00007FF72705A11A
free.MSVCRT ref: 00007FF72705A153
free.MSVCRT ref: 00007FF72705A16D
free.MSVCRT ref: 00007FF72705A188

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: free$Security$Descriptor$Validmalloc$CopyDaclGroupLengthOwner$ControlInitialize$InformationSaclcallocmemcpy_smemmove_s
String ID:
API String ID: 3033521031-0
Opcode ID: 1f3b394812e92becc2b6fdddc590fde7f4866344361ceefa31ee3ef36007f7e3
Instruction ID: 47c1c4955c3914d02908be6cddc3147a457cd20204f011226036e1ee0ff30d49
Opcode Fuzzy Hash: 1f3b394812e92becc2b6fdddc590fde7f4866344361ceefa31ee3ef36007f7e3
Instruction Fuzzy Hash: CF526E31B0DB4281EA20AB21DE542BDE760FB86B94FD45135DA1E87795CF3CE44ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727052240 Relevance: 13.6, APIs: 9, Instructions: 85
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7270548A0: memset.MSVCRT ref: 00007FF7270548C2
Part of subcall function 00007FF7270548A0: RegisterClassW.USER32 ref: 00007FF727054911
Part of subcall function 00007FF7270548A0: CreateWindowExW.USER32 ref: 00007FF72705495B

SetEvent.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF727052262
MsgWaitForMultipleObjects.USER32 ref: 00007FF727052295
PeekMessageW.USER32 ref: 00007FF7270522B5
DestroyWindow.USER32 ref: 00007FF7270546C5
PeekMessageW.USER32 ref: 00007FF7270546E6
UnregisterClassW.USER32 ref: 00007FF727054700
TranslateMessage.USER32 ref: 00007FF727054853
DispatchMessageW.USER32 ref: 00007FF72705485E
PeekMessageW.USER32 ref: 00007FF727054884

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: Message$Peek$ClassWindow$CreateDestroyDispatchEventMultipleObjectsRegisterTranslateUnregisterWaitmemset
String ID:
API String ID: 2029843109-0
Opcode ID: 9d3a507b0d8c0104aa6555387b0a18fd63407b2c28d75631afb8da0397bf70a3
Instruction ID: 9433e928c2c89258277a7d37944e4d2cb766bebbf09bde5aaa1e970e41c088cc
Opcode Fuzzy Hash: 9d3a507b0d8c0104aa6555387b0a18fd63407b2c28d75631afb8da0397bf70a3
Instruction Fuzzy Hash: 8E31C261F2855282F770BB25EE60A7AA3A0FF96744FC44135EA4DC2594DF2CD44E8F60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7270522E0 Relevance: 3.0, APIs: 2, Instructions: 45
nativewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00007FF77FF7270522E0(void* __eax, void* __edx, long long __rbx, void* __rcx, long long __rsi, long long __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24) {

				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				if (__edx - 0x16 <= 0) goto 0x2705232a;
				"ation>\r\n</assembly>"(); // executed
				return __eax;
			}

0x7ff7270522e0
0x7ff7270522e5
0x7ff7270522ea
0x7ff727052302
0x7ff72705230f
0x7ff727052329

APIs

NtdllDefWindowProc_W.NTDLL ref: 00007FF72705230F
PostQuitMessage.USER32 ref: 00007FF72705233A

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: MessageNtdllPostProc_QuitWindow
String ID:
API String ID: 4264772764-0
Opcode ID: 422c55a8cdebbc48c7822e8fc1bc34a637d80d95c89324f68c51aee4e41dbb9e
Instruction ID: e2dbfdea308e8512113e4a6c91f024810d00b9c763d4effbbff5c708331e0c60
Opcode Fuzzy Hash: 422c55a8cdebbc48c7822e8fc1bc34a637d80d95c89324f68c51aee4e41dbb9e
Instruction Fuzzy Hash: 16019261F1865285E774B7666E8403EE690FF8ABC0FD88431DA0DC2799CD2CE44A8A60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727052970 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00007FF72705297B

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a8e962779971eea3a48e8286fb88c7d015fc519c956c73c540bcf1e2c30f0310
Instruction ID: aa100731075c95b55706a11b5fa7c9d78b1e922c526d975666ac7bd4e3ab0074
Opcode Fuzzy Hash: a8e962779971eea3a48e8286fb88c7d015fc519c956c73c540bcf1e2c30f0310
Instruction Fuzzy Hash: 7AB01210F36403C1EA24BB21DD9506192A1FF5E705FC00830C00DC5220DE6CB59FCF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727054EE0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f36331aa407c207627c383d0addf4de2e4e1dd4b9de0c586b0dfbe696a4c1530
Instruction ID: 5bc4967017af566f973f7eeec37345e3610f86d346a63d17c9c668737addb696
Opcode Fuzzy Hash: f36331aa407c207627c383d0addf4de2e4e1dd4b9de0c586b0dfbe696a4c1530
Instruction Fuzzy Hash: 28D05EA5D0854281E620AB41ED112A5B720FB55344FC00132E84C82664DF3CD60ECF14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7270548A0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 79
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF7270548C2
RegisterClassW.USER32 ref: 00007FF727054911
CreateWindowExW.USER32 ref: 00007FF72705495B
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00007FF72705ABFC
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00007FF72705AC1C
UnregisterClassW.USER32 ref: 00007FF72705AC4A

Strings

Task Host Window, xrefs: 00007FF727054947
COMTASKSWINDOWCLASS, xrefs: 00007FF7270548FD

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterWindowmemset
String ID: COMTASKSWINDOWCLASS$Task Host Window
API String ID: 3115513498-523095222
Opcode ID: bfcf70b8d98bd1f41332d67f7fca69309f8ca7b6b7ec98b3655990cfa03622c5
Instruction ID: c4dfd0da907bcf25576d568d6e7fd8cb7ac5f10d106042471105414a84e0c629
Opcode Fuzzy Hash: bfcf70b8d98bd1f41332d67f7fca69309f8ca7b6b7ec98b3655990cfa03622c5
Instruction Fuzzy Hash: 28319576918B9282E7209B25F94026AF7A5FB85B90FD44135EACCC3754DF3CD44ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727054E10 Relevance: 10.6, APIs: 7, Instructions: 74
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventW.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF727054E2E
CreateEventW.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF727054E4E
CreateThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF727054E78
WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF727054E92
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF727054EA9
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00007FF72705A9F8
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF72705AA49

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: Create$CloseEventHandle$ErrorLastObjectSingleThreadWait
String ID:
API String ID: 1854897459-0
Opcode ID: 1e6efd1d75c998c52023b78a35499d3558810fee5e097e073bb79df76013d784
Instruction ID: 342414c469a9cbf6083600ce0162beabb6fec1fedebbf0bb01acac29a5df4d77
Opcode Fuzzy Hash: 1e6efd1d75c998c52023b78a35499d3558810fee5e097e073bb79df76013d784
Instruction Fuzzy Hash: 0231A632608B5282E730AB25EA54129F3A4FF49B687D14335DA2D967D4DF3CD48A8A90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727052E60 Relevance: 7.7, APIs: 5, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF727052EA9

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: InfoStartup
String ID:
API String ID: 2571198056-0
Opcode ID: aa33cad896b09622a8729d89d292e3bf079fd9abc35bcd422a00bf54464c9bec
Instruction ID: c3f7b131cb023d73759a470307905d3a3ff115eba0eabbc01ac1dcdffa5aed1e
Opcode Fuzzy Hash: aa33cad896b09622a8729d89d292e3bf079fd9abc35bcd422a00bf54464c9bec
Instruction Fuzzy Hash: CD614B61E0C60382FA70BB11AE5067AE2A1FF4A740FD49535D94EC7290DF3CE94A9F60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727051D30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF727051D76

Strings

EnableDebuggerBreakForTaskHang, xrefs: 00007FF727051D3D
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule, xrefs: 00007FF727051D4E

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: Value
String ID: EnableDebuggerBreakForTaskHang$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
API String ID: 3702945584-1563541103
Opcode ID: d627125af4e0c0fe36138b531fdebea97e06e4f46cc91860ae471834271c1dbe
Instruction ID: 94c0e77173e572e3230e2e3c357d2e3bb2e0361eee34aefc5013f54b6e2e7f0a
Opcode Fuzzy Hash: d627125af4e0c0fe36138b531fdebea97e06e4f46cc91860ae471834271c1dbe
Instruction Fuzzy Hash: AD01A171A0874382EB60AB51EA406AAF7A4FF41358FC04136D65D82794DFBCD54ECF64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7270546A2 Relevance: 4.5, APIs: 3, Instructions: 32
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E00007FF77FF7270546A2(void* __eax, void* __esp, long long __rdi, intOrPtr _a32, char _a48, void* _a112) {
				void* _t17;
				void* _t28;
				intOrPtr _t29;
				intOrPtr _t31;
				long long _t35;
				void* _t37;
				void* _t38;

				_t35 = __rdi;
				if (__eax != 0) goto 0x27056fca;
				_t31 =  *0x27060058; // 0x0
				E00007FF77FF727054730(0, _t28, _t31, __rdi, _t37, _t38);
				_t29 =  *0x27060058; // 0x0
				DestroyWindow(??); // executed
				 *((long long*)(_t29 + 0x18)) = _t35;
				r9d = 0;
				r8d = 0;
				_a32 = 1;
				if (PeekMessageW(??, ??, ??, ??, ??) != 0) goto 0x270546d1;
				if (0 == ( *(_t29 + 0x10) & 0x0000ffff)) goto 0x2705470a;
				UnregisterClassW(??, ??);
				 *(_t29 + 0x10) = 0;
				E00007FF77FF727051CB0(_t17, _t29,  &_a48, _t37); // executed
				return 0;
			}

0x7ff7270546a2
0x7ff7270546a6
0x7ff7270546ac
0x7ff7270546b5
0x7ff7270546ba
0x7ff7270546c5
0x7ff7270546cd
0x7ff7270546d6
0x7ff7270546d9
0x7ff7270546de
0x7ff7270546ee
0x7ff7270546f7
0x7ff727054700
0x7ff727054706
0x7ff72705470a
0x7ff72705471b

APIs

Part of subcall function 00007FF727054730: AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF7270547AE
Part of subcall function 00007FF727054730: ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF7270547BC

DestroyWindow.USER32 ref: 00007FF7270546C5
PeekMessageW.USER32 ref: 00007FF7270546E6
UnregisterClassW.USER32 ref: 00007FF727054700

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: ExclusiveLock$AcquireClassDestroyMessagePeekReleaseUnregisterWindow
String ID:
API String ID: 4046107042-0
Opcode ID: 0b70fdffe4aa9f8bfd55f3f7531d7355d8594f5b03e93ce35b3c89c4f61bc036
Instruction ID: 02c5817742e9c70eed3c1bf9053378ea64d3a94bc2e1f9cf905e84e1f6de0da1
Opcode Fuzzy Hash: 0b70fdffe4aa9f8bfd55f3f7531d7355d8594f5b03e93ce35b3c89c4f61bc036
Instruction Fuzzy Hash: 3D018F21A1864281F730BF31EE5057AA391FF85B48BC04034EE4CC6554DF3CD49A8BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727051780 Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E00007FF77FF727051780(void* __eax, long long __rbx, void* __rcx, long long __rsi, long long __rbp, long long _a8, long long _a16, long long _a24) {
				long long _v16;
				char _v24;
				long long _v32;
				long long _v40;
				long long _v48;
				long long _v56;
				intOrPtr* _t34;
				long long _t53;

