Edit tour

Windows Analysis Report
OmPnD1qvad.exe

Overview

General Information

Sample Name:	OmPnD1qvad.exe
Original Sample Name:	302b13223db8c63367c43b004b9395d8.exe
Analysis ID:	894060
MD5:	302b13223db8c63367c43b004b9395d8
SHA1:	2fda947fb80d0089f41fef46137b52bab9b9845e
SHA256:	9802c511f650d5eb611d309889655ac2f8daab5f87c30463b2505da99076192b
Tags:	exe
Infos:

Detection

Redline Clipper

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Redline Clipper

Multi AV Scanner detection for submitted file

Multi AV Scanner detection for dropped file

Sigma detected: Schedule system process

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

Drops PE files with benign system names

Injects a PE file into a foreign processes

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Drops PE files

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Creates a window with clipboard capturing capabilities

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Creates a process in suspended mode (likely to inject code)

Contains long sleeps (>= 3 min)

Classification

Process Tree

System is w10x64

OmPnD1qvad.exe (PID: 6544 cmdline: C:\Users\user\Desktop\OmPnD1qvad.exe MD5: 302B13223DB8C63367C43B004B9395D8)

OmPnD1qvad.exe (PID: 5920 cmdline: C:\Users\user\Desktop\OmPnD1qvad.exe MD5: 302B13223DB8C63367C43B004B9395D8)

cmd.exe (PID: 5876 cmdline: cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6768 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6724 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 6864 cmdline: cmd.exe" /C copy "C:\Users\user\Desktop\OmPnD1qvad.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 6828 cmdline: C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: 302B13223DB8C63367C43B004B9395D8)

svchost.exe (PID: 6936 cmdline: C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: 302B13223DB8C63367C43B004B9395D8)

cmd.exe (PID: 6932 cmdline: cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 7028 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5388 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 5408 cmdline: cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 3176 cmdline: C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: 302B13223DB8C63367C43B004B9395D8)

svchost.exe (PID: 6892 cmdline: C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: 302B13223DB8C63367C43B004B9395D8)

cmd.exe (PID: 6908 cmdline: cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6980 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 7116 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 7160 cmdline: cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 2376 cmdline: C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: 302B13223DB8C63367C43B004B9395D8)

svchost.exe (PID: 5820 cmdline: C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: 302B13223DB8C63367C43B004B9395D8)

cmd.exe (PID: 6740 cmdline: cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 7040 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5068 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 2588 cmdline: cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Redline Clipper

{"Wallet Addresses": ["0xe83e13519074b66ED4fEa23Bf8B18402417504cf", "DFHGrZZVdeJioKHuMtJsT8BjRa7JACkJ8x", "LQ3N47jbUeN1ncAxjL2bQxdbfrTv6DQEwq", "XwPYYFb9s2fCKgZdRJTSLkGy79rNXRnSqM", "46iBmeV6Z5VFEi6q4iGT8A7nzuxwA3AHsZajPsLEbHhFhDEs1SAk3jWWiNdn5CWRHxdsnqvEomjGT3pECWB7BTpsPGEi6Yu"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.480610988.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
00000009.00000002.488605181.0000000003371000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
Process Memory Space: OmPnD1qvad.exe PID: 6544	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
Process Memory Space: svchost.exe PID: 6828	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.OmPnD1qvad.exe.24cfe38.0.raw.unpack	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
9.2.svchost.exe.339ff34.0.raw.unpack	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f, CommandLine: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\Desktop\OmPnD1qvad.exe, ParentImage: C:\Users\user\Desktop\OmPnD1qvad.exe, ParentProcessId: 6544, ParentProcessName: OmPnD1qvad.exe, ProcessCommandLine: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f, ProcessId: 6768, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.OmPnD1qvad.exe.24cfe38.0.raw.unpack

Malware Configuration Extractor: Redline Clipper {"Wallet Addresses": ["0xe83e13519074b66ED4fEa23Bf8B18402417504cf", "DFHGrZZVdeJioKHuMtJsT8BjRa7JACkJ8x", "LQ3N47jbUeN1ncAxjL2bQxdbfrTv6DQEwq", "XwPYYFb9s2fCKgZdRJTSLkGy79rNXRnSqM", "46iBmeV6Z5VFEi6q4iGT8A7nzuxwA3AHsZajPsLEbHhFhDEs1SAk3jWWiNdn5CWRHxdsnqvEomjGT3pECWB7BTpsPGEi6Yu"]}

