
Windows Analysis Report
svchost(1).exe

Overview

General Information

Sample name: svchost(1).exe
Analysis ID: 1426767
MD5: d9e224acffd36b1c83e8ee2031ccf349
SHA1: 557185cb2cfc025ba795dfe657b13c1509c290aa
SHA256: 82bb0e74c91357fdceaa9bc94ac01448f2a97e0087f7c9d11f08586accd77cf6

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Analysis Advice

Sample is a service DLL but no service has been registered
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree
  • System is w10x64
  • svchost(1).exe (PID: 6392, cmdline: "C:\Users\user\Desktop\svchost(1).exe", MD5: D9E224ACFFD36B1C83E8EE2031CCF349)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: svchost(1).exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: svchost(1).exe | Static PE information: certificate valid
Source: svchost(1).exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: svchost.pdb | source: svchost(1).exe
Source: Binary string: svchost.pdbUGP | source: svchost(1).exe
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B3150 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B32D0 RtlImageNtHeader,RpcMgmtSetServerStackSize,I_RpcServerDisableExceptionFilter,RtlSetProcessIsCritical,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProtectedPolicy,HeapSetInformation,HeapSetInformation,TpAllocTimer,EventRegister,EventSetInformation,GetTickCount64,GetTickCount64,TpSetTimer,NtSetInformationProcess
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B2739 ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B24B0 RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegCloseKey,HeapAlloc,RegQueryValueExW,ExpandEnvironmentStringsW,LCMapStringW,RegQueryValueExW,HeapFree,AcquireSRWLockShared,ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey,HeapAlloc,RegGetValueW,WideCharToMultiByte,HeapAlloc,WideCharToMultiByte,HeapFree,ExpandEnvironmentStringsW,HeapFree,CreateActCtxW,GetLastError,HeapFree,HeapFree,GetLastError,CreateActCtxW,GetLastError,ReleaseActCtx,GetLastError,GetLastError,RtlNtStatusToDosError,GetLastError,LoadLibraryExW,RtlNtStatusToDosError,LoadLibraryExW,RtlNtStatusToDosError,HeapFree,ReleaseActCtx
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B2739
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B24B0
Source: svchost(1).exe, 00000000.00000000.2045451956.00000000004BB000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesvchost.exej% vs svchost(1).exe
Source: svchost(1).exe | Binary or memory string: OriginalFilenamesvchost.exej% vs svchost(1).exe
Source: svchost(1).exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: clean5.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B3120 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B3120 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess
Source: svchost(1).exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\svchost(1).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\svchost(1).exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_0-1511)
Source: svchost(1).exe | Static PE information: certificate valid
Source: initial sample | Static PE information: Valid certificate with Microsoft Issuer
Source: svchost(1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: svchost(1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: svchost(1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: svchost(1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: svchost(1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: svchost(1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: svchost(1).exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, GUARD_CF, TERMINAL_SERVER_AWARE
Source: svchost(1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: svchost.pdb | source: svchost(1).exe
Source: Binary string: svchost.pdbUGP | source: svchost(1).exe
Source: svchost(1).exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B3120 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess
Source: C:\Users\user\Desktop\svchost(1).exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_0-1696)
Source: C:\Users\user\Desktop\svchost(1).exe | API coverage: 3.6 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\svchost(1).exe | API call chain: ExitProcess graph end node (graph_0-1485)
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B45C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B45C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B45C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B45C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B4FD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B4FD0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B43D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B43D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B32D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B32D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B32D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B2E20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B2E20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B2E20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B2E20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B3150 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B3150 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B514A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B45C0 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,HeapAlloc,InitializeSecurityDescriptor,GetTokenInformation,GetTokenInformation,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,HeapAlloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,CloseHandle,GetLengthSid,AddAccessAllowedAce,GetLengthSid,AddAccessAllowedAce,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,HeapFree,HeapFree
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B50B0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B67D0 RpcServerUnregisterIfEx,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B6780 RpcServerUnregisterIf,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status
Source: C:\Users\user\Desktop\svchost(1).exe | Code function: 0_2_004B6710 EnterCriticalSection,RpcServerListen,LeaveCriticalSection,I_RpcMapWin32Status
MITRE ATT&CK Matrix (a number in parentheses is the match count shown in that matrix cell)
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: Acquire Infrastructure; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Command and Scripting Interpreter (2); Service Execution (2); Native API (11)
  • Persistence: Windows Service (3); Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Privilege Escalation: Windows Service (3); Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: System Time Discovery (1); Security Software Discovery (1); System Information Discovery (2)
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive
  • Command and Control: Encrypted Channel (1); Junk Data; Steganography
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact

Antivirus scanner results (Source | Detection | Scanner)
svchost(1).exe | 0% | ReversingLabs
svchost(1).exe | 0% | Virustotal
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1426767
Start date and time: 2024-04-16 15:38:33 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: svchost(1).exe
Detection: CLEAN
Classification: clean5.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 75%
  • Number of executed functions: 2
  • Number of non-executed functions: 26
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.434813773926763
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: svchost(1).exe
File size: 45'488 bytes
MD5: d9e224acffd36b1c83e8ee2031ccf349
SHA1: 557185cb2cfc025ba795dfe657b13c1509c290aa
SHA256: 82bb0e74c91357fdceaa9bc94ac01448f2a97e0087f7c9d11f08586accd77cf6
SHA512: 8109ebc84a8ed5228c7bdaf2f2c0f62b2d9b20be7eb6091cd933971b0c64fa8a722665cbc240138810e33aec75400f38eec9e7244431cbefe8e43a6826aec3c6
SSDEEP: 768:bJRYx30J+CVDfl4DoXagiPZCc8cVUyF4Q1PCfWoF9zupk:bd+CVDfl4DoXagiPZyXyFjPCf9Xzuq
TLSH: AD137C519689C052E9F321B0227FA22B6D7FBE726781C9E75682545938717C0FF3C22E
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........UJe..Je..Je../...He../...Ke..C.U.se..Je...e../...De../...Ce../.9.Ke../...Ke..RichJe..........PE..L......F.................Z.
Icon Hash: 00928e8e8686b000
Entrypoint: 0x403090
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x46FA82D7 [Wed Sep 26 16:03:35 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 10
OS Version Minor: 0
File Version Major: 10
File Version Minor: 0
Subsystem Version Major: 10
Subsystem Version Minor: 0
Import Hash: ec10f5be711cb724c2d4d18a3c10ad6d
Signature Valid: true
Signature Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After:
  • 27/01/2022 20:31:19, 26/01/2023 20:31:19
Subject Chain:
  • CN=Microsoft Windows Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version: 3
Thumbprint MD5: F5B9128CD5E7683597D6CF3824FA1276
Thumbprint SHA-1: C60A14A6BD925780E9F0463BA19C3F37D5473E8B
Thumbprint SHA-256: 6F1EE3B86130D15010459132338EF2F3617283FFA802C4FA6061273604CC0CDA
Serial: 330000036CE57EEB5D1CC2BE1700000000036C
Instruction
call 00007F0A453C8D00h
jmp 00007F0A453C6CEBh
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
sub esp, 10h
lea eax, dword ptr [ebp-04h]
mov dword ptr [ebp-0Ch], 00000000h
push 004011FCh
push 004011F8h
mov dword ptr [ebp-04h], 00000000h
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-10h], 00000000h
call dword ptr [00408048h]
add esp, 08h
test eax, eax
jne 00007F0A453C6D0Fh
push eax
push eax
push eax
lea eax, dword ptr [ebp-08h]
push eax
lea eax, dword ptr [ebp-0Ch]
push eax
call dword ptr [0040804Ch]
push 004011F4h
push 004011F0h
call dword ptr [00408044h]
add esp, 1Ch
lea eax, dword ptr [ebp-10h]
push eax
call 00007F0A453C6CEEh
mov eax, 000000FFh
mov esp, ebp
pop ebp
ret
jmp 00007F0A453C6CF0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push esi
call 00007F0A453C6D0Dh
mov esi, eax
test esi, esi
je 00007F0A453C6CF4h
push 00406030h
call dword ptr [004081C0h]
push esi
call dword ptr [004081B8h]
call 00007F0A453C83F0h
push 00000000h
call dword ptr [004080C4h]
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
and esp, FFFFFFF8h
Programming Language:
  • [IMP] VS2008 SP1 build 30729
Data directories (Name | Virtual Address | Virtual Size | Is in Section)
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8260 | 0x258 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb000 | 0x818 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x8a00 | 0x27b0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0x660 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1a00 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1100 | 0xa4 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x25c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x6930 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics)
.text | 0x1000 | 0x59e8 | 0x5a00 | d07f39300d943eea0b2dc5a75df85ab1 | False | 0.5348090277777777 | data | 6.090902221406976 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x7000 | 0x4b0 | 0x200 | c9a18b9809ce46cb1bd5c2d761aa077a | False | 0.0625 | data | 0.2201131574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x154c | 0x1600 | 80bc3534a49271b71bbf01c72b337222 | False | 0.3856534090909091 | data | 5.031519188486823 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0xa000 | 0x14 | 0x200 | 097ab9033ed077b8a4f123dc3c367b98 | False | 0.046875 | OpenPGP Secret Key | 0.21310128450968063 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xb000 | 0x818 | 0xa00 | 51d8a1d4731bafe606d1a8c1280b6c3f | False | 0.38046875 | data | 3.747297110254232 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc000 | 0x660 | 0x800 | fb7e0ac2c1401878659a65711ac726eb | False | 0.7138671875 | data | 5.901056975990543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity)
MUI | 0xb750 | 0xc8 | data | English | United States | 0.545
RT_VERSION | 0xb3a0 | 0x3b0 | data | English | United States | 0.4576271186440678
RT_MANIFEST | 0xb0f0 | 0x2b0 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5232558139534884
Imports (DLL: imported functions)
api-ms-win-core-crt-l2-1-0.dll: _initterm, _initterm_e, __wgetmainargs
api-ms-win-core-profile-l1-1-0.dll: QueryPerformanceCounter
api-ms-win-core-processthreads-l1-1-0.dll: ExitProcess, GetCurrentProcessId, SetProcessAffinityUpdateMode, TerminateProcess, GetCurrentProcess, GetCurrentThreadId, OpenProcessToken
api-ms-win-core-sysinfo-l1-1-0.dll: GetTickCount, GetTickCount64, GetSystemTimeAsFileTime
api-ms-win-core-errorhandling-l1-1-0.dll: GetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetErrorMode
api-ms-win-service-private-l1-1-3.dll: I_RegisterSvchostNotificationCallback
api-ms-win-core-crt-l1-1-0.dll: memcpy, _wcsicmp, memset, memcmp, qsort_s
api-ms-win-core-libraryloader-l1-2-0.dll: GetProcAddress, LoadLibraryExW, FreeLibrary
api-ms-win-core-heap-l1-1-0.dll: HeapAlloc, HeapFree, HeapSetInformation, GetProcessHeap
api-ms-win-core-synch-l1-1-0.dll: ReleaseSRWLockExclusive, AcquireSRWLockExclusive, InitializeSRWLock, ReleaseSRWLockShared, AcquireSRWLockShared, LeaveCriticalSection, EnterCriticalSection
api-ms-win-service-winsvc-l1-1-0.dll: RegisterServiceCtrlHandlerW
api-ms-win-service-core-l1-1-0.dll: SetServiceStatus, StartServiceCtrlDispatcherW
api-ms-win-core-string-l1-1-0.dll: CompareStringOrdinal, MultiByteToWideChar, WideCharToMultiByte
api-ms-win-core-registry-l1-1-0.dll: RegEnumKeyExW, RegCloseKey, RegDisablePredefinedCacheEx, RegGetValueW, RegOpenKeyExW, RegQueryValueExW
api-ms-win-core-processenvironment-l1-1-0.dll: GetCommandLineW, ExpandEnvironmentStringsW
api-ms-win-core-processthreads-l1-1-1.dll: SetProcessMitigationPolicy
api-ms-win-core-processthreads-l1-1-2.dll: SetProtectedPolicy
RPCRT4.dll: RpcServerUnregisterIf, I_RpcMapWin32Status, RpcMgmtSetServerStackSize, I_RpcServerDisableExceptionFilter, RpcServerUseProtseqEpW, RpcServerUnregisterIfEx, RpcServerRegisterIf, RpcMgmtStopServerListening, RpcServerListen, RpcMgmtWaitServerListen
api-ms-win-core-localization-l1-2-0.dll: LCMapStringW
api-ms-win-security-base-l1-1-0.dll: SetSecurityDescriptorDacl, SetSecurityDescriptorOwner, MakeAbsoluteSD, InitializeSecurityDescriptor, InitializeAcl, AddAccessAllowedAce, GetLengthSid, SetSecurityDescriptorGroup, GetTokenInformation
api-ms-win-core-handle-l1-1-0.dll: CloseHandle
api-ms-win-eventing-provider-l1-1-0.dll: EventSetInformation, EventWriteTransfer, EventRegister
api-ms-win-crt-utility-l1-1-0.dll: bsearch_s
api-ms-win-core-sidebyside-l1-1-0.dll: DeactivateActCtx, CreateActCtxW, ReleaseActCtx, ActivateActCtx
api-ms-win-core-threadpool-private-l1-1-0.dll: RegisterWaitForSingleObjectEx
ntdll.dll: RtlSetProcessIsCritical, _vsnwprintf, TpSetTimer, RtlValidSecurityDescriptor, TpReleaseTimer, TpWaitForTimer, TpSetTimerEx, RtlFreeHeap, RtlAllocateHeap, RtlQueryHeapInformation, RtlRunOnceExecuteOnce, RtlNtStatusToDosError, EtwEventWrite, EtwEventEnabled, TpReleaseWait, RtlNtStatusToDosErrorNoTeb, TpSetWait, TpAllocWait, EtwEventRegister, NtQuerySystemInformation, RtlUnhandledExceptionFilter, RtlInitializeCriticalSection, RtlInitializeSid, RtlSubAuthoritySid, RtlGetDeviceFamilyInfoEnum, RtlReleaseSRWLockExclusive, RtlSubAuthorityCountSid, RtlAcquireSRWLockExclusive, RtlLengthRequiredSid, RtlDeriveCapabilitySidsFromName, RtlCopySid, NtSetInformationProcess, TpAllocTimer, RtlImageNtHeader
api-ms-win-core-heap-l2-1-0.dll: LocalAlloc, LocalFree
api-ms-win-core-delayload-l1-1-1.dll: ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0.dll: DelayLoadFailureHook
Language of compilation system: English
Country where language is spoken: United States
No network behavior found

Target ID: 0
Start time: 15:39:24
Start date: 16/04/2024
Path: C:\Users\user\Desktop\svchost(1).exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\svchost(1).exe"
Imagebase: 0x4b0000
File size: 45'488 bytes
MD5 hash: D9E224ACFFD36B1C83E8EE2031CCF349
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Execution Graph

Execution Coverage: 1.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 50.9%
Total number of Nodes: 638
Total number of Limit Nodes: 2
execution_graph: node-and-edge listing of the execution graph (638 nodes); the text dump is truncated in the extraction and is not reproduced here.
GetLastError 1737->1743 1739 4b4778 AddAccessAllowedAce 1738->1739 1740 4b4790 1738->1740 1739->1740 1739->1743 1740->1730 1740->1731 1741->1710 1742->1700 1743->1700 1746 4b5fa8 1745->1746 1747 4b500d GetLastError 1745->1747 1748 4b5018 GetPEB HeapAlloc 1747->1748 1749 4b5085 1747->1749 1748->1749 1750 4b5040 MakeAbsoluteSD 1748->1750 1749->1687 1750->1749 1751 4b5f86 GetLastError GetPEB HeapFree 1750->1751 1751->1746 1852 4b2160 1853 4b21a6 1852->1853 1878 4b21d6 1852->1878 1854 4b21b0 CompareStringOrdinal 1853->1854 1853->1878 1854->1853 1856 4b21db 1854->1856 1855 4b50a0 4 API calls 1857 4b241f 1855->1857 1858 4b21ea AcquireSRWLockExclusive 1856->1858 1856->1878 1894 4b24b0 1858->1894 1860 4b2219 1861 4b2233 AcquireSRWLockExclusive 1860->1861 1866 4b2259 ReleaseSRWLockExclusive 1860->1866 1862 4b244b 1861->1862 1863 4b224b ReleaseSRWLockExclusive 1861->1863 1984 4b2cc0 1862->1984 1863->1866 1879 4b228a 1866->1879 1867 4b22b9 1870 4b22cb EtwEventEnabled 1867->1870 1871 4b22e0 1867->1871 1868 4b5438 1868->1878 1991 4b5fc0 RegisterServiceCtrlHandlerW 1868->1991 1869 4b23e9 1873 4b2455 ActivateActCtx 1869->1873 1876 4b23fa ReleaseSRWLockExclusive 1869->1876 1870->1871 1872 4b5384 EtwEventWrite 1870->1872 1882 4b2302 EtwEventEnabled 1871->1882 1883 4b2317 AcquireSRWLockExclusive RegOpenKeyExW 1871->1883 1872->1871 1873->1876 1877 4b2470 FreeLibrary DeactivateActCtx 1873->1877 1875 4b5452 1875->1875 1876->1878 1880 4b240b RegCloseKey 1876->1880 1877->1876 1878->1855 1878->1875 1879->1867 1879->1868 1879->1872 1880->1878 1882->1883 1884 4b53e7 EtwEventWrite 1882->1884 1885 4b236a RegOpenKeyExW 1883->1885 1886 4b23a7 1883->1886 1884->1883 1885->1886 1887 4b2384 RegOpenKeyExW 1885->1887 1889 4b23bb 1886->1889 1890 4b23b1 RegCloseKey 1886->1890 1887->1886 1891 4b23bf RegCloseKey 1889->1891 1892 4b23c6 1889->1892 1890->1889 1891->1892 1892->1876 1893 4b23ca RegQueryValueExW 1892->1893 1893->1869 1893->1876 1895 4b2560 RegOpenKeyExW 1894->1895 1919 4b25da 1894->1919 1896 
4b2591 RegOpenKeyExW 1895->1896 1895->1919 1897 4b25b1 RegOpenKeyExW 1896->1897 1896->1919 1897->1919 1898 4b25ea RegCloseKey 1898->1919 1899 4b567f CreateActCtxW 1901 4b5699 GetLastError 1899->1901 1899->1919 1900 4b25fb RegCloseKey 1900->1919 1901->1919 1902 4b260a HeapAlloc 1903 4b2626 RegQueryValueExW 1902->1903 1902->1919 1903->1919 1904 4b56c1 ReleaseActCtx 1904->1919 1905 4b269c LCMapStringW RegQueryValueExW 1906 4b26f4 HeapFree 1905->1906 1905->1919 1906->1919 1907 4b2b42 1909 4b2b58 RegCloseKey 1907->1909 1910 4b2b5f 1907->1910 1908 4b2711 AcquireSRWLockShared 1912 4b2780 ReleaseSRWLockShared 1908->1912 1908->1919 1909->1910 1913 4b58c7 HeapFree 1910->1913 1914 4b2b67 1910->1914 1911 4b54f4 HeapFree 1996 4b60b0 1911->1996 1917 4b2793 1912->1917 1918 4b2881 RegGetValueW 1912->1918 1913->1914 1916 4b2b6f 1914->1916 1922 4b58e4 ReleaseActCtx 1914->1922 1923 4b50a0 4 API calls 1916->1923 1924 4b55e0 CreateActCtxW 1917->1924 1931 4b27a0 1917->1931 1920 4b28cc 1918->1920 1921 4b2b82 1918->1921 1919->1898 1919->1899 1919->1900 1919->1902 1919->1904 1919->1905 1919->1906 1919->1907 1919->1908 1919->1911 1919->1912 1920->1907 1928 4b28ed ActivateActCtx 1920->1928 1921->1920 1929 4b2b9d HeapAlloc 1921->1929 1922->1916 1925 4b2b7c 1923->1925 1926 4b561b 1924->1926 1927 4b5606 GetLastError 1924->1927 1925->1860 1935 4b5644 HeapFree 1926->1935 1927->1907 1932 4b290d 1928->1932 1933 4b56d6 GetLastError 1928->1933 1929->1920 1930 4b2bb6 RegGetValueW 1929->1930 1934 4b2be0 WideCharToMultiByte 1930->1934 1930->1935 1931->1931 1936 4b27cb HeapAlloc 1931->1936 1937 4b292d MultiByteToWideChar 1932->1937 1938 4b2914 LoadLibraryExW 1932->1938 1939 4b56e9 GetLastError 1933->1939 1948 4b2c5a HeapFree 1934->1948 1949 4b2c1a HeapAlloc 1934->1949 1935->1920 1936->1926 1940 4b27f6 memcpy memcpy AcquireSRWLockExclusive 1936->1940 1937->1939 1942 4b294e RtlRunOnceExecuteOnce 1937->1942 1938->1939 1941 4b292a 1938->1941 1945 4b56f7 1939->1945 1940->1926 1947 4b2852 
ReleaseSRWLockExclusive 1940->1947 1941->1937 1943 4b296a NtQuerySystemInformation 1942->1943 1944 4b56fe RtlNtStatusToDosError 1942->1944 1959 4b2983 1943->1959 1944->1959 1945->1860 1947->1907 1950 4b2878 1947->1950 1948->1920 1949->1948 1952 4b2c2f WideCharToMultiByte 1949->1952 1950->1918 1951 4b29a0 GetProcAddress 1953 4b29b2 DeactivateActCtx ActivateActCtx 1951->1953 1954 4b5785 GetLastError 1951->1954 1955 4b5658 HeapFree GetLastError 1952->1955 1956 4b2c51 1952->1956 1957 4b2a7c 1953->1957 1958 4b29f1 1953->1958 1960 4b5798 LoadLibraryExW 1954->1960 1955->1948 1956->1948 1957->1907 1962 4b2a90 ActivateActCtx 1957->1962 1958->1960 1961 4b29fc MultiByteToWideChar 1958->1961 1959->1945 1959->1951 1963 4b57af 1960->1963 1964 4b2a6e DeactivateActCtx 1960->1964 1961->1964 1965 4b2a1d RtlRunOnceExecuteOnce 1961->1965 1962->1907 1966 4b2ab7 1962->1966 1968 4b57b7 RtlNtStatusToDosError 1963->1968 1964->1957 1967 4b2a39 NtQuerySystemInformation 1965->1967 1965->1968 1969 4b582a LoadLibraryExW 1966->1969 1970 4b2ac2 MultiByteToWideChar 1966->1970 1974 4b2a60 GetProcAddress 1967->1974 1981 4b2a53 1967->1981 1980 4b57fd 1968->1980 1972 4b2b34 DeactivateActCtx 1969->1972 1973 4b5841 1969->1973 1971 4b2ae3 RtlRunOnceExecuteOnce 1970->1971 1970->1972 1975 4b5849 RtlNtStatusToDosError 1971->1975 1976 4b2aff NtQuerySystemInformation 1971->1976 1972->1907 1973->1975 1974->1964 1983 4b588f 1975->1983 1978 4b2b26 GetProcAddress 1976->1978 1982 4b2b19 1976->1982 1977 4b5814 1977->1860 1978->1972 1979 4b58a6 1979->1860 1980->1964 1980->1977 1981->1964 1981->1974 1981->1980 1982->1972 1982->1978 1982->1983 1983->1972 1983->1979 1985 4b2cc9 RtlInitializeCriticalSection 1984->1985 1986 4b2ce6 1984->1986 1985->1986 1987 4b2d28 1985->1987 1988 4b2d0b HeapAlloc 1986->1988 2000 4b2e20 AcquireSRWLockExclusive 1986->2000 1987->1869 1988->1987 1992 4b601a 1991->1992 1993 4b600f SetServiceStatus 1991->1993 1994 4b50a0 4 API calls 1992->1994 1993->1992 1995 4b6024 1994->1995 1995->1878 1997 
4b60e7 1996->1997 1998 4b60b4 LCMapStringW 1996->1998 1997->1919 1998->1997 2001 4b2e60 RtlLengthRequiredSid GetPEB HeapAlloc 2000->2001 2002 4b2e8a RtlInitializeSid RtlSubAuthoritySid 2001->2002 2003 4b5900 2001->2003 2002->2001 2004 4b2ebd 2002->2004 2005 4b2ec0 GetPEB RtlSubAuthorityCountSid RtlLengthRequiredSid HeapAlloc 2004->2005 2005->2003 2006 4b2f0f RtlCopySid 2005->2006 2007 4b58f0 HeapFree 2006->2007 2008 4b2f27 RtlSubAuthorityCountSid RtlSubAuthoritySid 2006->2008 2007->2003 2008->2005 2009 4b2f4b RtlLengthRequiredSid GetPEB HeapAlloc 2008->2009 2009->2003 2010 4b2f72 RtlInitializeSid RtlSubAuthoritySid RtlSubAuthoritySid RtlDeriveCapabilitySidsFromName 2009->2010 2011 4b3069 ReleaseSRWLockExclusive 2010->2011 2012 4b2fc6 RtlLengthRequiredSid GetPEB HeapAlloc 2010->2012 2013 4b50a0 4 API calls 2011->2013 2012->2003 2014 4b2ff7 7 API calls 2012->2014 2015 4b2cfc 2013->2015 2014->2011 2015->1987 2015->1988 2016 4b4d60 2019 4b4d90 2016->2019 2018 4b4d7e 2020 4b4e0a 2019->2020 2023 4b4db6 2019->2023 2020->2018 2021 4b4de4 CompareStringOrdinal 2022 4b4e0f 2021->2022 2021->2023 2022->2020 2024 4b4e1e AcquireSRWLockExclusive 2022->2024 2023->2020 2023->2021 2025 4b5ecd 2024->2025 2026 4b4e32 HeapAlloc 2024->2026 2030 4b5ed7 TpAllocWait 2025->2030 2027 4b4e4b 2026->2027 2028 4b4e83 2026->2028 2029 4b4e5e RegisterWaitForSingleObjectEx 2027->2029 2027->2030 2031 4b4e8e ReleaseSRWLockExclusive 2028->2031 2029->2028 2032 4b5f0f 2029->2032 2030->2032 2035 4b5ef0 TpSetWait 2030->2035 2033 4b4e9d 2031->2033 2034 4b5f36 HeapFree 2031->2034 2036 4b5f1b GetLastError 2032->2036 2037 4b5f28 RtlNtStatusToDosErrorNoTeb 2032->2037 2033->2018 2034->2020 2035->2032 2036->2031 2037->2031 2038 4b6060 2039 4b4d90 10 API calls 2038->2039 2040 4b607e 2039->2040 2045 4b2739 2112 4b25e0 2045->2112 2046 4b2780 ReleaseSRWLockShared 2047 4b2793 2046->2047 2048 4b2881 RegGetValueW 2046->2048 2052 4b55e0 CreateActCtxW 2047->2052 2063 4b27a0 2047->2063 2049 4b28cc 2048->2049 2050 4b2b82 
2048->2050 2053 4b2b42 2049->2053 2060 4b28ed ActivateActCtx 2049->2060 2050->2049 2061 4b2b9d HeapAlloc 2050->2061 2051 4b567f CreateActCtxW 2054 4b5699 GetLastError 2051->2054 2051->2112 2055 4b561b 2052->2055 2056 4b5606 GetLastError 2052->2056 2058 4b2b58 RegCloseKey 2053->2058 2059 4b2b5f 2053->2059 2054->2112 2071 4b5644 HeapFree 2055->2071 2056->2053 2057 4b25ea RegCloseKey 2057->2112 2058->2059 2064 4b58c7 HeapFree 2059->2064 2065 4b2b67 2059->2065 2066 4b290d 2060->2066 2067 4b56d6 GetLastError 2060->2067 2061->2049 2062 4b2bb6 RegGetValueW 2061->2062 2070 4b2be0 WideCharToMultiByte 2062->2070 2062->2071 2063->2063 2072 4b27cb HeapAlloc 2063->2072 2064->2065 2073 4b2b6f 2065->2073 2078 4b58e4 ReleaseActCtx 2065->2078 2075 4b292d MultiByteToWideChar 2066->2075 2076 4b2914 LoadLibraryExW 2066->2076 2081 4b56e9 GetLastError 2067->2081 2068 4b56c1 ReleaseActCtx 2068->2112 2069 4b25fb RegCloseKey 2069->2112 2089 4b2c5a HeapFree 2070->2089 2090 4b2c1a HeapAlloc 2070->2090 2071->2049 2072->2055 2077 4b27f6 memcpy memcpy AcquireSRWLockExclusive 2072->2077 2079 4b50a0 4 API calls 2073->2079 2074 4b260a HeapAlloc 2083 4b2626 RegQueryValueExW 2074->2083 2074->2112 2075->2081 2082 4b294e RtlRunOnceExecuteOnce 2075->2082 2080 4b292a 2076->2080 2076->2081 2077->2055 2085 4b2852 ReleaseSRWLockExclusive 2077->2085 2078->2073 2086 4b2b7c 2079->2086 2080->2075 2124 4b56f7 2081->2124 2087 4b296a NtQuerySystemInformation 2082->2087 2088 4b56fe RtlNtStatusToDosError 2082->2088 2083->2112 2085->2053 2091 4b2878 2085->2091 2092 4b2983 2087->2092 2088->2092 2089->2049 2090->2089 2093 4b2c2f WideCharToMultiByte 2090->2093 2091->2048 2094 4b29a0 GetProcAddress 2092->2094 2092->2124 2095 4b5658 HeapFree GetLastError 2093->2095 2096 4b2c51 2093->2096 2097 4b29b2 DeactivateActCtx ActivateActCtx 2094->2097 2098 4b5785 GetLastError 2094->2098 2095->2089 2096->2089 2099 4b2a7c 2097->2099 2100 4b29f1 2097->2100 2101 4b5798 LoadLibraryExW 2098->2101 2099->2053 2103 4b2a90 ActivateActCtx 
2099->2103 2100->2101 2102 4b29fc MultiByteToWideChar 2100->2102 2105 4b57af 2101->2105 2106 4b2a6e DeactivateActCtx 2101->2106 2102->2106 2107 4b2a1d RtlRunOnceExecuteOnce 2102->2107 2103->2053 2109 4b2ab7 2103->2109 2104 4b269c LCMapStringW RegQueryValueExW 2108 4b26f4 HeapFree 2104->2108 2104->2112 2111 4b57b7 RtlNtStatusToDosError 2105->2111 2106->2099 2110 4b2a39 NtQuerySystemInformation 2107->2110 2107->2111 2108->2112 2113 4b582a LoadLibraryExW 2109->2113 2114 4b2ac2 MultiByteToWideChar 2109->2114 2119 4b2a60 GetProcAddress 2110->2119 2130 4b2a53 2110->2130 2131 4b57fd 2111->2131 2112->2046 2112->2051 2112->2053 2112->2057 2112->2068 2112->2069 2112->2074 2112->2104 2112->2108 2117 4b2711 AcquireSRWLockShared 2112->2117 2120 4b54f4 HeapFree 2112->2120 2116 4b2b34 DeactivateActCtx 2113->2116 2118 4b5841 2113->2118 2115 4b2ae3 RtlRunOnceExecuteOnce 2114->2115 2114->2116 2121 4b5849 RtlNtStatusToDosError 2115->2121 2122 4b2aff NtQuerySystemInformation 2115->2122 2116->2053 2117->2046 2117->2112 2118->2121 2119->2106 2125 4b60b0 LCMapStringW 2120->2125 2127 4b588f 2121->2127 2126 4b2b26 GetProcAddress 2122->2126 2129 4b2b19 2122->2129 2123 4b5814 2125->2112 2126->2116 2127->2116 2128 4b58a6 2127->2128 2129->2116 2129->2126 2129->2127 2130->2106 2130->2119 2130->2131 2131->2106 2131->2123 2136 4b60f0 2139 4b1fa0 AcquireSRWLockExclusive ReleaseSRWLockExclusive 2136->2139 2138 4b610b 2140 4b1fde 2139->2140 2143 4b2000 AcquireSRWLockExclusive 2140->2143 2153 4b20c0 RegOpenKeyExW 2143->2153 2146 4b203c RegQueryValueExW 2147 4b20a5 ReleaseSRWLockExclusive 2146->2147 2150 4b205c 2146->2150 2148 4b1fe8 HeapFree 2147->2148 2149 4b20b5 RegCloseKey 2147->2149 2148->2138 2149->2148 2150->2147 2151 4b206d ActivateActCtx 2150->2151 2151->2147 2152 4b2084 FreeLibrary DeactivateActCtx 2151->2152 2152->2147 2154 4b20fe RegOpenKeyExW 2153->2154 2156 4b2138 2153->2156 2155 4b2118 RegOpenKeyExW 2154->2155 2154->2156 2155->2156 2157 4b214c 2156->2157 2158 4b2142 RegCloseKey 
2156->2158 2159 4b2150 RegCloseKey 2157->2159 2160 4b2038 2157->2160 2158->2157 2159->2160 2160->2146 2160->2147 2161 4b6030 2162 4b603b 2161->2162 2163 4b6046 2161->2163 2165 4b6380 2162->2165 2178 4b64e5 GetTickCount64 2165->2178 2168 4b4b90 5 API calls 2169 4b63b9 2168->2169 2185 4b6333 GetTickCount64 TpSetTimer 2169->2185 2171 4b64d1 2172 4b50a0 4 API calls 2171->2172 2174 4b64e1 2172->2174 2173 4b63c8 2175 4b640f CompareStringOrdinal 2173->2175 2176 4b63d3 2173->2176 2174->2163 2175->2173 2175->2176 2176->2171 2186 4b65c8 EventWriteTransfer 2176->2186 2179 4b6509 2178->2179 2180 4b652c 2179->2180 2181 4b6533 2179->2181 2182 4b63a6 2179->2182 2183 4b4940 10 API calls 2180->2183 2184 4b4c60 3 API calls 2181->2184 2182->2168 2182->2173 2183->2182 2184->2182 2185->2173 2186->2171

    Callgraph (interactive rendering on the original page; node and edge list omitted). Its nodes are the functions Function_004B1FA0 through Function_004B68E6 and its edges the call relations among them; the entry at Function_004B3120 calls Function_004B3150 and Function_004B4850, and Function_004B3150 calls Function_004B32D0, Function_004B3540, Function_004B35A0, Function_004B3EF0, Function_004B3F50 and Function_004B50A0.

    Control-flow Graph

    APIs
    • NtSetInformationProcess.NTDLL(000000FF,00000036,?), ref: 004B3183
    • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(004B6110), ref: 004B318E
    • SetErrorMode.KERNELBASE(00000001), ref: 004B3196
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 004B319C
    • InitializeSRWLock.API-MS-WIN-CORE-SYNCH-L1-1-0(004B7380), ref: 004B31C0
    • InitializeSRWLock.API-MS-WIN-CORE-SYNCH-L1-1-0(004B7360), ref: 004B31CB
    • RegDisablePredefinedCacheEx.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 004B31D1
    • EventRegister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0(004B13B0,00000000,00000000,004B73C0), ref: 004B31E3
    • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 004B31F6
      • Part of subcall function 004B3F50: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000064,00000000,?,?,00000004), ref: 004B3F8A
      • Part of subcall function 004B3F50: memcpy.API-MS-WIN-CORE-CRT-L1-1-0(00000064,00000000,00000000,?,?,00000004), ref: 004B3FAA
      • Part of subcall function 004B3F50: LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000400,00000100,?,?,?,?,?,?,?,00000004), ref: 004B4031
    • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000052,?,00000090,?,?,?,?,00000004), ref: 004B3258
    • NtSetInformationProcess.NTDLL(00000000), ref: 004B325F
      • Part of subcall function 004B35A0: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion\Svchost,00000000,00020019,l2K,?,?,004B326C,?,?,?,?,00000004), ref: 004B35C3
      • Part of subcall function 004B35A0: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(l2K,00000000,00000000,?,?,004B326C,?,?,?,?,00000004), ref: 004B35E0
      • Part of subcall function 004B35A0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000,?,?,004B326C,?,?,?,?,00000004), ref: 004B3646
      • Part of subcall function 004B35A0: InitializeSRWLock.API-MS-WIN-CORE-SYNCH-L1-1-0(00000010,?,?,004B326C,?,?,?,?,00000004), ref: 004B3677
      • Part of subcall function 004B3540: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,00000000,004B3271,?,?,?,?,00000004), ref: 004B3563
    • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,?,00000004), ref: 004B3292
    • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,00000004), ref: 004B32B7
    • ExitProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 004B32C1
      • Part of subcall function 004B32D0: RpcMgmtSetServerStackSize.RPCRT4(?), ref: 004B332E
      • Part of subcall function 004B32D0: I_RpcServerDisableExceptionFilter.RPCRT4 ref: 004B333A
      • Part of subcall function 004B32D0: RtlSetProcessIsCritical.NTDLL ref: 004B334C
      • Part of subcall function 004B32D0: SetProcessMitigationPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000002(ProcessDynamicCodePolicy),?,00000004), ref: 004B3367
      • Part of subcall function 004B32D0: SetProcessMitigationPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000008(ProcessSignaturePolicy),?,00000004), ref: 004B337F
      • Part of subcall function 004B32D0: SetProcessMitigationPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000006(ProcessExtensionPointDisablePolicy),?,00000004), ref: 004B33A6
      • Part of subcall function 004B32D0: SetProtectedPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(NoUrlMimeFilters,00000001,00000000), ref: 004B33B5
      • Part of subcall function 004B32D0: HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001(HeapEnableTerminationOnCorruption),00000000,00000000), ref: 004B33C3
      • Part of subcall function 004B32D0: HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000004,00000000,00000000), ref: 004B33FB
      • Part of subcall function 004B32D0: TpAllocTimer.NTDLL ref: 004B340E
    • memset.API-MS-WIN-CORE-CRT-L1-1-0(?,00000000,00000090), ref: 004B3219
      • Part of subcall function 004B3EF0: _vsnwprintf.NTDLL ref: 004B3F21
    • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000001), ref: 004B590C
    • SetProcessAffinityUpdateMode.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 004B5913
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: Process$Heap$AllocInformationPolicy$InitializeLockMitigation$CurrentDisableExceptionFilterFreeModeServer$AffinityCacheCloseCommandCriticalErrorEventExitLineMgmtOpenPredefinedProtectedRegisterSizeStackStringTimerUnhandledUpdate_vsnwprintfmemcpymemset
    • String ID: [%ws]$[%ws] [%ws]
    • API String ID: 350296402-2631382080
    • Opcode ID: 15025254753791d0fc9112a829cbdd4d89af21bf2fbb493e667c81a33a9b2f4b
    • Instruction ID: 3805ae598f4f8083cb9ee09dcb67a5a670eb105ce1b6a6ae81c7fff810738229
    • Opcode Fuzzy Hash: 15025254753791d0fc9112a829cbdd4d89af21bf2fbb493e667c81a33a9b2f4b
    • Instruction Fuzzy Hash: 8E41B271604700ABD7206F76DC0AF9B3AACAB84B45F14022EFA05962D1DF789905CB7E
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
      • Part of subcall function 004B3150: NtSetInformationProcess.NTDLL(000000FF,00000036,?), ref: 004B3183
      • Part of subcall function 004B3150: SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(004B6110), ref: 004B318E
      • Part of subcall function 004B3150: SetErrorMode.KERNELBASE(00000001), ref: 004B3196
      • Part of subcall function 004B3150: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 004B319C
      • Part of subcall function 004B3150: InitializeSRWLock.API-MS-WIN-CORE-SYNCH-L1-1-0(004B7380), ref: 004B31C0
      • Part of subcall function 004B3150: InitializeSRWLock.API-MS-WIN-CORE-SYNCH-L1-1-0(004B7360), ref: 004B31CB
      • Part of subcall function 004B3150: RegDisablePredefinedCacheEx.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 004B31D1
      • Part of subcall function 004B3150: EventRegister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0(004B13B0,00000000,00000000,004B73C0), ref: 004B31E3
      • Part of subcall function 004B3150: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 004B31F6
      • Part of subcall function 004B3150: memset.API-MS-WIN-CORE-CRT-L1-1-0(?,00000000,00000090), ref: 004B3219
      • Part of subcall function 004B3150: GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000052,?,00000090,?,?,?,?,00000004), ref: 004B3258
      • Part of subcall function 004B3150: NtSetInformationProcess.NTDLL(00000000), ref: 004B325F
      • Part of subcall function 004B3150: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,?,00000004), ref: 004B3292
    • I_RegisterSvchostNotificationCallback.API-MS-WIN-SERVICE-PRIVATE-L1-1-3(Function_00006030), ref: 004B3133
    • StartServiceCtrlDispatcherW.API-MS-WIN-SERVICE-CORE-L1-1-0(00000000), ref: 004B313A
    • ExitProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 004B3147
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: Process$HeapInformationInitializeLockRegister$CacheCallbackCommandCtrlCurrentDisableDispatcherErrorEventExceptionExitFilterFreeLineModeNotificationPredefinedServiceStartSvchostUnhandledmemset
    • String ID:
    • API String ID: 721293443-0
    • Opcode ID: 399117f65811ee820ce7b261a469fbdc1bf1d915f3d4e2b10b249dce3ac45ed1
    • Instruction ID: 051253731249955a378a46c9b49ec48071177b1edb2a323866456e0485f597c8
    • Opcode Fuzzy Hash: 399117f65811ee820ce7b261a469fbdc1bf1d915f3d4e2b10b249dce3ac45ed1
    • Instruction Fuzzy Hash: 04D0123140392057C2513F6F5C0DB8F351C6F85B43B0A022DF515661518E3C8902CABD
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,System\CurrentControlSet\Services,00000000,00020019,?,00000000,-004B7390), ref: 004B2585
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00020019,?), ref: 004B25A5
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,Parameters,00000000,00020019,?), ref: 004B25C9
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 004B25EB
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 004B25FC
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,0000020A), ref: 004B2616
    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,ServiceDll,00000000,?,00000000,?), ref: 004B2651
    • ExpandEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,?,00000104), ref: 004B2682
    • LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000400,00000100,?,?,?,?), ref: 004B26B9
    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,ServiceManifest,00000000,00000002,00000000,0000020A), ref: 004B26E5
    • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 004B2705
    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(004B7380), ref: 004B2718
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: Open$CloseHeapQueryValue$AcquireAllocEnvironmentExpandFreeLockSharedStringStrings
    • String ID: $Parameters$ServiceDll$ServiceMain$ServiceMain$ServiceManifest$SvchostPushServiceGlobals$SvchostPushServiceGlobalsEx$System\CurrentControlSet\Services$`Cu
    • API String ID: 3542892692-601186239
    • Opcode ID: 1827bd0882e6f2f359e76e045a0662b00b73a0da52e69b468a3a8c77b22e0013
    • Instruction ID: 82e982061f927b127f1190bd4a7ebdca525b24fc82f865e24340715eab63a8b6
    • Opcode Fuzzy Hash: 1827bd0882e6f2f359e76e045a0662b00b73a0da52e69b468a3a8c77b22e0013
    • Instruction Fuzzy Hash: 60727F70A04615DBDB249F24CD44BEAB7F8FF54700F1482AAE949A7290DF749D81CFA8
    Uniqueness

    Uniqueness Score: -1.00%
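    The two registry reads traced in this report, the group list under Software\Microsoft\Windows NT\CurrentVersion\Svchost (read by the first function after GetCommandLineW, with LCMapStringW(LCMAP_LOWERCASE) folding the name) and Parameters\ServiceDll under System\CurrentControlSet\Services\<service> (read by the function above, expanded with ExpandEnvironmentStringsW into a MAX_PATH buffer), are the hosting mechanism an analyst audits when svchost is suspected of loading a hijacked DLL. The Python below models that resolution over a constructed registry snapshot and classifies each group member by where its DLL resolves. It is an added example, not code from the sample or from Microsoft; the HKLM snapshot, the ENV values, the service names and the hypothetical UpdaterSvc and Ghost entries are invented for the demo, and a live audit would read the same keys through winreg or reg.exe.

```python
r"""Model of the service-group and ServiceDll resolution seen in the report:
Software\Microsoft\Windows NT\CurrentVersion\Svchost\<group> (REG_MULTI_SZ of
service names) and System\CurrentControlSet\Services\<service>\Parameters\ServiceDll
(REG_EXPAND_SZ, expanded with ExpandEnvironmentStringsW).

Added example, not code from the sample or from Microsoft. HKLM, ENV, the
service names and the UpdaterSvc / Ghost entries are constructed for the demo.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SVCHOST_KEY = r"software\microsoft\windows nt\currentversion\svchost"
SERVICES_KEY = r"system\currentcontrolset\services"

# Constructed HKLM snapshot: lowercase key path -> {value name: data}.
HKLM: Dict[str, Dict[str, object]] = {
    SVCHOST_KEY: {"netsvcs": ["Schedule", "Themes", "UpdaterSvc", "Ghost"]},
    ntpath.join(SERVICES_KEY, "schedule", "parameters"): {
        "ServiceDll": r"%SystemRoot%\System32\schedsvc.dll"},
    ntpath.join(SERVICES_KEY, "themes", "parameters"): {
        "ServiceDll": r"%SystemRoot%\system32\themeservice.dll"},
    ntpath.join(SERVICES_KEY, "updatersvc", "parameters"): {
        # Hypothetical hijack: a group member whose DLL lives under a user-writable path.
        "ServiceDll": r"%ProgramData%\Updater\upd.dll"},
    # "Ghost" is listed in the group but has no Parameters key at all.
}
ENV = {"SystemRoot": r"C:\Windows", "ProgramData": r"C:\ProgramData"}
SYSTEM32 = ntpath.join(ENV["SystemRoot"], "System32").lower() + "\\"


def reg_query(path: str, name: str):
    """RegOpenKeyExW + RegQueryValueExW: key paths and value names are case-insensitive."""
    key = HKLM.get(path.lower())
    if key is None:
        return None
    for value_name, data in key.items():
        if value_name.lower() == name.lower():
            return data
    return None


def expand_env(value: str) -> str:
    """ExpandEnvironmentStringsW: %NAME% -> ENV[NAME]; unknown names are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1), m.group(0)), value)


def parse_group(cmdline: str) -> Optional[str]:
    """Return the -k <group> argument of an svchost command line; the switch is
    matched case-insensitively, as the LCMapStringW(LCMAP_LOWERCASE) call does."""
    parts = cmdline.split()
    for i, part in enumerate(parts[:-1]):
        if part.lower() == "-k":
            return parts[i + 1]
    return None


@dataclass
class Resolved:
    service: str
    dll: Optional[str]
    finding: str  # "ok", "missing", "unexpanded" or "outside-system32"


def resolve_service_dll(service: str) -> Resolved:
    """Services\<service>\Parameters\ServiceDll, expanded and classified by location."""
    raw = reg_query(ntpath.join(SERVICES_KEY, service, "Parameters"), "ServiceDll")
    if not isinstance(raw, str):
        return Resolved(service, None, "missing")
    dll = expand_env(raw)
    if "%" in dll:
        return Resolved(service, dll, "unexpanded")
    if ntpath.normpath(dll).lower().startswith(SYSTEM32):
        return Resolved(service, dll, "ok")
    return Resolved(service, dll, "outside-system32")


def audit_group(cmdline: str) -> List[Resolved]:
    """Resolve every member of the -k group the way svchost does and classify its DLL."""
    group = parse_group(cmdline)
    members = reg_query(SVCHOST_KEY, group) if group else None
    if not isinstance(members, list):
        return []
    return [resolve_service_dll(s) for s in members]


if __name__ == "__main__":
    for r in audit_group('"C:\\Windows\\System32\\svchost.exe" -k netsvcs -p'):
        print(f"{r.service:12} {r.finding:18} {r.dll}")
```

    The "outside-system32" and "unexpanded" classes are the ones worth alerting on: a ServiceDll that expands to a user-writable directory, or that references an environment variable the service account does not have, is exactly what a persistence hijack of a hosted service looks like. A "missing" member is normal for services that ship their own executable rather than a DLL, so it is informational only.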

    Control-flow Graph (interactive rendering on the original page; block list omitted). The blocks run from 004B45C0 to 004B47EA on the success path, with a separate error path at 004B5C47 to 004B5D1A in which every failed call falls through to GetLastError and a GetPEB/HeapFree cleanup before rejoining at 004B47C4.
    APIs
    • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000008,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 004B45EC
    • OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 004B45F3
    • GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 004B460C
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 004B4616
    • GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000005(TokenIntegrityLevel),00000000,00000000,?), ref: 004B4634
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 004B463E
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000008,?), ref: 004B466F
    • InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000001), ref: 004B4688
    • GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000001(TokenIntegrityLevel),00000014,?,?), ref: 004B46A3
    • GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000005(TokenIntegrityLevel),?,?,?), ref: 004B46C0
    • SetSecurityDescriptorOwner.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000014,00000000), ref: 004B46D3
    • SetSecurityDescriptorGroup.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,?,00000000), ref: 004B46E9
    • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0(004B14C0), ref: 004B46FC
    • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0(004B14CC), ref: 004B470F
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000008,00000008), ref: 004B4738
    • InitializeAcl.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000008,00000002), ref: 004B474C
    • AddAccessAllowedAce.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000002,00000001,004B14C0), ref: 004B4764
    • AddAccessAllowedAce.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000002,00000001,004B14CC), ref: 004B4782
    • SetSecurityDescriptorDacl.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000001,00000000,00000000), ref: 004B47A6
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 004B47CC
    • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0(004B14DC), ref: 004B47F2
    • AddAccessAllowedAce.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000002,00000001,004B14DC), ref: 004B480C
    • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0(004B150C), ref: 004B4820
    • AddAccessAllowedAce.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000002,00000001,004B150C), ref: 004B483A
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 004B5C47
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 004B5CD0
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 004B5CDD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: ErrorLastToken$AccessAllowedDescriptorInformationLengthSecurity$AllocHeapInitializeProcess$CloseCurrentDaclGroupHandleOpenOwner
    • String ID: z$z
    • API String ID: 3690069739-3877588240
    • Opcode ID: fd193018951083e90caee284604feb3b2380162c62e600052fb4213cf573d950
    • Instruction ID: 8947e408bfbca98de6e07fb3e56de0521ac8cbf03ef216a56cfee2a407268f8c
    • Opcode Fuzzy Hash: fd193018951083e90caee284604feb3b2380162c62e600052fb4213cf573d950
    • Instruction Fuzzy Hash: 3791A630640705EFDB115FA4DC49BEA7BB8FB45B41F10422AF602E62A1DF748901DB79
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(004B7380), ref: 004B2785
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000), ref: 004B27E2
    • memcpy.API-MS-WIN-CORE-CRT-L1-1-0(0000001C,?), ref: 004B2812
    • memcpy.API-MS-WIN-CORE-CRT-L1-1-0(?,?,00000000,0000001C,?), ref: 004B2825
    • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(004B7380), ref: 004B283B
    • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(004B7380), ref: 004B2868
    • RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,ServiceMain,0000FFFF,?,00000000,00000000), ref: 004B28BE
    • ActivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(?,?), ref: 004B28FF
    • LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000008), ref: 004B291A
    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000,00000000,000000FF,?,00000104), ref: 004B2940
    • RtlRunOnceExecuteOnce.NTDLL(004B73B8,004B4F10,00000000,00000000), ref: 004B295C
    • NtQuerySystemInformation.NTDLL(000000A4,?,00000020,00000000), ref: 004B2979
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,00000000), ref: 004B29A2
    • DeactivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000000,?), ref: 004B29BA
    • ActivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(?,?), ref: 004B29E3
    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000,SvchostPushServiceGlobalsEx,000000FF,?,00000104), ref: 004B2A13
    • RtlRunOnceExecuteOnce.NTDLL(004B73B8,004B4F10,00000000,00000000), ref: 004B2A2B
    • NtQuerySystemInformation.NTDLL(000000A4,?,00000020,00000000), ref: 004B2A49
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,SvchostPushServiceGlobalsEx), ref: 004B2A66
    • DeactivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000000,?), ref: 004B2A76
    • ActivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(?,?), ref: 004B2AA9
    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000,SvchostPushServiceGlobals,000000FF,?,00000104), ref: 004B2AD9
    • RtlRunOnceExecuteOnce.NTDLL(004B73B8,004B4F10,00000000,00000000), ref: 004B2AF1
    • NtQuerySystemInformation.NTDLL(000000A4,?,00000020,00000000), ref: 004B2B0F
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,SvchostPushServiceGlobals), ref: 004B2B2C
    • DeactivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000000,?), ref: 004B2B3C
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 004B2B59
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: Once$ActivateAddressByteCharDeactivateExecuteInformationLockMultiProcQuerySystemWide$ExclusiveReleasememcpy$AcquireAllocCloseHeapLibraryLoadSharedValue
    • String ID: ServiceMain$ServiceMain$SvchostPushServiceGlobals$SvchostPushServiceGlobalsEx
    • API String ID: 2864900979-679183997
    • Opcode ID: 243ee3d1804adfa7c2dea058b9f47d85932b00ef539766060d3910a1fbb4fb89
    • Instruction ID: c452e045ebc62b72f37b75d52781ca5d8a3aaf6719a67d27b1f481563fa88987
    • Opcode Fuzzy Hash: 243ee3d1804adfa7c2dea058b9f47d85932b00ef539766060d3910a1fbb4fb89
    • Instruction Fuzzy Hash: 33B18031640615ABDB209F24CD45BEAB7F8FF54700F1582AAE948A7290DFB4DD41CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(004B7440,00000000,-004B7390,?,004B2450,?,000000FF,00000000), ref: 004B2E54
    • RtlLengthRequiredSid.NTDLL(00000001), ref: 004B2E68
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000000,00000000,?,004B2450,?,000000FF,00000000), ref: 004B2E7A
    • RtlInitializeSid.NTDLL(00000000,004B1014,00000001), ref: 004B2E94
    • RtlSubAuthoritySid.NTDLL(004B7490,00000000), ref: 004B2EA4
    • RtlSubAuthorityCountSid.NTDLL(?), ref: 004B2EE2
    • RtlLengthRequiredSid.NTDLL(?), ref: 004B2EF0
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,?,004B2450,?,000000FF,00000000), ref: 004B2EFF
    • RtlCopySid.NTDLL ref: 004B2F14
    • RtlSubAuthorityCountSid.NTDLL(00000000), ref: 004B2F27
    • RtlSubAuthoritySid.NTDLL(htK,?), ref: 004B2F34
    • RtlLengthRequiredSid.NTDLL(00000002), ref: 004B2F4D
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000000,00000000,?,004B2450,?,000000FF,00000000), ref: 004B2F5F
    • RtlInitializeSid.NTDLL(00000000,00000000,00000002), ref: 004B2F79
    • RtlSubAuthoritySid.NTDLL(00000000), ref: 004B2F87
    • RtlSubAuthoritySid.NTDLL(00000001), ref: 004B2F9B
    • RtlDeriveCapabilitySidsFromName.NTDLL ref: 004B2FB6
    • RtlLengthRequiredSid.NTDLL(00000006), ref: 004B2FD2
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000000,00000000,?,004B2450,?,000000FF,00000000), ref: 004B2FE4
    • RtlInitializeSid.NTDLL(00000000,00000000,00000006), ref: 004B2FFE
    • RtlSubAuthoritySid.NTDLL(00000000), ref: 004B300D
    • RtlSubAuthoritySid.NTDLL(00000001), ref: 004B3021
    • RtlSubAuthoritySid.NTDLL(00000002), ref: 004B3031
    • RtlSubAuthoritySid.NTDLL(00000003), ref: 004B3041
    • RtlSubAuthoritySid.NTDLL(00000004), ref: 004B3051
    • RtlSubAuthoritySid.NTDLL(00000005), ref: 004B3061
    • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(004B7440,?,004B2450,?,000000FF,00000000), ref: 004B306E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: Authority$AllocHeapLengthRequired$Initialize$CountExclusiveLock$AcquireCapabilityCopyDeriveFromNameReleaseSids
    • String ID: P$K$htK
    • API String ID: 4098953902-3463356074
    • Opcode ID: 228857f704698c8f3736687f959ef9094cdb0b765e3ecfa500feab288f2709c2
    • Instruction ID: 62d5f03ae5ba499649e54d04c0ca160fe81a22d964d1b5fcf0d74eae2ec22247
    • Opcode Fuzzy Hash: 228857f704698c8f3736687f959ef9094cdb0b765e3ecfa500feab288f2709c2
    • Instruction Fuzzy Hash: C1616C71540605EFDB159FA8EC59B6A7BB8FB08705F0006B8F601A72B0CF759850DB69
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • RtlImageNtHeader.NTDLL(?), ref: 004B3321
    • RpcMgmtSetServerStackSize.RPCRT4(?), ref: 004B332E
    • I_RpcServerDisableExceptionFilter.RPCRT4 ref: 004B333A
    • RtlSetProcessIsCritical.NTDLL ref: 004B334C
    • SetProcessMitigationPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000002,?,00000004), ref: 004B3367
    • SetProcessMitigationPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000008,?,00000004), ref: 004B337F
    • SetProcessMitigationPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000006,?,00000004), ref: 004B33A6
    • SetProtectedPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-2(NoUrlMimeFilters,00000001,00000000), ref: 004B33B5
    • HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 004B33C3
    • HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000004,00000000,00000000), ref: 004B33FB
    • TpAllocTimer.NTDLL ref: 004B340E
    • EventRegister.API-MS-WIN-EVENTING-PROVIDER-L1-1-0(?,004B4EB0,004B7000,004B7018), ref: 004B3461
    • EventSetInformation.API-MS-WIN-EVENTING-PROVIDER-L1-1-0(00000002,?,00000000), ref: 004B3484
    • GetTickCount64.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 004B3492
    • GetTickCount64.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 004B34A3
    • TpSetTimer.NTDLL ref: 004B34DE
    • NtSetInformationProcess.NTDLL(000000FF,00000034,00000004,00000008), ref: 004B3503
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: Process$InformationPolicy$Mitigation$Count64EventHeapServerTickTimer$AllocCriticalDisableExceptionFilterHeaderImageMgmtProtectedRegisterSizeStack
    • String ID: NoUrlMimeFilters$~2K
    • API String ID: 1743967075-1706826827
    • Opcode ID: bb294d15d18bb3e5c6dfcf12c1ac5de680b0a33af92d5979f7ebe5443c92712f
    • Instruction ID: 951ed3a0a216203bae23ba6a58679d80645a7e4851a5ab7ccf8834bd9207df05
    • Opcode Fuzzy Hash: bb294d15d18bb3e5c6dfcf12c1ac5de680b0a33af92d5979f7ebe5443c92712f
    • Instruction Fuzzy Hash: A5718370A44304AFDB20DF65DC49BAA7BF8FB44705F10466EFA01E62D0DB75A904CB68
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • MakeAbsoluteSD.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000000,004B4592,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,004B4592,00000000), ref: 004B4FFF
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,004B4592,00000000,00000000), ref: 004B500D
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000008,?,?,?,?,?,004B4592,00000000,00000000), ref: 004B5034
    • MakeAbsoluteSD.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000000,004B4592,?,00000000,00000000,00000000,?,?,?,?,00000000,?), ref: 004B5077
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,?,?,?,?,004B4592,00000000,00000000), ref: 004B5F86
    • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000000,00000000,?,?,?,?,00000000,?,?,?,?,004B4592,00000000,00000000), ref: 004B5F9B
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: AbsoluteErrorHeapLastMake$AllocFree
    • String ID:
    • API String ID: 2337675216-0
    • Opcode ID: 24d0f8bd3778132949439701d0f0aff63138e3a80925eb8c8be68bafeed1377e
    • Instruction ID: 3887ca1bc9ee2a6f01b49c68110bcef407fbc97274f1b3e1d2c6e433648f19cf
    • Opcode Fuzzy Hash: 24d0f8bd3778132949439701d0f0aff63138e3a80925eb8c8be68bafeed1377e
    • Instruction Fuzzy Hash: F7312F76A00509AFDB14DF98CC85FFEB7BCEF44704F140169E605E7280EA74AA06CBA5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RpcServerUnregisterIfEx.RPCRT4(?,00000000,00000001), ref: 004B67DD
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(004B7428), ref: 004B67EA
    • RpcMgmtStopServerListening.RPCRT4(00000000), ref: 004B67FB
    • RpcMgmtWaitServerListen.RPCRT4 ref: 004B6801
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(004B7428), ref: 004B680C
    • I_RpcMapWin32Status.RPCRT4(00000000), ref: 004B6813
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: Server$CriticalMgmtSection$EnterLeaveListenListeningStatusStopUnregisterWaitWin32
    • String ID:
    • API String ID: 3168261810-0
    • Opcode ID: a228b6fe6c120d0c8a6ec2b51b3186e81d57125baf2588a5ee83008d98aa2f8d
    • Instruction ID: b1e6ecee0721bd608aea136abfa24277584ce099f89fecd9a455b96c8177a61f
    • Opcode Fuzzy Hash: a228b6fe6c120d0c8a6ec2b51b3186e81d57125baf2588a5ee83008d98aa2f8d
    • Instruction Fuzzy Hash: 11E06532140200ABCA203BA5AC0EB8A3F2CAB807A2F110239F301A11A0CEA88415CB7D
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RpcServerUnregisterIf.RPCRT4(?,00000000,00000001), ref: 004B678D
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(004B7428), ref: 004B679A
    • RpcMgmtStopServerListening.RPCRT4(00000000), ref: 004B67AB
    • RpcMgmtWaitServerListen.RPCRT4 ref: 004B67B1
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(004B7428), ref: 004B67BC
    • I_RpcMapWin32Status.RPCRT4(00000000), ref: 004B67C3
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: Server$CriticalMgmtSection$EnterLeaveListenListeningStatusStopUnregisterWaitWin32
    • String ID:
    • API String ID: 3168261810-0
    • Opcode ID: 91bf0badca7fcda817dd9719619b2db02c4e315275f9aaea33a16009524e7824
    • Instruction ID: 79e9cdbe50b27f3314ac70acd026ddce826e6d8fd00808ebb3f88f4384aa9124
    • Opcode Fuzzy Hash: 91bf0badca7fcda817dd9719619b2db02c4e315275f9aaea33a16009524e7824
    • Instruction Fuzzy Hash: 04E01A32544214ABCB103BA5BC0EBDE3F6CEB857A6F150239F705A51A0CEB98415CB6D
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 004B50DD
    • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 004B50EC
    • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 004B50F5
    • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 004B50FE
    • QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 004B5113
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 9a232d40d056365fe62951d84c80ab9c7901f1e2a807e712aa2ce8375defff89
    • Instruction ID: 80fcc37d7f26306a02a519b9303f68786cca9573caebcc4d259384ba56f290b0
    • Opcode Fuzzy Hash: 9a232d40d056365fe62951d84c80ab9c7901f1e2a807e712aa2ce8375defff89
    • Instruction Fuzzy Hash: 30111F71D15208EBCB10EFB8D94869EB7F9FF48351F52496AD805E7210EB349A04CB58
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(004B7428), ref: 004B671B
      • Part of subcall function 004B665C: LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 004B6688
    • RpcServerListen.RPCRT4(?,00003039,?), ref: 004B6749
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(004B7428), ref: 004B6760
    • I_RpcMapWin32Status.RPCRT4(00000000), ref: 004B6767
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: CriticalSection$AllocEnterLeaveListenLocalServerStatusWin32
    • String ID:
    • API String ID: 3342318003-0
    • Opcode ID: 171422472bd3f1d6badf0c1a667bd09117802cf023586a4b212f74958828dd95
    • Instruction ID: 818b5eac8138d0f40cb6175944ba9a520f6516d7d6322c323d056645731203e1
    • Opcode Fuzzy Hash: 171422472bd3f1d6badf0c1a667bd09117802cf023586a4b212f74958828dd95
    • Instruction Fuzzy Hash: 16F0BE32900224AF8B11AB68AC498EA3B5CEB84B513120225FD05A7210CB389C02CBE8
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,004B5280,@pK), ref: 004B5151
    • UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(004B5280,?,004B5280,@pK), ref: 004B515A
    • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,004B5280,@pK), ref: 004B5165
    • TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,004B5280,@pK), ref: 004B516C
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
    • String ID:
    • API String ID: 3231755760-0
    • Opcode ID: 024614ed6ea006697dee96f04b3b5b0370105ecb83468637a404ce49a3aeb68d
    • Instruction ID: 6a6d9e786e65294c0773416b8ace1b45e8359541100f36af803b72861a4d0846
    • Opcode Fuzzy Hash: 024614ed6ea006697dee96f04b3b5b0370105ecb83468637a404ce49a3aeb68d
    • Instruction Fuzzy Hash: E9D00272044108FFD7403BE1ED0DA4A3F2DEB44796F064524F70D96461DF715459DB69
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 004B45C0: GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000008,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 004B45EC
      • Part of subcall function 004B45C0: OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 004B45F3
      • Part of subcall function 004B45C0: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 004B460C
      • Part of subcall function 004B45C0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 004B4616
      • Part of subcall function 004B45C0: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000005(TokenIntegrityLevel),00000000,00000000,?), ref: 004B4634
      • Part of subcall function 004B45C0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 004B463E
      • Part of subcall function 004B45C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000008,?), ref: 004B466F
      • Part of subcall function 004B45C0: InitializeSecurityDescriptor.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000001), ref: 004B4688
      • Part of subcall function 004B45C0: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000001(TokenIntegrityLevel),00000014,?,?), ref: 004B46A3
      • Part of subcall function 004B45C0: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000005(TokenIntegrityLevel),?,?,?), ref: 004B46C0
      • Part of subcall function 004B45C0: SetSecurityDescriptorOwner.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000014,00000000), ref: 004B46D3
    • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004B453D
    • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004B4556
    • memcmp.API-MS-WIN-CORE-CRT-L1-1-0(-00000024,004B1570,00000010), ref: 004B4577
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: Token$Information$Heap$DescriptorErrorFreeLastProcessSecurity$AllocCurrentInitializeOpenOwnermemcmp
    • String ID:
    • API String ID: 2676371371-0
    • Opcode ID: 90f575a4eae364ddffe4623bab793dc367d646e49d803eb7f4937cd7234c2c0a
    • Instruction ID: a0845540b393d19d1a4b57b4300e99baae8e1cab9dfd12ee59e36b4e5b21ef6f
    • Opcode Fuzzy Hash: 90f575a4eae364ddffe4623bab793dc367d646e49d803eb7f4937cd7234c2c0a
    • Instruction Fuzzy Hash: 1B511A31A00A21BFDB34CB54CC50BAE77A9AF84714F154166FA01E7391DB74ED01CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • CompareStringOrdinal.API-MS-WIN-CORE-STRING-L1-1-0(?,000000FF,00000000,000000FF,00000001), ref: 004B21BF
    • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(-004B7380,?,000000FF,00000000,000000FF,00000001), ref: 004B21EE
    • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(004B7360,00000000,00000000,00000002,?,000000FF,00000000,000000FF,00000001), ref: 004B2238
    • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(004B7360,?,000000FF,00000000,000000FF,00000001), ref: 004B2250
    • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(-004B7380,00000000,00000000,00000002,?,000000FF,00000000,000000FF,00000001), ref: 004B227D
    • EtwEventEnabled.NTDLL ref: 004B22D2
    • EtwEventEnabled.NTDLL ref: 004B2309
    • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(-004B7380,?,000000FF,00000000,000000FF,00000001), ref: 004B2330
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,System\CurrentControlSet\Services,00000000,00020019,?,?,000000FF,00000000,000000FF,00000001), ref: 004B235E
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,00000000,00020019,00000000,?,000000FF,00000000,000000FF,00000001), ref: 004B2378
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,Parameters,00000000,00020019,00000000,?,00000000,00020019,00000000,?,000000FF,00000000,000000FF,00000001), ref: 004B2396
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,000000FF,00000000,000000FF,00000001), ref: 004B23B2
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,000000FF,00000000,000000FF,00000001), ref: 004B23C0
    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,ServiceDllUnloadOnStop,00000000,?,00000000,00000004,?,000000FF,00000000,000000FF,00000001), ref: 004B23DF
    • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(-004B7380,?,000000FF,00000000,000000FF,00000001), ref: 004B23FE
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,000000FF,00000000,000000FF,00000001), ref: 004B240C
    • ActivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000000,?,?,000000FF,00000000,000000FF,00000001), ref: 004B2466
    • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,000000FF,00000000,000000FF,00000001), ref: 004B2476
    • DeactivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000000,00000000,?,000000FF,00000000,000000FF,00000001), ref: 004B248B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: ExclusiveLock$AcquireCloseOpenRelease$EnabledEvent$ActivateCompareDeactivateFreeLibraryOrdinalQueryStringValue
    • String ID: Parameters$ServiceDllUnloadOnStop$System\CurrentControlSet\Services
    • API String ID: 701447889-2925796325
    • Opcode ID: 0ce7aa46df32183bfe03112a278f65e9ba167ec88ca11608d557d5ed4c473651
    • Instruction ID: 9b4b2afb6253436d37ef4c4703a03f2be9cf1a91020248976dd1faec2e781643
    • Opcode Fuzzy Hash: 0ce7aa46df32183bfe03112a278f65e9ba167ec88ca11608d557d5ed4c473651
    • Instruction Fuzzy Hash: 0DC15135900208DFDB24DFA4DD54BEEBBB9FB44301F14516AEC12A3360DBB99905DB68
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (entry block 4b4d90-4b4db0; graph rendering omitted)
    APIs
    • CompareStringOrdinal.API-MS-WIN-CORE-STRING-L1-1-0(?,000000FF,00000000,000000FF,00000001), ref: 004B4DF3
    • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(-004B7380), ref: 004B4E22
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000008), ref: 004B4E3C
    • RegisterWaitForSingleObjectEx.API-MS-WIN-CORE-THREADPOOL-PRIVATE-L1-1-0(00000000,Function_00001FA0,00000000,000000FF,?), ref: 004B4E6D
    • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(-004B7380), ref: 004B4E8F
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: ExclusiveLock$AcquireAllocCompareHeapObjectOrdinalRegisterReleaseSingleStringWait
    • String ID:
    • API String ID: 1836250775-0
    • Opcode ID: c48d2ca7b6b0e3d650544a0fa242d470d3cff7e086bd347b86bc80d3188d354e
    • Instruction ID: cbcce671c3245deb88b079adfea5d3b0088d1f8224d5a99b709e90aeae5be1ee
    • Opcode Fuzzy Hash: c48d2ca7b6b0e3d650544a0fa242d470d3cff7e086bd347b86bc80d3188d354e
    • Instruction Fuzzy Hash: 7E41B271A04614EFDB208FA8DC04BEABBB9BB44350F14426AF915E7390C7789C42DB69
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (entry block 4b4940-4b496e; graph rendering omitted)
    APIs
    • RtlQueryHeapInformation.NTDLL(00000000,00000004,?,00000140,00000140), ref: 004B49A3
    • qsort_s.API-MS-WIN-CORE-CRT-L1-1-0(?,?,00000014,004B4F90,00000000,?,-004B7370), ref: 004B49DB
    • bsearch_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,00000014,004B4F90,00000000), ref: 004B4A63
    • __aulldiv.LIBCMT ref: 004B4B1E
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000140,?,-004B7370), ref: 004B4B5C
    • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,-004B7370), ref: 004B4B80
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: Heap$AllocFreeInformationQuery__aulldivbsearch_sqsort_s
    • String ID: #
    • API String ID: 3915933142-1885708031
    • Opcode ID: 1618b0403a5c2225a5f904aa503ed4a884ae62cef8ede208daa154d1adbbf19e
    • Instruction ID: 05fdf298cc960f238abea2724f9559c2419a1f2f8172dc2393f8cbe1bf1a53cd
    • Opcode Fuzzy Hash: 1618b0403a5c2225a5f904aa503ed4a884ae62cef8ede208daa154d1adbbf19e
    • Instruction Fuzzy Hash: 38614DB1900618DFDB24CF29CC44BDAB7B5BB88304F1042AAE509A7351D775AD91CF98
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (entry block 4b35a0-4b35cb; graph rendering omitted)
    APIs
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion\Svchost,00000000,00020019,l2K,?,?,004B326C,?,?,?,?,00000004), ref: 004B35C3
      • Part of subcall function 004B36B0: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(l2K,?,00000000,00020019,00000000,00000007,004B7394,?,00000000,00000000,00000000), ref: 004B374A
      • Part of subcall function 004B36B0: RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004B3787
      • Part of subcall function 004B36B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 004B37D3
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(l2K,00000000,00000000,?,?,004B326C,?,?,?,?,00000004), ref: 004B35E0
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000,?,?,004B326C,?,?,?,?,00000004), ref: 004B3646
    • InitializeSRWLock.API-MS-WIN-CORE-SYNCH-L1-1-0(00000010,?,?,004B326C,?,?,?,?,00000004), ref: 004B3677
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: AllocHeapOpen$CloseEnumInitializeLock
    • String ID: Software\Microsoft\Windows NT\CurrentVersion\Svchost$l2K
    • API String ID: 4187173433-593795201
    • Opcode ID: ba0f3952db90568a55c1e8ab70b355e0fbeb892501bcbc6a4a7b2334b55b83ab
    • Instruction ID: 44ed1971baf9cf71659a805f4ec2df665c8f30cee70a40e7a7634de30ad53142
    • Opcode Fuzzy Hash: ba0f3952db90568a55c1e8ab70b355e0fbeb892501bcbc6a4a7b2334b55b83ab
    • Instruction Fuzzy Hash: EE412675900301EBCB309F69CC457A7B7B8FB94346B05062AEC4297350E774AE62C7A8
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (entry block 4b2000-4b203a; graph rendering omitted)
    APIs
    • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00000004,?,?), ref: 004B2025
      • Part of subcall function 004B20C0: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,System\CurrentControlSet\Services,00000000,00020019,?,00000004,?), ref: 004B20F2
      • Part of subcall function 004B20C0: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,00000000,00020019,00000000), ref: 004B210C
      • Part of subcall function 004B20C0: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,Parameters,00000000,00020019,00000000,?,00000000,00020019,00000000), ref: 004B2127
      • Part of subcall function 004B20C0: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 004B2143
      • Part of subcall function 004B20C0: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 004B2151
    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,ServiceDllUnloadOnStop,00000000,00000000,00000000,00000004), ref: 004B2052
    • ActivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(?,?), ref: 004B207A
    • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?), ref: 004B208A
    • DeactivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000000,?), ref: 004B209F
    • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00000004), ref: 004B20A6
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 004B20B6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: CloseOpen$ExclusiveLock$AcquireActivateDeactivateFreeLibraryQueryReleaseValue
    • String ID: ServiceDllUnloadOnStop
    • API String ID: 875000390-2673481689
    • Opcode ID: d99c850f141573d9ce8c80f27f76a1c47d90834d9f88c1d40ccc7b464f56dd6c
    • Instruction ID: ce1b52b0aecdf4163282b535b8cfb4b898b014abe5aa770c45c448022fa66e06
    • Opcode Fuzzy Hash: d99c850f141573d9ce8c80f27f76a1c47d90834d9f88c1d40ccc7b464f56dd6c
    • Instruction Fuzzy Hash: B8213A71900208EBDB20EF94DE48B9FBBFCBF08701F10456AE615A2250DB749A05CF65
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (entry block 4b665c-4b666c; graph rendering omitted)
    APIs
    • LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 004B6688
    • RpcServerUseProtseqEpW.RPCRT4(ncacn_np,0000000A,00000000,00000000), ref: 004B66C1
    • RpcServerRegisterIf.RPCRT4(?,00000000,00000000), ref: 004B66DC
    • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 004B66E5
    • I_RpcMapWin32Status.RPCRT4(00000000), ref: 004B66EC
    • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 004B66F5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: Local$FreeServer$AllocProtseqRegisterStatusWin32
    • String ID: ncacn_np
    • API String ID: 1007250533-272970834
    • Opcode ID: 7a6eefeaabe9ececffc1d84471675c75065d3f08dd8e79d120b8049643902f08
    • Instruction ID: f3282937fe862b54f99fe7c4c170ebdc73dd80f7817193ae921b85af68696cbb
    • Opcode Fuzzy Hash: 7a6eefeaabe9ececffc1d84471675c75065d3f08dd8e79d120b8049643902f08
    • Instruction Fuzzy Hash: 49110232B0421067D3202B695C49BEB76AD9BD97A8F13012AFE09E3350EE7C9D0185FD
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (entry block 4b20c0-4b20fc; graph rendering omitted)
    APIs
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,System\CurrentControlSet\Services,00000000,00020019,?,00000004,?), ref: 004B20F2
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,00000000,00020019,00000000), ref: 004B210C
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,Parameters,00000000,00020019,00000000,?,00000000,00020019,00000000), ref: 004B2127
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 004B2143
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 004B2151
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: Open$Close
    • String ID: Parameters$System\CurrentControlSet\Services
    • API String ID: 3083169812-135649160
    • Opcode ID: 8808219b9bf7fdc86cdf631ffca38e47482edade7300f7195eb1fa64ea2e45e8
    • Instruction ID: 029d08cc366de525204e46e1b49338b3bf2ad9241a75b0333c4ff09e06dfa184
    • Opcode Fuzzy Hash: 8808219b9bf7fdc86cdf631ffca38e47482edade7300f7195eb1fa64ea2e45e8
    • Instruction Fuzzy Hash: B4116075A41228BBD7208B689D49B9FBBACEB14751F110166ED44E3310D6748E01DAA4
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (entry block 4b4350-4b436f; graph rendering omitted)
    APIs
    • RtlGetDeviceFamilyInfoEnum.NTDLL(00000000,?,00000000), ref: 004B4363
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,System\CurrentControlSet\Control\SCMConfig,00000000,00020019,?), ref: 004B438A
    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,EnableSvchostMitigationPolicy,00000000,?,80000002,00000000,80000002,System\CurrentControlSet\Control\SCMConfig), ref: 004B43B0
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,EnableSvchostMitigationPolicy,00000000,?,80000002,00000000,80000002), ref: 004B43C0
    Strings
    • System\CurrentControlSet\Control\SCMConfig, xrefs: 004B4380
    • EnableSvchostMitigationPolicy, xrefs: 004B43A8
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: CloseDeviceEnumFamilyInfoOpenQueryValue
    • String ID: EnableSvchostMitigationPolicy$System\CurrentControlSet\Control\SCMConfig
    • API String ID: 3374871968-1194725368
    • Opcode ID: c480f565b94656961aefa0513ba7c7ee19de1829a34a1ecd3e42c7eeb6e8d72e
    • Instruction ID: 90d2fa330f87d10cd81a29442972ad7b4b4235c92a09987b4f19b24fcba88f7a
    • Opcode Fuzzy Hash: c480f565b94656961aefa0513ba7c7ee19de1829a34a1ecd3e42c7eeb6e8d72e
    • Instruction Fuzzy Hash: 32014434A44209BBEB14DA948C86FFFB3ACEB44304F640567E910E1252D7789E549A79
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(l2K,00000000,?,0000FFFF,00000000,00000000,00000000,00000000,l2K,00000000,?,00000000,00000000), ref: 004B3E6E
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 004B3E99
    • RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,00000000,?,0000FFFF,00000000,00000000,00000000), ref: 004B3EBA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: Value$AllocHeap
    • String ID: l2K
    • API String ID: 1008940825-3002214207
    • Opcode ID: 143e6d90752bdc661b7b55d0df266dcc2b322ca4993cfe5f4453cfa61f223f59
    • Instruction ID: 5119bba01712f7cbb01910df6b14b06d97a1e9e241ba79b4fac16e15e04f2902
    • Opcode Fuzzy Hash: 143e6d90752bdc661b7b55d0df266dcc2b322ca4993cfe5f4453cfa61f223f59
    • Instruction Fuzzy Hash: 66213C71604209FFEB10DF99DC45FAAB7A8EB54311F10016AF900E6290EB75AE51DB64
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,CoInitializeSecurityParam,00000000,s9K,s9K,?,00000001,004B3973), ref: 004B3E10
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: QueryValue
    • String ID: CoInitializeSecurityParam$s9K$s9K
    • API String ID: 3660427363-1459389152
    • Opcode ID: 4af1d61cc3cd7ea02c0fce7bf4fcb276a57aad6bec24e1f97e5ceb2f957e582e
    • Instruction ID: 3baa0264fed814f9add8d5a030d8d6140ecda796653f715906c2f344c18e3c8a
    • Opcode Fuzzy Hash: 4af1d61cc3cd7ea02c0fce7bf4fcb276a57aad6bec24e1f97e5ceb2f957e582e
    • Instruction Fuzzy Hash: 33E030B1500108EBEB209F559C05BEBB7ACDB40311F104167A90196140D678EE5586BA
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(WLDP.DLL,00000000,00000800), ref: 004B4F1C
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,WldpIsAllowedEntryPoint), ref: 004B4F31
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: WLDP.DLL$WldpIsAllowedEntryPoint
    • API String ID: 2574300362-3624529204
    • Opcode ID: d6f949af1748da7095eca5f5116006975a95ab4d89239f175931a4c7f33fbd1a
    • Instruction ID: 3d9af98786c688e1bd903b7067f39108b52ccbf5d3eaf1a9f465384a09b2c847
    • Opcode Fuzzy Hash: d6f949af1748da7095eca5f5116006975a95ab4d89239f175931a4c7f33fbd1a
    • Instruction Fuzzy Hash: BDD0C774654301ABD3505B746C16B8635D4ABA4B41F604136A906D66E2DB748014CA3C
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000064,00000000,?,?,00000004), ref: 004B3F8A
    • memcpy.API-MS-WIN-CORE-CRT-L1-1-0(00000064,00000000,00000000,?,?,00000004), ref: 004B3FAA
    • LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000400,00000100,?,?,?,?,?,?,?,00000004), ref: 004B4031
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: AllocHeapStringmemcpy
    • String ID:
    • API String ID: 132164024-0
    • Opcode ID: a541357c7b9ef7cb1361ec3a752a1eea874ede0234e69bd66b3c75e106abb91b
    • Instruction ID: f6936528feda815fda8eb719524b0aedf05a2657f9167087ee277d34c1493de0
    • Opcode Fuzzy Hash: a541357c7b9ef7cb1361ec3a752a1eea874ede0234e69bd66b3c75e106abb91b
    • Instruction Fuzzy Hash: 3C71D674A0022287DB24AF1888543F772E1EBD4344F99402BEDC59B786E63DDD82D779
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 004B50B0: GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 004B50DD
      • Part of subcall function 004B50B0: GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 004B50EC
      • Part of subcall function 004B50B0: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 004B50F5
      • Part of subcall function 004B50B0: GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 004B50FE
      • Part of subcall function 004B50B0: QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 004B5113
    • _initterm_e.API-MS-WIN-CORE-CRT-L2-1-0(004B11F8,004B11FC), ref: 004B30CD
    • __wgetmainargs.API-MS-WIN-CORE-CRT-L2-1-0(?,?,00000000,00000000,00000000), ref: 004B30E5
    • _initterm.API-MS-WIN-CORE-CRT-L2-1-0(004B11F0,004B11F4), ref: 004B30F5
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick__wgetmainargs_initterm_initterm_e
    • String ID:
    • API String ID: 543135555-0
    • Opcode ID: 89ef8b3449e86d3d3c20a3c92dda167ce81a7a31b23b22a4fc9401d023f8c8ac
    • Instruction ID: 95b3a51529d589cadd910aee417f1fdb055d738df91cb4c0a0e1e5d8b4399d11
    • Opcode Fuzzy Hash: 89ef8b3449e86d3d3c20a3c92dda167ce81a7a31b23b22a4fc9401d023f8c8ac
    • Instruction Fuzzy Hash: 7DF06271840209ABDB00EF9DDC5ABEE7BBCEB04309F500166E514A2142DB7856188BB9
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RegisterServiceCtrlHandlerW.API-MS-WIN-SERVICE-WINSVC-L1-1-0(?,004B4F80), ref: 004B6005
    • SetServiceStatus.API-MS-WIN-SERVICE-CORE-L1-1-0(00000000,00000030), ref: 004B6014
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2045743246.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
    • Associated: 00000000.00000002.2045710143.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2045767502.00000000004BB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b0000_svchost(1).jbxd
    Similarity
    • API ID: Service$CtrlHandlerRegisterStatus
    • String ID: 0
    • API String ID: 786618493-4108050209
    • Opcode ID: 23514c546214fc970fa6d327655dbee9638b8a756315c49421eb159ee8c075b8
    • Instruction ID: 7c32c53cc68cf4b36a3344a07228ced5667bfb5d050b6dd84142b6520647b83a
    • Opcode Fuzzy Hash: 23514c546214fc970fa6d327655dbee9638b8a756315c49421eb159ee8c075b8
    • Instruction Fuzzy Hash: 36F030709012089BDB04DF95D8597EFBBF8EF48308F50415DE80567280DBB95605CFA4
    Uniqueness

    Uniqueness Score: -1.00%