				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				 *0x270600a8 = 1;
				 *0x270600a0 = __rbp;
				 *0x27060090 = __rbp;
				 *0x27060070 = 0x270561b0;
				 *0x27060048 = 0x27060090;
				_t53 =  *0x27060070;
				_v16 = __rbp;
				_v32 = 0x7ff727060098;
				_v40 = __rbp;
				_v24 = _t53;
				r9d = 1;
				_v48 = __rbp;
				_v56 =  &_v24;
				 *0x7FF7270600B0 = _t53;
				__imp__RegisterTraceGuidsW();
				if ( *0x27060090 != 0) goto 0x270517d5;
				E00007FF77FF727051290();
				_t34 =  *0x27060048; // 0x7ff727060048
				if (_t34 == 0x27060048) goto 0x2705186b;
				if (_t34 == 0) goto 0x27051862;
				_t14 = _t34 + 8; // 0x0
				if ( *_t14 == 0) goto 0x2705185a;
				__imp__UnregisterTraceGuids();
				 *((long long*)(_t34 + 8)) = __rbp;
				if ( *_t34 != 0) goto 0x27051847;
				 *0x27060048 = 0x27060048;
				return __eax;
			}

0x7ff727051780
0x7ff727051785
0x7ff72705178a
0x7ff7270517a7
0x7ff7270517b2
0x7ff7270517b9
0x7ff7270517c7
0x7ff7270517ce
0x7ff7270517d5
0x7ff7270517dc
0x7ff7270517e1
0x7ff7270517eb
0x7ff7270517f0
0x7ff7270517fc
0x7ff727051805
0x7ff72705180e
0x7ff727051813
0x7ff727051817
0x7ff727051823
0x7ff727051828
0x7ff72705182d
0x7ff727051840
0x7ff727051845
0x7ff727051847
0x7ff72705184e
0x7ff727051850
0x7ff727051856
0x7ff727051860
0x7ff727051862
0x7ff72705187f

APIs

RegisterTraceGuidsW.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FF727051817
UnregisterTraceGuids.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FF727051850

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: GuidsTrace$RegisterUnregister
String ID:
API String ID: 3446728691-0
Opcode ID: 527dcc6ed0b793e2fe379df56069233b0c8f7462cb0e2a56b6dfea3ef29e8f5b
Instruction ID: 276ab980c3516615b2b52818f3b4703198a7dd3ef1c12a315a99b478436833bf
Opcode Fuzzy Hash: 527dcc6ed0b793e2fe379df56069233b0c8f7462cb0e2a56b6dfea3ef29e8f5b
Instruction Fuzzy Hash: 22212B31A08B4285EB20AF11F950669F3A4FB45B84FD88539DA8C87715DF3CE45ACB54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727051CB0 Relevance: 3.0, APIs: 2, Instructions: 47
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF727051CFE

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: 9fdae71b60d1eb0d473e731742d7201fce8aea5140ae0f5629cd8422eb31bb55
Instruction ID: 68cbbd3812c7ce5884a945389ee8ae87d70cdeb4ebd7e1d4bafabee17e71aecd
Opcode Fuzzy Hash: 9fdae71b60d1eb0d473e731742d7201fce8aea5140ae0f5629cd8422eb31bb55
Instruction Fuzzy Hash: 62117020B0C25282F77077665F5023A9585FF067A0FD04239EA2DC62D1EE1CE84B4AB1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727053DC0 Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00007FF77FF727053DC0(void* __ecx, void* __eflags, long long __rax, long long __rcx, void* __rdx, void* __r9, long long _a8, long long _a16, long long _a24) {
				long long _v72;
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* _t25;
				void* _t26;
				void* _t31;
				long long _t45;
				long long _t52;
				intOrPtr* _t53;
				void* _t60;
				void* _t62;
				long long _t67;
				long long _t68;

				_t45 = __rax;
				_a8 = __rcx;
				_v72 = 0xfffffffe;
				_t67 = __rcx;
				r15d = 0;
				_a24 = _t68;
				_t25 = E00007FF77FF727053260(_t52, __rdx, _t60, _t62, __r9); // executed
				if (_t25 < 0) goto 0x27053eed;
				_t26 = E00007FF77FF727053F00(_t45, __r9);
				if (_t26 < 0) goto 0x27053eed;
				if ( *((intOrPtr*)( *[gs:0x60] + 0x2c0)) == r15d) goto 0x2705435b;
				if (E00007FF77FF727054F24(_t26) == 0) goto 0x2705435b;
				if (0 != 0) goto 0x27054362;
				E00007FF77FF7270527D0(_t45,  *[gs:0x60]);
				_t53 = _t45;
				_a16 = _t45;
				if (_t45 == 0) goto 0x27056dee;
				 *_t53 = 0x270561c0;
				E00007FF77FF727054800(0x270561c0,  *[gs:0x60]);
				 *((long long*)(_t53 + 0x58)) = 0x270561c0;
				 *0x7FF7270561E1 = 1;
				 *((long long*)( *((intOrPtr*)(_t53 + 0x58)) + 8)) =  *((intOrPtr*)(_t53 + 0x58));
				 *((long long*)( *((intOrPtr*)(_t53 + 0x58)))) =  *((intOrPtr*)(_t53 + 0x58));
				 *((long long*)( *((intOrPtr*)(_t53 + 0x58)) + 0x10)) =  *((intOrPtr*)(_t53 + 0x58));
				 *((long long*)(_t53 + 0x60)) = _t68;
				__imp__InitializeSRWLock();
				 *((long long*)(_t53 + 8)) = _t68;
				 *((intOrPtr*)(_t53 + 0x10)) = r15w;
				 *((long long*)(_t53 + 0x18)) = _t68;
				 *((intOrPtr*)(_t53 + 0x20)) = 0x80004001;
				 *((long long*)(_t53 + 0x28)) = _t68;
				 *((long long*)(_t53 + 0x30)) = _t68;
				 *((long long*)(_t53 + 0x38)) = _t68;
				 *((long long*)(_t53 + 0x40)) = _t68;
				_a24 = _t53;
				if (_t53 == 0) goto 0x27056df6;
				if (_t26 < 0) goto 0x27059dd2;
				 *0x27060058 = _t53;
				if ( *((intOrPtr*)( *_t53 + 0x28)) != E00007FF77FF727054DE0) goto 0x27054387;
				_t31 = E00007FF77FF727054DE0(_t53, _t67); // executed
				return _t31;
			}

0x7ff727053dc0
0x7ff727053dc0
0x7ff727053dd0
0x7ff727053dd9
0x7ff727053ddc
0x7ff727053ddf
0x7ff727053de7
0x7ff727053dee
0x7ff727053df4
0x7ff727053dfd
0x7ff727053e13
0x7ff727053e20
0x7ff727053e2a
0x7ff727053e35
0x7ff727053e3a
0x7ff727053e3d
0x7ff727053e45
0x7ff727053e52
0x7ff727053e55
0x7ff727053e5a
0x7ff727053e5e
0x7ff727053e66
0x7ff727053e6e
0x7ff727053e75
0x7ff727053e79
0x7ff727053e81
0x7ff727053e87
0x7ff727053e8b
0x7ff727053e90
0x7ff727053e94
0x7ff727053e9b
0x7ff727053e9f
0x7ff727053ea3
0x7ff727053ea7
0x7ff727053eab
0x7ff727053eb6
0x7ff727053ebe
0x7ff727053ec4
0x7ff727053edc
0x7ff727053ee8
0x7ff727053ef8

APIs

Part of subcall function 00007FF727053260: malloc.MSVCRT ref: 00007FF7270532D1
Part of subcall function 00007FF727053260: InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF7270532ED
Part of subcall function 00007FF727053260: IsValidSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053310
Part of subcall function 00007FF727053260: GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053321
Part of subcall function 00007FF727053260: malloc.MSVCRT ref: 00007FF72705332C
Part of subcall function 00007FF727053260: CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053347
Part of subcall function 00007FF727053260: SetSecurityDescriptorOwner.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053360
Part of subcall function 00007FF727053260: free.MSVCRT ref: 00007FF727053372
Part of subcall function 00007FF727053260: GetSecurityDescriptorGroup.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF72705340B
Part of subcall function 00007FF727053260: IsValidSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF72705342A

Part of subcall function 00007FF727053F00: CreateEventW.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF727053F2C

Part of subcall function 00007FF7270527D0: malloc.MSVCRT ref: 00007FF7270527DC

InitializeSRWLock.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF727053E81

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: DescriptorSecuritymalloc$InitializeValid$CopyCreateEventGroupLengthLockOwnerfree
String ID:
API String ID: 2800279346-0
Opcode ID: ae4ed17ab7d7b969f7883ee90b42021041cc94042a4599d49506d32aa3e70606
Instruction ID: d537e36a2492f99f9801d8a51714b317ea28f859aab5f3e6a52a5012e05a11a1
Opcode Fuzzy Hash: ae4ed17ab7d7b969f7883ee90b42021041cc94042a4599d49506d32aa3e70606
Instruction Fuzzy Hash: 26418432A08B4282E721AF24EE40269E3E5FF46B98FC44534DE4D87395DF3DD45A9B60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727053D40 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 43%

			E00007FF77FF727053D40(long long __rbx, void* __rcx, void* __rdx, long long _a8, intOrPtr _a16, intOrPtr _a24) {
				long long _v40;
				intOrPtr _t12;
				void* _t15;
				void* _t21;
				intOrPtr _t26;
				void* _t30;

				_v40 = 0xfffffffe;
				_a8 = __rbx;
				_a24 = 0;
				_t26 =  *0x27060048; // 0x7ff727060048
				if (_t26 == 0x27060048) goto 0x27053d7c;
				if (( *(_t26 + 0x1c) & 0x00000004) != 0) goto 0x27059d45;
				_t12 = E00007FF77FF727053DC0(_t15,  *(_t26 + 0x1c) & 0x00000004, _t21, __rcx, __rdx, _t30); // executed
				_a16 = _t12;
				if (_a16 < 0) goto 0x27059d6c;
				SetProcessShutdownParameters(??, ??); // executed
				return _a24;
			}

0x7ff727053d46
0x7ff727053d4f
0x7ff727053d57
0x7ff727053d66
0x7ff727053d70
0x7ff727053d76
0x7ff727053d7f
0x7ff727053d84
0x7ff727053d8d
0x7ff727053d9b
0x7ff727053daf

APIs

SetProcessShutdownParameters.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF727053D9B

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: ParametersProcessShutdown
String ID:
API String ID: 4192036408-0
Opcode ID: ee8606501e69bef7081d99680ba5d48d5bcf458fdb25dfe9f13498b866e745cc
Instruction ID: e87661c34e7a8dbbc9052f223ce276162279483656d8e420073be03e1d11cf04
Opcode Fuzzy Hash: ee8606501e69bef7081d99680ba5d48d5bcf458fdb25dfe9f13498b866e745cc
Instruction Fuzzy Hash: 9E11AF31A0874186E760AB15EA50379E3A1FB86B54FD04235DA5DC76E5CFBCE44B8F20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727052920 Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wgetmainargs.MSVCRT ref: 00007FF727052958

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: __wgetmainargs
String ID:
API String ID: 1709950718-0
Opcode ID: 96ac0cb45e6698b98710fc58e0c2967d617f78f4ce9b77545343fd108a6e99b3
Instruction ID: 3f74722ac06fcd5323c16fb2a9fba611ae656864af9fed9c4c6a90a9c8d12cd5
Opcode Fuzzy Hash: 96ac0cb45e6698b98710fc58e0c2967d617f78f4ce9b77545343fd108a6e99b3
Instruction Fuzzy Hash: 1CE04574F8964396E620BB10FE64C64B760EB56314FC0813AD44DD2220DE7CA24BCF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727051930 Relevance: 1.3, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF727051930() {
				int _t3;
				void* _t8;
				intOrPtr _t12;

				goto 0x27051940;
				0;
				_t12 =  *0x27060008;
				 *0x27060008 = 0x27060008;
				_t2 = _t12 - 1; // -1
				if (_t2 - 0xfffffffd > 0) goto 0x2705195e; // executed
				_t3 = CloseHandle(_t8); // executed
				return _t3;
			}