Multi AV Scanner detection for submitted file

Source: OmPnD1qvad.exe	ReversingLabs: Detection: 59%
Source: OmPnD1qvad.exe	Virustotal: Detection: 64%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Virustotal: Detection: 64%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: OmPnD1qvad.exe

Joe Sandbox ML: detected

Source: OmPnD1qvad.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: OmPnD1qvad.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: OmPnD1qvad.exe, 00000000.00000002.479946399.00000000005FB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Window created: window name: CLIPBRDWNDCLASS

Source: OmPnD1qvad.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: OmPnD1qvad.exe, 00000000.00000002.480610988.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCrack Redline.exe4 vs OmPnD1qvad.exe
Source: OmPnD1qvad.exe, 00000000.00000000.474804324.00000000000CE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBvSsh.exe vs OmPnD1qvad.exe
Source: OmPnD1qvad.exe, 00000000.00000002.479946399.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs OmPnD1qvad.exe
Source: OmPnD1qvad.exe, 00000001.00000002.742889499.0000000001489000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs OmPnD1qvad.exe
Source: OmPnD1qvad.exe, 00000001.00000002.744703347.0000000005858000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs OmPnD1qvad.exe
Source: OmPnD1qvad.exe	Binary or memory string: OriginalFilenameBvSsh.exe vs OmPnD1qvad.exe

Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Code function: 0_2_022E1AB4	0_2_022E1AB4
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Code function: 1_2_016EF9B2	1_2_016EF9B2
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Code function: 1_2_016EB634	1_2_016EB634
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Code function: 1_2_016EDEE0	1_2_016EDEE0
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Code function: 1_2_016EDED0	1_2_016EDED0
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Code function: 10_2_05C5F950	10_2_05C5F950
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Code function: 10_2_05C5B634	10_2_05C5B634
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Code function: 10_2_05C5DEDF	10_2_05C5DEDF
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Code function: 10_2_05C5DEE0	10_2_05C5DEE0
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Code function: 19_2_05B2D4B4	19_2_05B2D4B4
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Code function: 19_2_05B2D4A8	19_2_05B2D4A8
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Code function: 19_2_05B2B634	19_2_05B2B634
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Code function: 19_2_05B2DEE0	19_2_05B2DEE0
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Code function: 19_2_05B2DED0	19_2_05B2DED0
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Code function: 19_2_05B2F950	19_2_05B2F950
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Code function: 19_2_05BFD198	19_2_05BFD198
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Code function: 19_2_05BF5CE8	19_2_05BF5CE8
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Code function: 19_2_05BF6D87	19_2_05BF6D87

Source: C:\Users\user\Desktop\OmPnD1qvad.exe

Code function: 0_2_022E5D00 CreateProcessAsUserA,

0_2_022E5D00

Source: OmPnD1qvad.exe	ReversingLabs: Detection: 59%
Source: OmPnD1qvad.exe	Virustotal: Detection: 64%

Source: OmPnD1qvad.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\OmPnD1qvad.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OmPnD1qvad.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\OmPnD1qvad.exe C:\Users\user\Desktop\OmPnD1qvad.exe
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process created: C:\Users\user\Desktop\OmPnD1qvad.exe C:\Users\user\Desktop\OmPnD1qvad.exe
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\OmPnD1qvad.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost\svchost.exe C:\Users\user\AppData\Roaming\svchost\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Users\user\AppData\Roaming\svchost\svchost.exe C:\Users\user\AppData\Roaming\svchost\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost\svchost.exe C:\Users\user\AppData\Roaming\svchost\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Users\user\AppData\Roaming\svchost\svchost.exe C:\Users\user\AppData\Roaming\svchost\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost\svchost.exe C:\Users\user\AppData\Roaming\svchost\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Users\user\AppData\Roaming\svchost\svchost.exe C:\Users\user\AppData\Roaming\svchost\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process created: C:\Users\user\Desktop\OmPnD1qvad.exe C:\Users\user\Desktop\OmPnD1qvad.exe	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\OmPnD1qvad.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Users\user\AppData\Roaming\svchost\svchost.exe C:\Users\user\AppData\Roaming\svchost\svchost.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Users\user\AppData\Roaming\svchost\svchost.exe C:\Users\user\AppData\Roaming\svchost\svchost.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Users\user\AppData\Roaming\svchost\svchost.exe C:\Users\user\AppData\Roaming\svchost\svchost.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3676:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4708:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6732:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6068:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3484:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_01

Source: C:\Users\user\Desktop\OmPnD1qvad.exe

File created: C:\Users\user\AppData\Roaming\svchost

Jump to behavior

Source: classification engine

Classification label: mal100.spyw.evad.winEXE@56/4@0/0

Source: C:\Users\user\Desktop\OmPnD1qvad.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: OmPnD1qvad.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: OmPnD1qvad.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Code function: 19_2_05BFAE90 push 00000004h; ret	19_2_05BFAEA6
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Code function: 19_2_05BF9ACF push ecx; ret	19_2_05BF9AD5
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Code function: 19_2_05BF9AC1 push ecx; ret	19_2_05BF9AD5

Source: initial sample	Static PE information: section name: .text entropy: 7.661351728887682
Source: initial sample	Static PE information: section name: .text entropy: 7.661351728887682

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\svchost\svchost.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\svchost\svchost.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f

Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\OmPnD1qvad.exe TID: 6516	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe TID: 5912	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe TID: 6816	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe TID: 6940	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe TID: 3216	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe TID: 7144	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe TID: 1084	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe TID: 1332	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\OmPnD1qvad.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Memory written: C:\Users\user\Desktop\OmPnD1qvad.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Memory written: C:\Users\user\AppData\Roaming\svchost\svchost.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Memory written: C:\Users\user\AppData\Roaming\svchost\svchost.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Memory written: C:\Users\user\AppData\Roaming\svchost\svchost.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process created: C:\Users\user\Desktop\OmPnD1qvad.exe C:\Users\user\Desktop\OmPnD1qvad.exe	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\OmPnD1qvad.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Users\user\AppData\Roaming\svchost\svchost.exe C:\Users\user\AppData\Roaming\svchost\svchost.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Users\user\AppData\Roaming\svchost\svchost.exe C:\Users\user\AppData\Roaming\svchost\svchost.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Users\user\AppData\Roaming\svchost\svchost.exe C:\Users\user\AppData\Roaming\svchost\svchost.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f

Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Queries volume information: C:\Users\user\Desktop\OmPnD1qvad.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Queries volume information: C:\Users\user\Desktop\OmPnD1qvad.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OmPnD1qvad.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\OmPnD1qvad.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Redline Clipper

Source: Yara match	File source: 0.2.OmPnD1qvad.exe.24cfe38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.svchost.exe.339ff34.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.480610988.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.488605181.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OmPnD1qvad.exe PID: 6544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6828, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Valid Accounts	1 Scheduled Task/Job	1 Valid Accounts	1 Valid Accounts	11 Masquerading	1 Input Capture	1 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	1 Access Token Manipulation	1 Valid Accounts	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	111 Process Injection	1 Access Token Manipulation	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Scheduled Task/Job	1 Disable or Modify Tools	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	21 Virtualization/Sandbox Evasion	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	111 Process Injection	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
OmPnD1qvad.exe	59%	ReversingLabs	ByteCode-MSIL.Trojan.ClipBanker
OmPnD1qvad.exe	65%	Virustotal		Browse
OmPnD1qvad.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\svchost\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\svchost\svchost.exe	59%	ReversingLabs	ByteCode-MSIL.Trojan.ClipBanker
C:\Users\user\AppData\Roaming\svchost\svchost.exe	65%	Virustotal		Browse

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	894060
Start date and time:	2023-06-25 09:56:55 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	OmPnD1qvad.exe
Original Sample Name:	302b13223db8c63367c43b004b9395d8.exe
Detection:	MAL
Classification:	mal100.spyw.evad.winEXE@56/4@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 94 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
09:57:52	API Interceptor	1x Sleep call for process: OmPnD1qvad.exe modified
09:57:56	Task Scheduler	Run new task: Nafifas path: "C:\Users\user\AppData\Roaming\svchost\svchost.exe"
09:57:56	API Interceptor	3x Sleep call for process: svchost.exe modified