0x7ff727051937
0x7ff72705193f
0x7ff72705194b
0x7ff72705194b
0x7ff72705194e
0x7ff727051956
0x7ff727051958
0x7ff727051966

APIs

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF727051958

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8bf1bfe15a279063aef872c3ce47482dc35501873ed4dc0b37f5d208896ffad0
Instruction ID: 70d90570ee082ab0a41afe3f8951128296b0d98c1706a5f03f67b89c4c3fce70
Opcode Fuzzy Hash: 8bf1bfe15a279063aef872c3ce47482dc35501873ed4dc0b37f5d208896ffad0
Instruction Fuzzy Hash: 53D0C221B0850291EF266761CC5013CE321EF09B30BC44335C63D822D0CF68A49A8B20

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF727052440 Relevance: 35.4, APIs: 16, Strings: 4, Instructions: 379memoryregistrythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7270527D0: malloc.MSVCRT ref: 00007FF7270527DC

SysAllocString.OLEAUT32 ref: 00007FF72705254C
SysAllocString.OLEAUT32 ref: 00007FF7270525D1
InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF727052618
memset.MSVCRT ref: 00007FF72705268F
RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7270526CF
CreateThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF72705272D
_CxxThrowException.MSVCRT ref: 00007FF727059851
_CxxThrowException.MSVCRT ref: 00007FF727059882
_CxxThrowException.MSVCRT ref: 00007FF7270598AE
_CxxThrowException.MSVCRT ref: 00007FF7270598DA

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule, xrefs: 00007FF7270526C1
EnableDebuggerBreakForTaskStart, xrefs: 00007FF7270526BA
======================================================================WARNING: This is not an error but a forced debug break enabled by setting the registry keyHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\EnableDebuggerBreakForTaskStartThis , xrefs: 00007FF727059971
StartComTask, xrefs: 00007FF727059A3B

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: ExceptionThrow$AllocString$CreateCriticalInitializeSectionThreadValuemallocmemset
String ID: ======================================================================WARNING: This is not an error but a forced debug break enabled by setting the registry keyHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\EnableDebuggerBreakForTaskStartThis $EnableDebuggerBreakForTaskStart$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule$StartComTask
API String ID: 2275435230-836363357
Opcode ID: 197649ba4dc4bdaa9229a882f0de331f0ee18919d9f1cf7db8e32f6f673d8eb1
Instruction ID: 86e10c9babf77b6d7e13930086ea60ba021ac85a2de34c7b1e87fa71cca06a22
Opcode Fuzzy Hash: 197649ba4dc4bdaa9229a882f0de331f0ee18919d9f1cf7db8e32f6f673d8eb1
Instruction Fuzzy Hash: 0D027E31A08B4286EB30EB15EE4016AB3A4FF4A754FD44539DA4D977A4DF3CE44ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727052AF0 Relevance: 18.4, APIs: 12, Instructions: 366
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00007FF77FF727052AF0(long long __rbx, long long __rcx, void* __rdx, long long __rsi, long long _a16) {
				void* _v40;
				long long _v48;
				void* _v56;
				void* _v72;
				void* _t82;
				void* _t83;
				void* _t89;
				void* _t121;
				long long _t125;
				long long _t128;
				long long _t131;
				intOrPtr _t133;
				unsigned long long _t136;
				void* _t140;
				long long _t155;
				void** _t159;
				void* _t161;
				void* _t168;
				signed long long _t179;
				void* _t181;
				void* _t186;
				int _t190;
				long long* _t191;
				void* _t194;
				void* _t196;
				intOrPtr _t197;
				intOrPtr _t198;
				intOrPtr _t199;
				void* _t202;

				_t161 = __rdx;
				_t121 = _t181;
				 *((long long*)(_t121 + 8)) = __rcx;
				 *((long long*)(_t121 - 0x40)) = 0xfffffffe;
				 *((long long*)(_t121 + 0x18)) = __rbx;
				 *((long long*)(_t121 + 0x20)) = __rsi;
				if ( *(__rdx + 0x4c) == 0) goto 0x2705a755;
				_t6 = _t161 + 8; // 0x8
				if (IsValidSid(_t202) == 0) goto 0x2705a755;
				if ( *((char*)(__rcx + 0x10)) != 0) goto 0x2705a564;
				r13d = 0;
				_v72 = _t194;
				E00007FF77FF7270527D0(_t121, _t6);
				_t140 = _t121;
				_v56 = _t121;
				if (_t121 == 0) goto 0x27056eef;
				 *_t140 = 0x27056920;
				_t10 = _t140 + 8; // 0x8
				_t191 = _t10;
				_v48 = _t191;
				 *_t191 = 0x270569c8;
				 *((char*)(_t191 + 0x4c)) =  *(__rdx + 0x4c) & 0x000000ff;
				 *((intOrPtr*)(_t191 + 0x50)) =  *((intOrPtr*)(__rdx + 0x50));
				_t197 =  *((intOrPtr*)(__rdx + 0x58));
				_t125 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t197 - 0x18)))) + 0x20));
				_a16 = _t125;
				if (_t125 != E00007FF77FF727054340) goto 0x2705a582;
				_t82 = E00007FF77FF727054340( *((intOrPtr*)(__rdx + 0x50)),  *((intOrPtr*)(_t197 - 0x18)));
				_a16 = _t125;
				if ( *((intOrPtr*)(_t197 - 8)) < 0) goto 0x2705a59c;
				if (_t125 !=  *((intOrPtr*)(_t197 - 0x18))) goto 0x2705a59c;
				asm("lock inc ecx");
				 *((long long*)(_t191 + 0x58)) = _t197 - 0x18 + 0x18;
				_t198 =  *((intOrPtr*)(__rdx + 0x60));
				_t128 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 0x18)))) + 0x20));
				_a16 = _t128;
				if (_t128 != E00007FF77FF727054340) goto 0x2705a5f3;
				_t83 = E00007FF77FF727054340(_t82,  *((intOrPtr*)(_t198 - 0x18)));
				_a16 = _t128;
				if ( *((intOrPtr*)(_t198 - 8)) < 0) goto 0x2705a60d;
				if (_t128 !=  *((intOrPtr*)(_t198 - 0x18))) goto 0x2705a60d;
				asm("lock inc ecx");
				 *((long long*)(_t191 + 0x60)) = _t198 - 0x18 + 0x18;
				_t199 =  *((intOrPtr*)(__rdx + 0x68));
				_t131 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t199 - 0x18)))) + 0x20));
				_a16 = _t131;
				if (_t131 != E00007FF77FF727054340) goto 0x2705a664;
				E00007FF77FF727054340(_t83,  *((intOrPtr*)(_t199 - 0x18)));
				_a16 = _t131;
				if ( *((intOrPtr*)(_t199 - 8)) < 0) goto 0x2705a67e;
				if (_t131 !=  *((intOrPtr*)(_t199 - 0x18))) goto 0x2705a67e;
				asm("lock inc ecx");
				 *((long long*)(_t191 + 0x68)) = _t199 - 0x18 + 0x18;
				_t133 =  *0x270600b8; // 0x7ff727056180
				_t46 = _t133 + 0x18; // 0x7ff7270529f0
				E00007FF77FF7270634F0();
				 *((long long*)( *_t46))();
				 *((long long*)(_t191 + 0x70)) = _t133 + 0x18;
				if ( *(__rdx + 0x4c) == 0) goto 0x27052cfe;
				if (IsValidSid(_t196) == 0) goto 0x27056ede;
				GetLengthSid(_t194);
				if (CopySid(??, ??, ??) == 0) goto 0x2705a6d5;
				 *((intOrPtr*)(_t140 + 0x80)) = 0x200ffff;
				 *((char*)(_t140 + 0x84)) = 0;
				 *(_t140 + 0x88) = _t194;
				 *_t140 = 0x27056890;
				 *((char*)(_t140 + 0x90)) = 1;
				_v72 = _t140;
				if (_t140 == 0) goto 0x27056ef7;
				_t179 =  *((intOrPtr*)(__rcx + 0x20));
				_t136 =  *((intOrPtr*)(__rcx + 0x28));
				if (_t179 - _t136 < 0) goto 0x27052dd4;
				_t60 = _t179 + 1; // 0x2010000
				_t155 = _t60;
				if (_t155 - _t136 <= 0) goto 0x27052dd4;
				if ( *(__rcx + 0x18) == 0) goto 0x27052e21;
				if ( *((intOrPtr*)(__rcx + 0x30)) != 0) goto 0x27052d7d;
				_t186 = _t155 - _t136;
				if (_t186 - _t136 >> 1 <= 0) goto 0x27052d7d;
				if (_t155 - _t136 + _t186 < 0) goto 0x27052d89;
				_t89 = calloc(_t190);
				if (_t136 == 0) goto 0x27056f02;
				__imp__memmove_s();
				if (_t89 != 0) goto 0x2705a6fa;
				free(_t168);
				 *(__rcx + 0x18) = _t136;
				 *((long long*)(__rcx + 0x28)) = _t155;
				_t159 =  *(__rcx + 0x18) + _t179 * 8;
				if (_t159 == 0) goto 0x27052dea;
				 *_t159 = _t140;
				 *((long long*)(__rcx + 0x20)) =  *((long long*)(__rcx + 0x20)) + 1;
				free(??);
				 *(__rcx + 8) = _t194;
				if (_t194 != 0) goto 0x2705a736;
				return 1;
			}

0x7ff727052af0
0x7ff727052af0
0x7ff727052af3
0x7ff727052b04
0x7ff727052b0c
0x7ff727052b10
0x7ff727052b1e
0x7ff727052b24
0x7ff727052b30
0x7ff727052b3a
0x7ff727052b40
0x7ff727052b43
0x7ff727052b4d
0x7ff727052b52
0x7ff727052b55
0x7ff727052b5d
0x7ff727052b6a
0x7ff727052b6d
0x7ff727052b6d
0x7ff727052b71
0x7ff727052b7d
0x7ff727052b86
0x7ff727052b8f
0x7ff727052b94
0x7ff727052b9f
0x7ff727052ba3
0x7ff727052bb2
0x7ff727052bbb
0x7ff727052bc0
0x7ff727052bca
0x7ff727052bd4
0x7ff727052bde
0x7ff727052be7
0x7ff727052bec
0x7ff727052bf7
0x7ff727052bfb
0x7ff727052c0a
0x7ff727052c13
0x7ff727052c18
0x7ff727052c22
0x7ff727052c2c
0x7ff727052c36
0x7ff727052c3f
0x7ff727052c44
0x7ff727052c4f
0x7ff727052c53
0x7ff727052c62
0x7ff727052c6b
0x7ff727052c70
0x7ff727052c7a
0x7ff727052c84
0x7ff727052c8e
0x7ff727052c97
0x7ff727052c9c
0x7ff727052ca3
0x7ff727052caa
0x7ff727052cb7
0x7ff727052cbd
0x7ff727052cc7
0x7ff727052cd5
0x7ff727052cdf
0x7ff727052cf8
0x7ff727052cfe
0x7ff727052d08
0x7ff727052d0f
0x7ff727052d1d
0x7ff727052d20
0x7ff727052d27
0x7ff727052d2f
0x7ff727052d35
0x7ff727052d39
0x7ff727052d40
0x7ff727052d46
0x7ff727052d46
0x7ff727052d4d
0x7ff727052d5a
0x7ff727052d67
0x7ff727052d72
0x7ff727052d78
0x7ff727052d84
0x7ff727052d91
0x7ff727052d9d
0x7ff727052db4
0x7ff727052dbc
0x7ff727052dc6
0x7ff727052dcc
0x7ff727052dd0
0x7ff727052dd8
0x7ff727052ddf
0x7ff727052de7
0x7ff727052dea
0x7ff727052df2
0x7ff727052df8
0x7ff727052dff
0x7ff727052e20

APIs

IsValidSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727052B28

Part of subcall function 00007FF7270527D0: malloc.MSVCRT ref: 00007FF7270527DC

IsValidSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727052CCD
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727052CDF
CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727052CF0
calloc.MSVCRT ref: 00007FF727052D91
memmove_s.MSVCRT ref: 00007FF727052DB4
free.MSVCRT ref: 00007FF727052DC6
free.MSVCRT ref: 00007FF727052DF2
calloc.MSVCRT ref: 00007FF727052E35
memcpy_s.MSVCRT ref: 00007FF72705A5E7
memcpy_s.MSVCRT ref: 00007FF72705A658
memcpy_s.MSVCRT ref: 00007FF72705A6C9

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: memcpy_s$Validcallocfree$CopyLengthmallocmemmove_s
String ID:
API String ID: 59429654-0
Opcode ID: cfff7b2db95a2e435b477088e8f915c6065f26d53b4cb1adb12b557fcb09c69e
Instruction ID: de856cd336d696ff89542d107a307ef3167a0db2b36c1fc4e8fa6f619435063e
Opcode Fuzzy Hash: cfff7b2db95a2e435b477088e8f915c6065f26d53b4cb1adb12b557fcb09c69e
Instruction Fuzzy Hash: B3F19375B09B4682EA20EB11E95427DB7A0FB4AB84FD04035CA5E87761DF3CE44ECB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727051F00 Relevance: 10.7, APIs: 7, Instructions: 216
threadcomCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E00007FF77FF727051F00(void* __eax, long long __rbx, intOrPtr* __rcx, int _a8, void* _a16, void* _a24, void* _a32) {
				long long _v104;
				int _t33;
				int _t64;
				void* _t72;
				intOrPtr* _t75;
				intOrPtr* _t76;
				intOrPtr* _t85;
				intOrPtr* _t86;
				intOrPtr _t89;
				long long _t111;
				void* _t112;

				_t72 = _t112;
				 *((long long*)(_t72 - 0x48)) = 0xfffffffe;
				 *((long long*)(_t72 + 0x20)) = __rbx;
				 *((long long*)(_t72 + 0x10)) = _t111;
				_t89 =  *0x27060048; // 0x7ff727060048
				if (_t89 == 0x27060048) goto 0x27051f40;
				if (( *(_t89 + 0x1c) & 0x00000004) != 0) goto 0x270595ac;
				if ( *((char*)(__rcx + 0x30)) == 0) goto 0x270595ca;
				r8d = 5;
				_v104 = __rcx + 0x48;
				__imp__CoCreateInstance();
				if (__eax < 0) goto 0x270596a8;
				if ( *((intOrPtr*)( *__rcx)) != E00007FF77FF7270521B0) goto 0x270595d5;
				if (E00007FF77FF7270521B0(__rcx, 0x27056248,  &_a16) < 0) goto 0x270596a8;
				_t75 =  *0x27060048; // 0x7ff727060048
				if (_t75 == 0x27060048) goto 0x27051fc4;
				if (( *(_t75 + 0x1c) & 0x00000004) != 0) goto 0x270595f8;
				GetCurrentThread();
				_t33 = GetThreadPriority(??);
				_a8 = _t33;
				if (_t33 == 0x7fffffff) goto 0x27051ffe;
				GetCurrentThread();
				_t64 = SetThreadPriority(??, ??);
				if (_t64 == 0) goto 0x27059640;
				asm("lock dec eax");
				_a24 = _t75;
				if (_t64 == 0) goto 0x27052028;
				_t76 =  *_t75;
				E00007FF77FF7270634F0();
				 *((long long*)( *((intOrPtr*)(_t76 + 8))))();
				if ( *((char*)(__rcx + 0x30)) == 0) goto 0x27059650;
				asm("lock dec eax");
				if ( *((intOrPtr*)(__rcx + 0x38)) == 0) goto 0x27056cea;
				E00007FF77FF7270634F0();
				 *((long long*)( *((intOrPtr*)( *_t76 + 0x18))))();
				_t85 = _a24;
				if (_t85 == 0) goto 0x27052092;
				E00007FF77FF7270634F0();
				 *((long long*)( *((intOrPtr*)( *_t85 + 0x10))))();
				if (_a8 == 0x7fffffff) goto 0x270520b2;
				GetCurrentThread();
				SetThreadPriority(??, ??);
				if (0 < 0) goto 0x270596a8;
				_t86 = _a16;
				if (_t86 == 0) goto 0x270520e8;
				if ( *((intOrPtr*)( *_t86 + 0x10)) != 0x7ff727051010) goto 0x270596f4;
				E00007FF77FF727051010(_a8, _t86, _t86);
				return 0;
			}

0x7ff727051f00
0x7ff727051f0e
0x7ff727051f16
0x7ff727051f1f
0x7ff727051f2a
0x7ff727051f34
0x7ff727051f3a
0x7ff727051f45
0x7ff727051f4b
0x7ff727051f59
0x7ff727051f67
0x7ff727051f71
0x7ff727051f87
0x7ff727051fa8
0x7ff727051fae
0x7ff727051fb8
0x7ff727051fbe
0x7ff727051fc8
0x7ff727051fd1
0x7ff727051fd7
0x7ff727051fe3
0x7ff727051fe5
0x7ff727051ff6
0x7ff727051ff8
0x7ff727052000
0x7ff727052008
0x7ff727052010
0x7ff727052012
0x7ff72705201c
0x7ff727052025
0x7ff72705202d
0x7ff727052035
0x7ff727052044
0x7ff727052057
0x7ff72705206b
0x7ff72705206f
0x7ff72705207a
0x7ff727052086
0x7ff72705208f
0x7ff72705209f
0x7ff7270520a1
0x7ff7270520ac
0x7ff7270520b4
0x7ff7270520bc
0x7ff7270520c7
0x7ff7270520da
0x7ff7270520e3
0x7ff7270520fd

APIs

CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-1 ref: 00007FF727051F67
GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF727051FC8
GetThreadPriority.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF727051FD1
GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF727051FE5
SetThreadPriority.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF727051FF0
GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF7270520A1
SetThreadPriority.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF7270520AC

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: Thread$CurrentPriority$CreateInstance
String ID:
API String ID: 2644264478-0
Opcode ID: 462dc9f54012bd26468d86e5c41990ce37e4a8aa9b33711e60f9a74216972750
Instruction ID: 40d2a5fab29f898ee02e5c0fdace10335f2ec81ba9ed839db57d4a819e55ec60
Opcode Fuzzy Hash: 462dc9f54012bd26468d86e5c41990ce37e4a8aa9b33711e60f9a74216972750
Instruction Fuzzy Hash: 4A915161B09A4281EA70AB12DE50279A394FF8AB94FC84135CA5DC77A5CF3CE44BCB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727052990 Relevance: 9.0, APIs: 6, Instructions: 48
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF727052990(long long __rbx, signed long long _a16, long long _a32) {

				_a32 = __rbx;
				_a16 = _a16 & 0x00000000;
			}

0x7ff727052990
0x7ff7270529a4

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-2-1 ref: 00007FF72705714A
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF727057158
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF727057164
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-2-1 ref: 00007FF727057170
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-2-1 ref: 00007FF727057180
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0 ref: 00007FF72705719B

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: 2a83857fe1aaf7985dcacf044db5b974994c803de38796a7e7c590b44d2171aa
Instruction ID: 9342f706e6c79a0736d1b771f98abaa541b796f95573ddda585b557acc6b6248
Opcode Fuzzy Hash: 2a83857fe1aaf7985dcacf044db5b974994c803de38796a7e7c590b44d2171aa
Instruction Fuzzy Hash: 7C115132705F428BEB20DF24ED5416873A4FB0A758F445A34EA6D87754DF3CD1698790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72705C63C Relevance: 6.4, APIs: 5, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72705C8C8: memcpy_s.MSVCRT ref: 00007FF72705C8FE
Part of subcall function 00007FF72705C8C8: free.MSVCRT(?,?,?,00007FF72705C7F9,?,?,00000000,00007FF72705C9A1,?,?,?,00007FF72705B2EA), ref: 00007FF72705C907

_CxxThrowException.MSVCRT ref: 00007FF72705C65B

Part of subcall function 00007FF72705B340: ??0exception@@QEAA@AEBV0@@Z.MSVCRT ref: 00007FF72705B349

_CxxThrowException.MSVCRT ref: 00007FF72705C6AD
_CxxThrowException.MSVCRT ref: 00007FF72705C6EC

Part of subcall function 00007FF72705B444: ??0exception@@QEAA@AEBV0@@Z.MSVCRT ref: 00007FF72705B462

_CxxThrowException.MSVCRT ref: 00007FF72705C72C
_CxxThrowException.MSVCRT ref: 00007FF72705C78C

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: ExceptionThrow$??0exception@@V0@@$freememcpy_s
String ID:
API String ID: 1571379330-0
Opcode ID: 4a5868237c6bd5104f25386642c84c83242381499985b087514514544df2989b
Instruction ID: a339b109bb9b56cc6363228ae70d437a050459574b693f1557ad009dbd906b9e
Opcode Fuzzy Hash: 4a5868237c6bd5104f25386642c84c83242381499985b087514514544df2989b
Instruction Fuzzy Hash: E7218562618A8555EB21FB21DC510A9A330FF96784FD45532D98CC77A6DE2CE50ECB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727063300 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f7131abe61e012e94f6f523dfb2346a141b443532202b94151a2857b21ca6a
Instruction ID: c6f2d854964efa3b1db8fae23ff293552f4cf09a02bff01497eedf595a071b51
Opcode Fuzzy Hash: 14f7131abe61e012e94f6f523dfb2346a141b443532202b94151a2857b21ca6a
Instruction Fuzzy Hash: 51F0EC4790EBD50AF76397645D36029BF60DB92900B9E82ABC69082183ED0C681A96E2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727053AD0 Relevance: 24.2, APIs: 16, Instructions: 224
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00007FF77FF727053AD0(long long __rbx, intOrPtr* __rcx, long long __rsi) {
				short _t22;
				long _t27;
				int _t51;
				long long _t58;
				void* _t60;

				 *((long long*)(_t60 + 8)) = __rbx;
				 *((long long*)(_t60 + 0x10)) = _t58;
				 *((long long*)(_t60 + 0x18)) = __rsi;
				if ( *((long long*)(__rcx + 0x88)) != 0) goto 0x27053b9c;
				if ( *((intOrPtr*)( *__rcx + 0x10)) != 0x7ff727053ab0) goto 0x2705a2fc;
				_t22 = E00007FF77FF727053AB0(0x7ff727053ab0, __rcx);
				malloc(_t51);
				if (0x7ff727053ab0 == 0) goto 0x27056ec5;
				r8d = _t22;
				0x27051880();
				 *0x7FF727053AB2 = _t22;
				 *0x7FF727053AB1 =  *(__rcx + 0x84) & 0x000000ff;
				if ( *((intOrPtr*)( *__rcx + 0x18)) != E00007FF77FF727053BC0) goto 0x2705a310;
				 *((char*)(0x7ff727053ab0)) = E00007FF77FF727053BC0(__rcx);
				 *0x7FF727053AB4 =  *((intOrPtr*)(__rcx + 0x80));
				_t27 = GetLengthSid(??);
				r9d = _t27;
				__imp__memcpy_s();
				if (_t27 != 0) goto 0x2705a324;
				 *((long long*)(__rcx + 0x88)) = 0x7ff727053ab0;
				return _t27;
			}