Process:	C:\Users\user\Desktop\OmPnD1qvad.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.345981753770044
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:MLUE4K5E4Ks2wKDE4KhK3VZ9pKhk
MD5:	044A637E42FE9A819D7E43C8504CA769
SHA1:	6FCA27B1A571B73563C8424C84F4F64F3CBCBE2F
SHA-256:	E88E04654826CE00CC7A840745254164DDBD175066D6E4EA6858BF0FE463EBB4
SHA-512:	C9A74FA4154FA5E5951B0EEAC5330CA4BAC981FF9AD24C08575A76AD5D99CFB68556B9857C9C8209A1BFCB43F82E00F14962987A18A92A715F45AD0D4E4A718C
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\svchost\svchost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.345981753770044
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:MLUE4K5E4Ks2wKDE4KhK3VZ9pKhk
MD5:	044A637E42FE9A819D7E43C8504CA769
SHA1:	6FCA27B1A571B73563C8424C84F4F64F3CBCBE2F
SHA-256:	E88E04654826CE00CC7A840745254164DDBD175066D6E4EA6858BF0FE463EBB4
SHA-512:	C9A74FA4154FA5E5951B0EEAC5330CA4BAC981FF9AD24C08575A76AD5D99CFB68556B9857C9C8209A1BFCB43F82E00F14962987A18A92A715F45AD0D4E4A718C
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Roaming\svchost\svchost.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	300544
Entropy (8bit):	6.28995420993401
Encrypted:	false
SSDEEP:	6144:Srbm6QnkktV535ZLLnvv2+EBEFMAA55555A5555555A5555555555ti:5nkktV535ZLLnvGp
MD5:	302B13223DB8C63367C43B004B9395D8
SHA1:	2FDA947FB80D0089F41FEF46137B52BAB9B9845E
SHA-256:	9802C511F650D5EB611D309889655AC2F8DAAB5F87C30463B2505DA99076192B
SHA-512:	AEFEB350ED922BCF127D299D091CF0F7CD6E2BF78D5FC19847386E4AE7117FD2B8832513064F9E08D9BD6EBD508E836B79995D1C939316B1408F292F01C693FE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 59% Antivirus: Virustotal, Detection: 65%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....d............................(.... ........@.. ....................................@.....................................J.......0............................................................................ ............... ..H............text........ ...................... ..`.rsrc...0...........................@..@.reloc..............................@..B........................H........F...G..............F8...........................................0..S.......~)...8....8....~...~.....?8....8....8....~+...8....8....8....8....~-...~,...~.....\(m..........(....(....~...~.....}(m...(}....~+.....(......~-...~,...~.... ....(m..........(....(....~...~.... ....(m...(}....~+.....(......~-...~,...~.... ....(m..........(....(....(z...8.....8....(m...8....(}...8.....8.....8.....8....(....8......8......0..9.......8....8....~/...8......9...~.... ....8....8..

C:\Users\user\AppData\Roaming\svchost\svchost.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.28995420993401
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	OmPnD1qvad.exe
File size:	300544
MD5:	302b13223db8c63367c43b004b9395d8
SHA1:	2fda947fb80d0089f41fef46137b52bab9b9845e
SHA256:	9802c511f650d5eb611d309889655ac2f8daab5f87c30463b2505da99076192b
SHA512:	aefeb350ed922bcf127d299d091cf0f7cd6e2bf78d5fc19847386e4ae7117fd2b8832513064f9e08d9bd6ebd508e836b79995d1c939316b1408f292f01c693fe
SSDEEP:	6144:Srbm6QnkktV535ZLLnvv2+EBEFMAA55555A5555555A5555555555ti:5nkktV535ZLLnvGp
TLSH:	73541D770EAE6CACD8AECEF026A601265D9ACF16BCB0C25B1D51B08145FC940779ECD7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d............................(.... ........@.. ....................................@................................