0x7ff727053ad0
0x7ff727053ad5
0x7ff727053ada
0x7ff727053aef
0x7ff727053b06
0x7ff727053b0c
0x7ff727053b17
0x7ff727053b23
0x7ff727053b29
0x7ff727053b31
0x7ff727053b36
0x7ff727053b41
0x7ff727053b55
0x7ff727053b63
0x7ff727053b6f
0x7ff727053b72
0x7ff727053b84
0x7ff727053b87
0x7ff727053b8f
0x7ff727053b95
0x7ff727053bb7

APIs

Part of subcall function 00007FF727053AB0: GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053AB8

malloc.MSVCRT ref: 00007FF727053B17
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053B72
memcpy_s.MSVCRT ref: 00007FF727053B87
MakeAbsoluteSD.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF72705A3AF
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00007FF72705A3B5
malloc.MSVCRT ref: 00007FF72705A3D1
malloc.MSVCRT ref: 00007FF72705A3FB
malloc.MSVCRT ref: 00007FF72705A425
malloc.MSVCRT ref: 00007FF72705A452
malloc.MSVCRT ref: 00007FF72705A477

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: malloc$Length$AbsoluteErrorLastMakememcpy_s
String ID:
API String ID: 1574620905-0
Opcode ID: 128663c384b2cadb163b47f000aacea77f39c9da7dd3bfe318e98322c48cbddf
Instruction ID: 467cf7373a6565467fe3b710446c21b2dd6a41772bec0ddf0e214b2a015e8066
Opcode Fuzzy Hash: 128663c384b2cadb163b47f000aacea77f39c9da7dd3bfe318e98322c48cbddf
Instruction Fuzzy Hash: 75A1D431A0974285EB24AF21E964269B3A4FF8AB48FD04439EA5DC3B55DF3CD40ECB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727052870 Relevance: 21.2, APIs: 14, Instructions: 169COMMON

Download Yara Rule

APIs

GetSecurityDescriptorControl.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF7270528A1
MakeAbsoluteSD.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF72705A3AF
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00007FF72705A3B5
malloc.MSVCRT ref: 00007FF72705A3D1
malloc.MSVCRT ref: 00007FF72705A3FB
malloc.MSVCRT ref: 00007FF72705A425
malloc.MSVCRT ref: 00007FF72705A452
malloc.MSVCRT ref: 00007FF72705A477

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: malloc$AbsoluteControlDescriptorErrorLastMakeSecurity
String ID:
API String ID: 2710855330-0
Opcode ID: 814fb4b289b05f495af1d633d9e06ea289738d4254567ef7b106fa8c060c37c0
Instruction ID: 6e44b65c2831f3f8169149dcf40a6764bbf608b2a6d824ba67dbe6d799f0d038
Opcode Fuzzy Hash: 814fb4b289b05f495af1d633d9e06ea289738d4254567ef7b106fa8c060c37c0
Instruction Fuzzy Hash: F171A735609B4285E724AF21E950269B3E4FF8AB48F904039EA5D87B58DF3CD41DCF54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727053BE0 Relevance: 15.1, APIs: 10, Instructions: 55COMMON

Download Yara Rule

APIs

GetSecurityDescriptorControl.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053C0C
GetSecurityDescriptorOwner.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053C38
free.MSVCRT ref: 00007FF727053C43
GetSecurityDescriptorGroup.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053C57
free.MSVCRT ref: 00007FF727053C62
GetSecurityDescriptorDacl.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053C7B
free.MSVCRT ref: 00007FF727053C8C
GetSecurityDescriptorSacl.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053CA5
free.MSVCRT ref: 00007FF727053CB9

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: DescriptorSecurity$free$ControlDaclGroupOwnerSacl
String ID:
API String ID: 1980401866-0
Opcode ID: d1ce11732459518ce842fd8645c3bcd9668bc9fc2c041ffad75ee8fc2d21c9ca
Instruction ID: 5dd9face434561443c86e2081fde79b07d3ce2b91ceb8ae99bb9305d7ff0783f
Opcode Fuzzy Hash: d1ce11732459518ce842fd8645c3bcd9668bc9fc2c041ffad75ee8fc2d21c9ca
Instruction Fuzzy Hash: E321017260CA46D2EB20AF15E950469E760FBC1B88F844036E69D87538CF3CD54ECF90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7270519C0 Relevance: 13.6, APIs: 9, Instructions: 104COMMON

Download Yara Rule

APIs

DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF727051A1B
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF727051A36
SysFreeString.OLEAUT32 ref: 00007FF727051A6C
free.MSVCRT ref: 00007FF727051A85
SysFreeString.OLEAUT32 ref: 00007FF727051AAA
free.MSVCRT ref: 00007FF727051AC3
free.MSVCRT ref: 00007FF727051AD5

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: free$FreeString$CloseCriticalDeleteHandleSection
String ID:
API String ID: 2114342367-0
Opcode ID: 26cee22e88891523054d0075bb7497bdc0d86be37ff2cccba9db60dd90f77396
Instruction ID: c036bd1f80fa71030e2a98552b3fb71c544e3f9d8f65f0005ce40b3255d19a53
Opcode Fuzzy Hash: 26cee22e88891523054d0075bb7497bdc0d86be37ff2cccba9db60dd90f77396
Instruction Fuzzy Hash: 67418425A09B4191EA36AF11EA50178F3A4FF46BA4FD84135CE5D87690CF3CE85BCB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727051070 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 214threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF72705110D
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF72705113B
NdrClientCall3.RPCRT4 ref: 00007FF727051183
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF7270511AD

Strings

HandleFailedStart, xrefs: 00007FF727057500

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: CriticalSection$Call3ClientCurrentEnterLeaveThread
String ID: HandleFailedStart
API String ID: 2706058134-1580826537
Opcode ID: 94558726a2ea051febf14c35812bd19eefb2c0949a6e1d2a5a60e3d42e274425
Instruction ID: a987a258587f1aaa6e274546c2e456561439decffcb5bf9fa6c1dc8bc26d4352
Opcode Fuzzy Hash: 94558726a2ea051febf14c35812bd19eefb2c0949a6e1d2a5a60e3d42e274425
Instruction Fuzzy Hash: 6EA18E61A0C64286E631AB01EE50679A7A4FB46744FD04539DA1DC77A0CF7CE94FCF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727054730 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF7270547AE
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF7270547BC

Strings

LateShutdown, xrefs: 00007FF72705AAC3
EarlyShutdown, xrefs: 00007FF72705AACC

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: EarlyShutdown$LateShutdown
API String ID: 17069307-2627945720
Opcode ID: fab6c23a3edd9314ec9a0f0e38d67e9f49448bccf6ceb33c381bb9f5d6a53699
Instruction ID: f7149f66d63333193e4fe3b6242fd63eb945f03aefcf01fd61c3eb6657af8830
Opcode Fuzzy Hash: fab6c23a3edd9314ec9a0f0e38d67e9f49448bccf6ceb33c381bb9f5d6a53699
Instruction Fuzzy Hash: 9F419E61E08A0782FA30BB119E54679A395FF46760FD40239DA1DC32D1DE7CE84E8BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727055528 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114threadsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF72705559F
GetExitCodeThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF7270555B9
CreateThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF727055571

Part of subcall function 00007FF7270555F0: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF727055606

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00007FF727057BA9
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00007FF727057C13

Strings

Stop, xrefs: 00007FF727057B94, 00007FF727057BFE

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: ErrorLastThread$CloseCodeCreateExitHandleObjectSingleWait
String ID: Stop
API String ID: 706134345-426031496
Opcode ID: 8fdb64e4e793c00225a158522177145529f0c5542d4b93ffd18f0c7fe91b6810
Instruction ID: 7e9cd6472894d234e4c10ff1ebeddc598dd85bd4a1529c7b5aeeaffbddb83ea9
Opcode Fuzzy Hash: 8fdb64e4e793c00225a158522177145529f0c5542d4b93ffd18f0c7fe91b6810
Instruction Fuzzy Hash: 9941C061A0874342F730AB25DE902BEA292FF46714FD44139DA1DC62A1CF2CF44F8E60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7270586D0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 00007FF727058722
RtlLookupFunctionEntry.API-MS-WIN-CORE-RTLSUPPORT-L1-2-0 ref: 00007FF7270587B1
RtlVirtualUnwind.API-MS-WIN-CORE-RTLSUPPORT-L1-2-0 ref: 00007FF7270587ED
OutputDebugStringA.API-MS-WIN-CORE-DEBUG-L1-1-1 ref: 00007FF72705881C

Strings

Invalid parameter passed to C runtime function., xrefs: 00007FF727058815
invalid string position, xrefs: 00007FF727058728, 00007FF7270586F2

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: DebugEntryExceptionFunctionLookupOutputStringThrowUnwindVirtual
String ID: Invalid parameter passed to C runtime function.$invalid string position
API String ID: 844122916-530223239
Opcode ID: 3b30bb3e000f68929c4176f08f6e2796855bd448f7c2e56f68c3744a4a7b5b3d
Instruction ID: 38bdc1e3890db6e7acf4fb92a58780c9865c622a110eb209cde5fbcc044d64ef
Opcode Fuzzy Hash: 3b30bb3e000f68929c4176f08f6e2796855bd448f7c2e56f68c3744a4a7b5b3d
Instruction Fuzzy Hash: BF31C46261CB8282EB31AB14ED513AAB760FB86754FC04135D69D836E5DE2CD14ECF14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727053FC0 Relevance: 9.3, APIs: 6, Instructions: 274COMMON

Download Yara Rule

APIs

GetSidLengthRequired.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF7270540B5
InitializeSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF7270540D5
GetSidSubAuthority.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727054107
IsValidSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727054122
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727054135
CopySid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727054154

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: Length$AuthorityCopyInitializeRequiredValid
String ID:
API String ID: 4248086415-0
Opcode ID: 804572b8e83990e6a22d2fb1e0844df068e3056248f56f763e389b72c4588887
Instruction ID: f1312d828b568d25d496a5bd82e908dc1d8ab7ad8d8ef01e9351188f8b93da13
Opcode Fuzzy Hash: 804572b8e83990e6a22d2fb1e0844df068e3056248f56f763e389b72c4588887
Instruction Fuzzy Hash: 1CB1A421B08B4681EA20EB11ED24279E761FB86B94FC44135D95E877A5CF3CE44FCB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72705AFA0 Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetTraceLoggerHandle.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FF72705AFCE
GetTraceEnableLevel.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FF72705AFDA
GetTraceEnableFlags.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FF72705AFE3
GetTraceLoggerHandle.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FF72705AFF7
GetTraceEnableLevel.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FF72705B003
GetTraceEnableFlags.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FF72705B00F

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: Trace$Enable$FlagsHandleLevelLogger
String ID:
API String ID: 1786651112-0
Opcode ID: f2c8a191aa848ca77c915c392027f01dc258afde8c7e6bf6f747595e8cb3a659
Instruction ID: eefd705ef21f168c44e9543987fdb5d887b8bfa3e19d28d426dba3433b92a27b
Opcode Fuzzy Hash: f2c8a191aa848ca77c915c392027f01dc258afde8c7e6bf6f747595e8cb3a659
Instruction Fuzzy Hash: D0117B62B0864182EB68AF26AE14639E690FF46B95FC44435CA1FC7754CE3CD15E8B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72705D2C8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
threadtimeCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00007FF77FF72705D2C8(void* __eax, signed long long* __rcx) {
				intOrPtr _v24;
				signed int _v32;
				intOrPtr _v40;
				long _t16;
				intOrPtr _t29;
				intOrPtr _t33;

				 *__rcx =  *__rcx & 0x00000000;
				__rcx[1] = __rcx[1] & 0x00000000;
				__imp__CoEnableCallCancellation();
				if (__eax >= 0) goto 0x2705d305;
				_t33 =  *0x27060048; // 0x7ff727060048
				if (_t33 == 0x27060048) goto 0x2705d373;
				if (( *(_t33 + 0x1c) & 0x00000001) == 0) goto 0x2705d373;
				goto 0x2705d367;
				_t16 = GetCurrentThreadId();
				_v24 = 8;
				_v32 = _v32 & 0x00000000;
				__rcx[1] = _t16;
				_v40 = 0xea60;
				__imp__CreateTimerQueueTimer();
				if (_t16 != 0) goto 0x2705d373;
				_t29 =  *0x27060048; // 0x7ff727060048
				if (_t29 == 0x27060048) goto 0x2705d373;
				if (( *(_t29 + 0x1c) & 0x00000001) == 0) goto 0x2705d373;
				r9d = GetLastError();
				return E00007FF77FF72705D3FC(_t17, 0xb);
			}

0x7ff72705d2ce
0x7ff72705d2d2
0x7ff72705d2db
0x7ff72705d2e3
0x7ff72705d2e5
0x7ff72705d2f6
0x7ff72705d2fc
0x7ff72705d303
0x7ff72705d305
0x7ff72705d30b
0x7ff72705d313
0x7ff72705d327
0x7ff72705d32a
0x7ff72705d332
0x7ff72705d33a
0x7ff72705d33c
0x7ff72705d34d
0x7ff72705d353
0x7ff72705d36b
0x7ff72705d37b

APIs

CoEnableCallCancellation.API-MS-WIN-CORE-COM-L1-1-1 ref: 00007FF72705D2DB
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF72705D305
CreateTimerQueueTimer.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0 ref: 00007FF72705D332
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00007FF72705D355

Strings

`, xrefs: 00007FF72705D32A

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: Timer$CallCancellationCreateCurrentEnableErrorLastQueueThread
String ID: `
API String ID: 2043324556-1850852036
Opcode ID: f2cc9717673ad296f85767df8cd3504ba1dfbb88464597fa2ce8269f4ecd0266
Instruction ID: b666761baf84c252445d18b72f5523fae095cd6ffcb8ed9a549b26250d2f231b
Opcode Fuzzy Hash: f2cc9717673ad296f85767df8cd3504ba1dfbb88464597fa2ce8269f4ecd0266
Instruction Fuzzy Hash: D51184A1B0864282FB60AF12DD94738A291FB46B48FD48435C95DC6260CF7DE18F8F64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF727058770 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E00007FF77FF727058770() {
				char _v0;
				signed int _v24;
				long long _v1008;
				long long _v1104;
				char _v1256;
				char _v1272;
				char _v1280;
				void* _v1288;
				signed long long _v1296;
				long long _v1304;
				long long _v1312;
				long long _v1320;
				void* _t19;
				signed long long _t24;
				signed long long _t25;
				CHAR* _t28;
				void* _t41;

				goto 0x27058778;
				_t42 = _t41 - 0x540;
				_t24 =  *0x270600e8; // 0x2df664ba1f6a
				_t25 = _t24 ^ _t41 - 0x00000540;
				_v24 = _t25;
				__imp__RtlCaptureContext();
				r8d = 0;
				__imp__RtlLookupFunctionEntry();
				if (_t25 == 0) goto 0x270587f5;
				_v1296 = _v1296 & 0x00000000;
				_v1304 =  &_v1280;
				_v1312 =  &_v1272;
				_v1320 =  &_v1256;
				__imp__RtlVirtualUnwind();
				goto 0x27058815;
				_v1008 = _v0;
				_v1104 =  &_v0;
				OutputDebugStringA(_t28);
				return E00007FF77FF727051700(_t19, 0, _v24 ^ _t42);
			}

0x7ff727058770
0x7ff72705877a
0x7ff727058781
0x7ff727058788
0x7ff72705878b
0x7ff727058798
0x7ff7270587ae
0x7ff7270587b1
0x7ff7270587ba
0x7ff7270587bc
0x7ff7270587cc
0x7ff7270587d9
0x7ff7270587e6
0x7ff7270587ed
0x7ff7270587f3
0x7ff7270587fd
0x7ff72705880d
0x7ff72705881c
0x7ff72705883a

APIs

RtlCaptureContext.API-MS-WIN-CORE-RTLSUPPORT-L1-2-0 ref: 00007FF727058798
RtlLookupFunctionEntry.API-MS-WIN-CORE-RTLSUPPORT-L1-2-0 ref: 00007FF7270587B1
RtlVirtualUnwind.API-MS-WIN-CORE-RTLSUPPORT-L1-2-0 ref: 00007FF7270587ED
OutputDebugStringA.API-MS-WIN-CORE-DEBUG-L1-1-1 ref: 00007FF72705881C

Strings

Invalid parameter passed to C runtime function., xrefs: 00007FF727058815

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: CaptureContextDebugEntryFunctionLookupOutputStringUnwindVirtual
String ID: Invalid parameter passed to C runtime function.
API String ID: 711593133-455672764
Opcode ID: 980cee685a8012c58f610db6bc644cd012abf05b2a4eda542e1f777815010118
Instruction ID: d3b88dc90985db8c7191fe5f3c773cc5ba498d5c5246ee41aaa533941ade3f73
Opcode Fuzzy Hash: 980cee685a8012c58f610db6bc644cd012abf05b2a4eda542e1f777815010118
Instruction Fuzzy Hash: B5113032618A8682EA60AB11F8A13BAE360FB89745FC05135DA8E82694DF3CD14DCF10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72705BE00 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00007FF77FF72705BE00(void* __ecx, void* __rdx) {
				int _t2;
				void* _t15;

				_t2 = IsDebuggerPresent();
				if (_t2 != 0) goto 0x2705be1b;
				if ( *0x7ffe02d4 == _t2) goto 0x2705be42;
				_t15 =  ==  ? L"ComTaskMgrWnd::ShutdownTasksThreadProc" : L"ComTaskHost::StartTaskWorker or ComTaskHost::StopTaskWorker";
				__imp__DbgPrintEx();
				asm("int3");
				return _t2;
			}

0x7ff72705be08
0x7ff72705be10
0x7ff72705be19
0x7ff72705be2b
0x7ff72705be3b
0x7ff72705be41
0x7ff72705be47

APIs

IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-1 ref: 00007FF72705BE08
DbgPrintEx.NTDLL ref: 00007FF72705BE3B

Strings

ComTaskMgrWnd::ShutdownTasksThreadProc, xrefs: 00007FF72705BE1B
================================================================================================WARNING: A possible task hung was detected for a COM-based scheduled task!The likely culprit task is stuck on the same stack with %S.This break is recoverable. , xrefs: 00007FF72705BE31
ComTaskHost::StartTaskWorker or ComTaskHost::StopTaskWorker, xrefs: 00007FF72705BE22

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: DebuggerPresentPrint
String ID: ================================================================================================WARNING: A possible task hung was detected for a COM-based scheduled task!The likely culprit task is stuck on the same stack with %S.This break is recoverable. $ComTaskHost::StartTaskWorker or ComTaskHost::StopTaskWorker$ComTaskMgrWnd::ShutdownTasksThreadProc
API String ID: 960733757-1597285619
Opcode ID: 38c9bbb6cbb9ef80c38ec424c89e00ecd6bace5087496ade64811bcd1d69629e
Instruction ID: 4bb0afeea2dff86cc1c595e4ecc61e16aa84cbfce8253cca288b83cb2d298665
Opcode Fuzzy Hash: 38c9bbb6cbb9ef80c38ec424c89e00ecd6bace5087496ade64811bcd1d69629e
Instruction Fuzzy Hash: 35E06DA1E0464B96F735ABA1AE801B1A351FB15708FC88039C10983161DE78B59FCB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7270538F0 Relevance: 7.7, APIs: 5, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00007FF77FF7270538F0(void* __ebx, long long __rbx, intOrPtr* __rcx, long long __rsi, long long __rbp, long long _a8, long long _a16, long long _a24) {
				intOrPtr _v56;
				void* __rdi;
				void* __r14;
				void* __r15;
				void* _t24;
				int _t33;
				long long _t66;
				long long _t67;
				intOrPtr* _t70;
				long long _t76;
				intOrPtr* _t90;
				void* _t106;

				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t76 = __rcx;
				if ( *((long long*)(__rcx + 8)) != 0) goto 0x27053a81;
				if ( *((char*)(__rcx + 0x10)) != 0) goto 0x27053a81;
				if ( *((intOrPtr*)( *__rcx + 8)) != E00007FF77FF727053CE0) goto 0x2705a226;
				_t24 = E00007FF77FF727053CE0(__rcx);
				r15d = _t24;
				if (_t24 == 0) goto 0x2705399f;
				_t66 =  *__rcx;
				if ( *((intOrPtr*)(_t66 + 0x20)) != 0x7ff727052840) goto 0x2705a23a;
				E00007FF77FF727052840(0, _t66, __rcx);
				if (_t66 == 0) goto 0x27053998;
				_t67 =  *_t66;
				if ( *((intOrPtr*)(_t67 + 0x10)) != E00007FF77FF727053AB0) goto 0x2705a250;
				E00007FF77FF727053AB0(_t67, _t66);
				if (1 - r15d < 0) goto 0x2705395c;
				malloc(??);
				 *((long long*)(__rcx + 8)) = _t67;
				if (_t67 == 0) goto 0x27056eaf;
				r8d =  *(__rcx + 0x14);
				if (InitializeAcl(??, ??, ??) == 0) goto 0x2705a265;
				if ( *((intOrPtr*)( *__rcx + 0x28)) != 0x7ff727053000) goto 0x2705a286;
				E00007FF77FF727053000(__rcx,  *((intOrPtr*)( *__rcx + 0x28)), _t66, __rbp,  *((intOrPtr*)(_t67 + 0x10)), _t106);
				if (r15d == 0) goto 0x27053a81;
				_t70 =  *_t76;
				if ( *((intOrPtr*)(_t70 + 0x20)) != 0x7ff727052840) goto 0x2705a29a;
				E00007FF77FF727052840(0, _t70, _t76);
				_t90 = _t70;
				if (_t70 == 0) goto 0x2705a2d8;
				if ( *((intOrPtr*)( *_t70 + 0x10)) != E00007FF77FF727053AB0) goto 0x2705a2b0;
				r14d = E00007FF77FF727053AB0( *_t70, _t90);
				if ( *((intOrPtr*)( *_t90 + 8)) != E00007FF77FF727053AD0) goto 0x2705a2c4;
				E00007FF77FF727053AD0(_t76, _t90, _t66);
				r8d = r8d | 0xffffffff;
				_v56 = r14d;
				_t33 = AddAce(??, ??, ??, ??, ??);
				if (_t33 == 0) goto 0x2705a2d8;
				if (1 - r15d < 0) goto 0x270539f5;
				return _t33;
			}

0x7ff7270538f0
0x7ff7270538f5
0x7ff7270538fa
0x7ff727053911
0x7ff727053914
0x7ff72705391e
0x7ff72705393a
0x7ff727053940
0x7ff727053947
0x7ff72705395a
0x7ff72705395c
0x7ff727053966
0x7ff727053971
0x7ff72705397c
0x7ff72705397e
0x7ff727053988
0x7ff727053991
0x7ff72705399d
0x7ff7270539a1
0x7ff7270539a7
0x7ff7270539ae
0x7ff7270539b4
0x7ff7270539c5
0x7ff7270539dc
0x7ff7270539e5
0x7ff7270539ef
0x7ff7270539f5
0x7ff7270539ff
0x7ff727053a0a
0x7ff727053a0f
0x7ff727053a15
0x7ff727053a25
0x7ff727053a33
0x7ff727053a47
0x7ff727053a50
0x7ff727053a5f
0x7ff727053a63
0x7ff727053a68
0x7ff727053a70
0x7ff727053a7b
0x7ff727053aa1