File Icon


Icon Hash:	8e9693b32baf9e98

Static PE Info

General

Entrypoint:	0x41c728
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6495DEB4 [Fri Jun 23 18:04:36 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1c6de	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e000	0x2e830	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1a72e	0x1a800	False	0.4202903891509434	data	7.661351728887682	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1e000	0x2e830	0x2ea00	False	0.1320794235924933	data	4.904497737371291	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4e000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x1e0ac	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.04819294924878741
RT_ICON	0x2e8f8	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.14486546142526802
RT_ICON	0x37dc4	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 26560	0.16924812030075187
RT_ICON	0x3e5d0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.1961645101663586
RT_ICON	0x43a7c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.12801133679735474
RT_ICON	0x47cc8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.2567427385892116
RT_ICON	0x4a294	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.2980769230769231
RT_ICON	0x4b360	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.41762295081967216
RT_ICON	0x4bd0c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.549645390070922
RT_GROUP_ICON	0x4c1c2	0x84	data	0.7272727272727273
RT_VERSION	0x4c282	0x388	data	0.4491150442477876
RT_MANIFEST	0x4c646	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	09:57:52
Start date:	25/06/2023
Path:	C:\Users\user\Desktop\OmPnD1qvad.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\OmPnD1qvad.exe
Imagebase:	0xb0000
File size:	300544 bytes
MD5 hash:	302B13223DB8C63367C43B004B9395D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedlineClipper, Description: Yara detected Redline Clipper, Source: 00000000.00000002.480610988.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	09:57:53
Start date:	25/06/2023
Path:	C:\Users\user\Desktop\OmPnD1qvad.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\OmPnD1qvad.exe
Imagebase:	0xe50000
File size:	300544 bytes
MD5 hash:	302B13223DB8C63367C43B004B9395D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	2
Start time:	09:57:53
Start date:	25/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost
Imagebase:	0x1b0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	09:57:53
Start date:	25/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	09:57:54
Start date:	25/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Imagebase:	0x1b0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	09:57:54
Start date:	25/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	09:57:54
Start date:	25/06/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Imagebase:	0x870000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	09:57:54
Start date:	25/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe" /C copy "C:\Users\user\Desktop\OmPnD1qvad.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
Imagebase:	0x1b0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	8
Start time:	09:57:54
Start date:	25/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	9
Start time:	09:57:56
Start date:	25/06/2023
Path:	C:\Users\user\AppData\Roaming\svchost\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\svchost\svchost.exe
Imagebase:	0xc00000
File size:	300544 bytes
MD5 hash:	302B13223DB8C63367C43B004B9395D8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedlineClipper, Description: Yara detected Redline Clipper, Source: 00000009.00000002.488605181.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 59%, ReversingLabs Detection: 65%, Virustotal, Browse

Show Windows behavior

Target ID:	10
Start time:	09:57:56
Start date:	25/06/2023
Path:	C:\Users\user\AppData\Roaming\svchost\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\svchost\svchost.exe
Imagebase:	0xfb0000
File size:	300544 bytes
MD5 hash:	302B13223DB8C63367C43B004B9395D8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	11
Start time:	09:57:57
Start date:	25/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost
Imagebase:	0x1b0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 4708, Parent PID: 6932

General

Target ID:	12
Start time:	09:57:57
Start date:	25/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	13
Start time:	09:57:57
Start date:	25/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Imagebase:	0x1b0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 7128, Parent PID: 7028

General

Target ID:	14
Start time:	09:57:57
Start date:	25/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	15
Start time:	09:57:57
Start date:	25/06/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Imagebase:	0x870000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	16
Start time:	09:57:58
Start date:	25/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
Imagebase:	0x1b0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	17
Start time:	09:57:58
Start date:	25/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	18
Start time:	09:58:01
Start date:	25/06/2023
Path:	C:\Users\user\AppData\Roaming\svchost\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\svchost\svchost.exe
Imagebase:	0x260000
File size:	300544 bytes
MD5 hash:	302B13223DB8C63367C43B004B9395D8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	19
Start time:	09:58:02
Start date:	25/06/2023
Path:	C:\Users\user\AppData\Roaming\svchost\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\svchost\svchost.exe
Imagebase:	0xe80000
File size:	300544 bytes
MD5 hash:	302B13223DB8C63367C43B004B9395D8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	20
Start time:	09:58:02
Start date:	25/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost
Imagebase:	0x1b0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	21
Start time:	09:58:02
Start date:	25/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	22
Start time:	09:58:02
Start date:	25/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Imagebase:	0x1b0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	23
Start time:	09:58:02
Start date:	25/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	24
Start time:	09:58:02
Start date:	25/06/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Imagebase:	0x870000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	25
Start time:	09:58:03
Start date:	25/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
Imagebase:	0x1b0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	26
Start time:	09:58:03
Start date:	25/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	28
Start time:	09:59:00
Start date:	25/06/2023
Path:	C:\Users\user\AppData\Roaming\svchost\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\svchost\svchost.exe
Imagebase:	0x1f0000
File size:	300544 bytes
MD5 hash:	302B13223DB8C63367C43B004B9395D8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	29
Start time:	09:59:01
Start date:	25/06/2023
Path:	C:\Users\user\AppData\Roaming\svchost\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\svchost\svchost.exe
Imagebase:	0x470000
File size:	300544 bytes
MD5 hash:	302B13223DB8C63367C43B004B9395D8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	30
Start time:	09:59:01
Start date:	25/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost
Imagebase:	0x1b0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	31
Start time:	09:59:01
Start date:	25/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	32
Start time:	09:59:03
Start date:	25/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Imagebase:	0x1b0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	33
Start time:	09:59:04
Start date:	25/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	34
Start time:	09:59:04
Start date:	25/06/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
Imagebase:	0x870000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	35
Start time:	09:59:04
Start date:	25/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
Imagebase:	0x1b0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	36
Start time:	09:59:04
Start date:	25/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Execution Graph