APIs

malloc.MSVCRT ref: 00007FF7270539A1
InitializeAcl.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF7270539BD
AddAce.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053A68

Part of subcall function 00007FF727053AB0: GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-2-0 ref: 00007FF727053AB8

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: InitializeLengthmalloc
String ID:
API String ID: 898285474-0
Opcode ID: 4861f49b0657cb3753856d4f0fdc6e80e56900f32157443919f9aaa8e96ab639
Instruction ID: edba7c59614885e38b82d9feb42b24d28eb0bea1416d68b5936f07eadba7e70a
Opcode Fuzzy Hash: 4861f49b0657cb3753856d4f0fdc6e80e56900f32157443919f9aaa8e96ab639
Instruction Fuzzy Hash: 93617321B0960681EA24BB26DE25279E791FF87F88FD44035D91E87795CE3CE44F8B60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72705AC70 Relevance: 7.6, APIs: 5, Instructions: 61
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00007FF77FF72705AC70(long long __rbx, void* __rcx, signed int** __rdx, long long __rbp, void* __r9, long long _a8, intOrPtr _a16, long long _a24) {
				int _t24;
				intOrPtr _t39;
				intOrPtr _t50;

				_a8 = __rbx;
				_a24 = __rbp;
				__rdx[1] = 1;
				GetWindowThreadProcessId(??, ??);
				if (_a16 != __rdx[1]) goto 0x2705ad4d;
				if (EnumThreadWindows(??, ??, ??) != 0) goto 0x2705acf5;
				_t39 =  *0x27060048; // 0x7ff727060048
				if (_t39 == 0x27060048) goto 0x2705acf5;
				if (( *(_t39 + 0x1c) & 0x00000004) == 0) goto 0x2705acf5;
				r9d = GetLastError();
				E00007FF77FF72705AED8(_t21, 0xb);
				if ( *( *__rdx) == 0) goto 0x2705ad4d;
				if (IsWindow(??) == 0) goto 0x2705ad4d;
				r9d = 0;
				r8d = 0;
				_t24 = PostMessageW(??, ??, ??, ??);
				 *( *__rdx) =  *( *__rdx) & 0x00000000;
				_t50 =  *0x27060048; // 0x7ff727060048
				if (_t50 == 0x27060048) goto 0x2705ad4d;
				if (( *(_t50 + 0x1c) & 0x00000004) == 0) goto 0x2705ad4d;
				E00007FF77FF72705AF14(_t24, 0xc, __rcx);
				return 1;
			}

0x7ff72705ac70
0x7ff72705ac75
0x7ff72705ac82
0x7ff72705ac8e
0x7ff72705ac9d
0x7ff72705acbc
0x7ff72705acbe
0x7ff72705acc8
0x7ff72705acce
0x7ff72705ace8
0x7ff72705acf0
0x7ff72705acfb
0x7ff72705ad08
0x7ff72705ad0a
0x7ff72705ad0d
0x7ff72705ad17
0x7ff72705ad20
0x7ff72705ad23
0x7ff72705ad2d
0x7ff72705ad33
0x7ff72705ad48
0x7ff72705ad61

APIs

GetWindowThreadProcessId.USER32 ref: 00007FF72705AC8E
EnumThreadWindows.USER32 ref: 00007FF72705ACAD
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00007FF72705ACD0

Part of subcall function 00007FF72705AED8: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FF72705AF01

IsWindow.USER32 ref: 00007FF72705AD00
PostMessageW.USER32 ref: 00007FF72705AD17

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: MessageThreadWindow$EnumErrorLastPostProcessTraceWindows
String ID:
API String ID: 50814547-0
Opcode ID: f3c1beda5f7d9f5b89ae5f10a90bd50fdf532b7066c3ba063e72f3e14ad6a477
Instruction ID: 2166ad6f335c7eaa1c4feeefa43fb061888d7888e8824910333790c1c7a75bef
Opcode Fuzzy Hash: f3c1beda5f7d9f5b89ae5f10a90bd50fdf532b7066c3ba063e72f3e14ad6a477
Instruction Fuzzy Hash: 91214161608642C5EB60BB16EA50768A791FB46B85FC48035CA0EC7660DF7CD48ECB64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72705CE08 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00007FF77FF72705CE08(intOrPtr __edx, long long __rbx, void* __rcx, long long __rsi, void* __r9) {
				void* __rdi;
				signed short _t28;
				signed int _t36;
				intOrPtr _t43;
				void* _t45;
				intOrPtr _t59;
				intOrPtr _t64;
				void* _t68;
				void* _t69;
				long long _t73;
				void* _t75;
				void* _t76;
				void* _t78;
				void* _t82;
				struct _CRITICAL_SECTION* _t85;

				 *((long long*)(_t75 + 8)) = __rbx;
				 *((long long*)(_t75 + 0x18)) = _t73;
				 *((long long*)(_t75 + 0x20)) = __rsi;
				_t76 = _t75 - 0x30;
				_t43 = __edx;
				_t69 = __rcx;
				_t45 = __edx - 0x80073c8d;
				if (_t45 != 0) goto 0x2705ce3a;
				goto 0x2705cf2c;
				EnterCriticalSection(_t85);
				 *((intOrPtr*)(__rcx + 0x58)) = 1;
				 *((intOrPtr*)(__rcx + 0x5c)) = __edx;
				asm("lock cmpxchg [edi+0x10], ebp");
				if (_t45 != 0) goto 0x2705ceed;
				r9d =  *((intOrPtr*)(__rcx + 0x44));
				r8d = __edx;
				_t28 = E00007FF77FF72705B070(__rbx, __rcx, __rcx + 0x18, __rcx, __rsi, _t73, _t78, _t82, _t68);
				if (_t28 <= 0) goto 0x2705ce8a;
				_t36 = _t28 & 0x0000ffff | 0x80070000;
				if (_t36 >= 0) goto 0x2705cec9;
				_t59 =  *0x27060048; // 0x7ff727060048
				if (_t59 == 0x27060048) goto 0x2705ceb9;
				if (( *(_t59 + 0x1c) & 0x00000001) == 0) goto 0x2705ceb9;
				 *(_t76 + 0x28) = _t36;
				 *((intOrPtr*)(_t76 + 0x20)) = _t43;
				E00007FF77FF72705D0C4(_t28, 0x18, _t78, _t69);
				asm("lock cmpxchg [edi+0x10], ecx");
				if (r8d == r8d) goto 0x2705cef2;
				goto 0x2705ced3;
				asm("lock cmpxchg [edi+0x10], edx");
				LeaveCriticalSection(??);
				E00007FF77FF7270553CC();
				goto 0x2705cefb;
				LeaveCriticalSection(??);
				if (0x80004004 >= 0) goto 0x2705cf2a;
				_t64 =  *0x27060048; // 0x7ff727060048
				if (_t64 == 0x27060048) goto 0x2705cf2a;
				if (( *(_t64 + 0x1c) & 0x00000001) == 0) goto 0x2705cf2a;
				 *(_t76 + 0x28) = 0x80004004;
				 *((intOrPtr*)(_t76 + 0x20)) = _t43;
				E00007FF77FF72705D0C4(r8d, 0x19, _t78, _t69);
				return 0x80004004;
			}

0x7ff72705ce08
0x7ff72705ce0d
0x7ff72705ce12
0x7ff72705ce1c
0x7ff72705ce23
0x7ff72705ce25
0x7ff72705ce28
0x7ff72705ce2e
0x7ff72705ce35
0x7ff72705ce41
0x7ff72705ce47
0x7ff72705ce4e
0x7ff72705ce5d
0x7ff72705ce62
0x7ff72705ce68
0x7ff72705ce70
0x7ff72705ce76
0x7ff72705ce7f
0x7ff72705ce84
0x7ff72705ce8c
0x7ff72705ce8e
0x7ff72705ce98
0x7ff72705ce9e
0x7ff72705ceac
0x7ff72705ceb0
0x7ff72705ceb4
0x7ff72705cebe
0x7ff72705cec5
0x7ff72705cec7
0x7ff72705cece
0x7ff72705ced6
0x7ff72705cee6
0x7ff72705ceeb
0x7ff72705cef5
0x7ff72705cefd
0x7ff72705ceff
0x7ff72705cf09
0x7ff72705cf0f
0x7ff72705cf1d
0x7ff72705cf21
0x7ff72705cf25
0x7ff72705cf44

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF72705CE41
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF72705CED6

Strings

HandleFailedStart, xrefs: 00007FF72705CEDC

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: HandleFailedStart
API String ID: 3168844106-1580826537
Opcode ID: b3207b312c83599162b2ef46feeb1b995072c086d2c4aa91cdd8aac82157ff27
Instruction ID: b7791fd05c95326869820f7f36e84dc99af1728e5ea086fb77c3d892969751ed
Opcode Fuzzy Hash: b3207b312c83599162b2ef46feeb1b995072c086d2c4aa91cdd8aac82157ff27
Instruction Fuzzy Hash: 3531A071A0864386E720AB069A5027AF360FB45748FD08139DA0DCBB54CF7DE95BCB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72705C300 Relevance: 6.1, APIs: 4, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00007FF77FF72705C300(void* __ebx, void* __ecx, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* _t20;
				void* _t23;
				void* _t24;
				void* _t28;
				void* _t31;
				void* _t49;
				intOrPtr _t52;
				intOrPtr _t53;
				intOrPtr _t59;
				void* _t78;
				void* _t82;
				void* _t87;
				intOrPtr* _t88;

				_t54 = __rbx;
				_t31 = __ebx;
				_t49 = _t82;
				 *((long long*)(_t49 + 8)) = __rbx;
				 *((long long*)(_t49 + 0x10)) = __rbp;
				 *((long long*)(_t49 + 0x18)) = __rsi;
				 *((long long*)(_t49 + 0x20)) = __rdi;
				_t78 = __rcx;
				_t59 =  *0x27060048; // 0x7ff727060048
				if (_t59 == 0x27060048) goto 0x2705c34d;
				if (( *(_t59 + 0x1c) & 0x00000004) == 0) goto 0x2705c34d;
				E00007FF77FF72705AF14(_t20, 0xc, __rcx);
				E00007FF77FF72705BC9C(__rbx, __rcx, __rdx, __rcx, _t87);
				_t23 = E00007FF77FF727051CB0(_t31, _t54, __rcx, __rcx);
				if (_t23 < 0) goto 0x2705c40e;
				__imp__CoInitializeEx();
				if (_t23 < 0) goto 0x2705c40e;
				r14d = 0;
				__imp__AcquireSRWLockExclusive();
				if ( *((intOrPtr*)(_t78 + 0x60)) == _t87) goto 0x2705c398;
				_t88 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t78 + 0x58)))) + 0x18));
				__imp__ReleaseSRWLockExclusive();
				if (_t88 == 0) goto 0x2705c400;
				_t52 =  *_t88;
				E00007FF77FF7270634F0();
				_t24 =  *((long long*)( *((intOrPtr*)(_t52 + 0x30))))();
				if (_t52 == 0) goto 0x2705c3e9;
				E00007FF77FF72705C0D0(_t24, _t78);
				_t53 =  *_t88;
				_t56 =  *((intOrPtr*)(_t53 + 0x30));
				E00007FF77FF7270634F0();
				 *((long long*)( *((intOrPtr*)(_t53 + 0x30))))();
				E00007FF77FF72705BC9C( *((intOrPtr*)(_t53 + 0x30)), _t78, _t53, _t78);
				_t28 = E00007FF77FF72705CFAC(_t56, _t88, _t53);
				if (_t23 != 0) goto 0x2705c37a;
				if (_t28 >= 0) goto 0x2705c37a;
				goto 0x2705c37a;
				__imp__CoUninitialize();
				E00007FF77FF72705C0D0(_t28, _t78);
				return _t28;
			}

0x7ff72705c300
0x7ff72705c300
0x7ff72705c300
0x7ff72705c303
0x7ff72705c307
0x7ff72705c30b
0x7ff72705c30f
0x7ff72705c319
0x7ff72705c31c
0x7ff72705c32d
0x7ff72705c333
0x7ff72705c348
0x7ff72705c352
0x7ff72705c357
0x7ff72705c360
0x7ff72705c36a
0x7ff72705c374
0x7ff72705c37e
0x7ff72705c381
0x7ff72705c38b
0x7ff72705c394
0x7ff72705c39c
0x7ff72705c3a5
0x7ff72705c3a7
0x7ff72705c3b1
0x7ff72705c3ba
0x7ff72705c3bf
0x7ff72705c3c4
0x7ff72705c3c9
0x7ff72705c3cc
0x7ff72705c3d3
0x7ff72705c3dc
0x7ff72705c3e4
0x7ff72705c3ec
0x7ff72705c3f3
0x7ff72705c3f7
0x7ff72705c3fb
0x7ff72705c400
0x7ff72705c409
0x7ff72705c42a

APIs

CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-1 ref: 00007FF72705C36A
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF72705C381
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF72705C39C
CoUninitialize.API-MS-WIN-CORE-COM-L1-1-1 ref: 00007FF72705C400

Part of subcall function 00007FF72705AF14: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FF72705AF3D

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: ExclusiveLock$AcquireInitializeMessageReleaseTraceUninitialize
String ID:
API String ID: 114521419-0
Opcode ID: 85ae01b7563361a2bd3ea48cc4530719e0a396e9b2987d413353757d9e95d3b8
Instruction ID: 0c628dac5584ed02e7a1ec4267251357c9d63a8b71244bfdfafb17e735d5c051
Opcode Fuzzy Hash: 85ae01b7563361a2bd3ea48cc4530719e0a396e9b2987d413353757d9e95d3b8
Instruction Fuzzy Hash: B1316121B09A0781EA24BB16DD1017AA760FF86F84BC84035CE0EC7751DF3CE54B8B60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72705BC9C Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00007FF77FF72705BC9C(long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long _a16, long long _a24) {
				void* _v8;
				signed int _v24;
				void* _v1046;
				char _v1048;
				signed long long _t38;
				void* _t57;
				signed long long _t58;
				void* _t64;

				_t40 = __rbx;
				_a16 = __rbx;
				_a24 = __rsi;
				_t58 = _t57 - 0x430;
				_t38 =  *0x270600e8; // 0x2df664ba1f6a
				_t39 = _t38 ^ _t58;
				_v24 = _t38 ^ _t58;
				r8d = 0x3fe;
				_v1048 = 0;
				memset(??, ??, ??);
				GetModuleHandleW(??);
				r9d = 0x200;
				if (LoadStringW(??, ??, ??, ??) == 0) goto 0x2705bd4b;
				if (__rdx == 0) goto 0x2705bd38;
				E00007FF77FF72705C474(_t38 ^ _t58, __rbx,  &_v1048, 0x2705bd8c, _t64);
				E00007FF77FF72705C474(_t38 ^ _t58, _t40,  &_v1048, __rdx, _t64);
				E00007FF77FF72705C474(_t39, _t40,  &_v1048, 0x2705bd94, _t64);
				if ( *0x27065078() != 0) goto 0x2705bd62;
				if (GetLastError() > 0) goto 0x2705bd59;
				goto 0x2705bd62;
				return E00007FF77FF727051700(_t23 & 0x0000ffff | 0x80070000, 0, _v24 ^ _t58);
			}

0x7ff72705bc9c
0x7ff72705bc9c
0x7ff72705bca1
0x7ff72705bca7
0x7ff72705bcae
0x7ff72705bcb5
0x7ff72705bcb8
0x7ff72705bccf
0x7ff72705bcd5
0x7ff72705bcda
0x7ff72705bce1
0x7ff72705bcec
0x7ff72705bd02
0x7ff72705bd07
0x7ff72705bd15
0x7ff72705bd22
0x7ff72705bd33
0x7ff72705bd49
0x7ff72705bd53
0x7ff72705bd57
0x7ff72705bd88

APIs

memset.MSVCRT ref: 00007FF72705BCDA
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF72705BCE1
LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF72705BCFA
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-1 ref: 00007FF72705BD4B

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: ErrorHandleLastLoadModuleStringmemset
String ID:
API String ID: 1639429114-0
Opcode ID: ea336cb57723f1f0658b04206d26aa0b711bb30ba45fe8911567c91025de6fe3
Instruction ID: f6f89113e5e4798518a33e421e4aff0d1af973ff4b9bba288664bae8487c4c1b
Opcode Fuzzy Hash: ea336cb57723f1f0658b04206d26aa0b711bb30ba45fe8911567c91025de6fe3
Instruction Fuzzy Hash: CA21336170868291EA30AB11E9506BAA3A0FF49784FC44135DA9DC7655DF2CE50E8F60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72705AD70 Relevance: 6.0, APIs: 4, Instructions: 44windowthreadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32 ref: 00007FF72705AD85
PostMessageW.USER32 ref: 00007FF72705ADDA
PostMessageW.USER32 ref: 00007FF72705ADF1
PostMessageW.USER32 ref: 00007FF72705AE04

Part of subcall function 00007FF72705AF50: TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FF72705AF89

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: Message$Post$ProcessThreadTraceWindow
String ID:
API String ID: 1122175763-0
Opcode ID: 846fd7052f266f09fc48c11bbc2efc487bf375ec1aad0120f9bdc2d60d0007c9
Instruction ID: 9c13ca3e03aa569d53bee891c450cb33cd9501f85f735571a72bb3b429987233
Opcode Fuzzy Hash: 846fd7052f266f09fc48c11bbc2efc487bf375ec1aad0120f9bdc2d60d0007c9
Instruction Fuzzy Hash: E911E37270825282FB20AF16ED60B69A760FB86B84FD08431CF0D87A54CE3DD44E8F50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7270544A0 Relevance: 6.0, APIs: 4, Instructions: 29synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF7270544B1
WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF7270544C2
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7270544D8
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7270544F0

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: CloseHandle$EventObjectSingleWait
String ID:
API String ID: 2857295742-0
Opcode ID: 438d312dc60b74bea5ed02ed5db7f73323eb1a90a1b3bbacd8f7ff36782901bf
Instruction ID: c75f92e9e521e30a543b3f3240f651cd8b8ff2a2c4423ccb11dc415513d5dcae
Opcode Fuzzy Hash: 438d312dc60b74bea5ed02ed5db7f73323eb1a90a1b3bbacd8f7ff36782901bf
Instruction Fuzzy Hash: C7F0622271494195E7509F25ED8002CF3A8FB45F747945334DA3E922D4CF38D4CACB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7270551B0 Relevance: 6.0, APIs: 4, Instructions: 24threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF7270551BF
GetThreadPriority.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF7270551C8
GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF7270551D7
SetThreadPriority.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2 ref: 00007FF7270551E2

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: Thread$CurrentPriority
String ID:
API String ID: 1343868529-0
Opcode ID: a8b2d5dcf4ee41e56b5e1e3f71e8cc7c1f8e1aa3f41a3bdb8e869fbecb82b451
Instruction ID: a709a2ff673ca3394f000d74580d76e8e1a7a36176e3ad4323a7fb9b20e03161
Opcode Fuzzy Hash: a8b2d5dcf4ee41e56b5e1e3f71e8cc7c1f8e1aa3f41a3bdb8e869fbecb82b451
Instruction Fuzzy Hash: 16F01931B0860392DB346B75FD14139E2D1FF4AB64B948234C93D823A4DD3CD44A4A10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72705D124 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FF72705D1E6

Strings

NULL, xrefs: 00007FF72705D17F
<NULL>, xrefs: 00007FF72705D172

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: MessageTrace
String ID: <NULL>$NULL
API String ID: 471583391-888386124
Opcode ID: dca6ae9867d2077ffdcc52524966eaf8d07db47c65085749c38023003614f6ac
Instruction ID: 56128441ee13f7c21ba2ad867149c3c18a2f0213047668a7749ddac4b14db60d
Opcode Fuzzy Hash: dca6ae9867d2077ffdcc52524966eaf8d07db47c65085749c38023003614f6ac
Instruction Fuzzy Hash: 52116D31A08B81D1DA30DB11F9906AAB3B4FB96750FD00236D69D43BA4EF3CD16ACB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72705CCA8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38windowCOMMON

Download Yara Rule

APIs

TraceMessage.API-MS-WIN-EVENTING-CLASSICPROVIDER-L1-1-0 ref: 00007FF72705CD3E

Strings

NULL, xrefs: 00007FF72705CD03
<NULL>, xrefs: 00007FF72705CCF6

Memory Dump Source

Source File: 00000000.00000002.237913977.00007FF727051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF727050000, based on PE: true

Associated: 00000000.00000002.237908138.00007FF727050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237927801.00007FF727060000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.237932983.00007FF727061000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff727050000_taskhost.jbxd

Similarity

API ID: MessageTrace
String ID: <NULL>$NULL
API String ID: 471583391-888386124
Opcode ID: 291a57432247d76d3c5557f5f4a2f135507886947d9bcc7bc04442145b60a424
Instruction ID: 3ab93646e359c17162b399c5e174ff022527d89fe74adcabf48320876ecb9d1f
Opcode Fuzzy Hash: 291a57432247d76d3c5557f5f4a2f135507886947d9bcc7bc04442145b60a424
Instruction Fuzzy Hash: CF018621609B42C1EA31EB10ED5476AB764FB86750FD05235D69E827D4DF3CD45ACB10

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report taskhost.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Software Vulnerabilities

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: taskhost.exePID: 4844, Parent PID: 3452

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Registry Activities

Key Opened

Windows Analysis Report
taskhost.exe

Function 00007FF727051290 Relevance: 89.7, APIs: 49, Strings: 2, Instructions: 415
memorysleepsynchronizationCOMMON

Function 00007FF727053260 Relevance: 47.1, APIs: 31, Instructions: 639
COMMON

Function 00007FF727052240 Relevance: 13.6, APIs: 9, Instructions: 85
windowCOMMON

Function 00007FF7270522E0 Relevance: 3.0, APIs: 2, Instructions: 45
nativewindowCOMMON

Function 00007FF727052970 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 00007FF7270548A0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 79
registryCOMMON

Function 00007FF727054E10 Relevance: 10.6, APIs: 7, Instructions: 74
synchronizationthreadCOMMON

Function 00007FF727052E60 Relevance: 7.7, APIs: 5, Instructions: 157
COMMON

Function 00007FF727051D30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38
registryCOMMON

Function 00007FF7270546A2 Relevance: 4.5, APIs: 3, Instructions: 32
windowCOMMON

Function 00007FF727051780 Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Function 00007FF727051CB0 Relevance: 3.0, APIs: 2, Instructions: 47
synchronizationCOMMON

Function 00007FF727053DC0 Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Function 00007FF727053D40 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Function 00007FF727052920 Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Function 00007FF727051930 Relevance: 1.3, APIs: 1, Instructions: 15
COMMON

Function 00007FF727052AF0 Relevance: 18.4, APIs: 12, Instructions: 366
COMMON