Execution Coverage:	24.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10.5%
Total number of Nodes:	76
Total number of Limit Nodes:	5

Executed Functions

Function 022E6388 Relevance: 3.1, APIs: 2, Instructions: 99
memoryinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 022E6353
WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 022E641D

Memory Dump Source

Source File: 00000000.00000002.480372185.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_OmPnD1qvad.jbxd

Similarity

API ID: AllocMemoryProcessVirtualWrite
String ID:
API String ID: 645232735-0
Opcode ID: aa139c06dc1079bf833871ac0eadbaf8740cd5b88dc9a67c7ccd6bec0888d8f8
Instruction ID: 7a929c7bf0644aa9d3577e88c8d7702b75f320a2a380ec1d5f18b5d1b824af86
Opcode Fuzzy Hash: aa139c06dc1079bf833871ac0eadbaf8740cd5b88dc9a67c7ccd6bec0888d8f8
Instruction Fuzzy Hash: CC4147B1900249DFCF10CF9AD884BEEBBF5FF48314F508429E919A7250C378A545DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 022E5D00 Relevance: 1.8, APIs: 1, Instructions: 262
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 022E5F93

Memory Dump Source

Source File: 00000000.00000002.480372185.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_OmPnD1qvad.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: d1c194d61439a0d97b03197539b3b53540792aeb1e3b9891c02c9bab6404e3a4
Instruction ID: 2568614d9d079f7efded18ea0d72495f5da10673cd4c1f74eb4a7b243a0e82dc
Opcode Fuzzy Hash: d1c194d61439a0d97b03197539b3b53540792aeb1e3b9891c02c9bab6404e3a4
Instruction Fuzzy Hash: 9CA17971E102198FDF10CFA8C8817EDBBB6FF48308F4481A9E819A7294DB749985DF91

Uniqueness

Uniqueness Score: -1.00%

Function 022E1AB4 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.480372185.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_OmPnD1qvad.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc7dc5b214255ea454821aad56aebbb741c14111c1904f0045ff924f0d80b11
Instruction ID: d15c74c13af73de9e56f1593cbbf42cdb286e55b9d4f4ac80e1df166197b314a
Opcode Fuzzy Hash: adc7dc5b214255ea454821aad56aebbb741c14111c1904f0045ff924f0d80b11
Instruction Fuzzy Hash: 96C15D1141F3C15ECB037BBCD4755DA7FA28D2B168B8D08E3C0C69E5A7D428489EE3A6

Uniqueness

Uniqueness Score: -1.00%

Function 022E5CF4 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 279
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 022E5F93

Strings

_, xrefs: 022E5CA4

Memory Dump Source

Source File: 00000000.00000002.480372185.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_OmPnD1qvad.jbxd

Similarity

API ID: CreateProcessUser
String ID: _
API String ID: 2217836671-701932520
Opcode ID: 022cde8e6b450f371b28bc6c890c8cc4c93be7f60f96a18b76acb780bdfc18e4
Instruction ID: 249d3f53f68524796fd330b7feeb772d6cac9546820e32e0bfc283bdbe46d4f6
Opcode Fuzzy Hash: 022cde8e6b450f371b28bc6c890c8cc4c93be7f60f96a18b76acb780bdfc18e4
Instruction Fuzzy Hash: 6EB18B70D202198FDF10CFA8C8817EDBBB6FF48308F4481A9E81AA7255DB749985DF91

Uniqueness

Uniqueness Score: -1.00%

Function 022E64C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 022E6527

Strings

d, xrefs: 022E646C

Memory Dump Source

Source File: 00000000.00000002.480372185.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_OmPnD1qvad.jbxd

Similarity

API ID: ResumeThread
String ID: d
API String ID: 947044025-2564639436
Opcode ID: e043ed42af3697990cbbec5df1dbdd61601d1b00a673abc09140202a87d64540
Instruction ID: 12dd71f6196d3bfdf613ca0eaabff84833ddc7cfab7cf4534a62a78021b254b6
Opcode Fuzzy Hash: e043ed42af3697990cbbec5df1dbdd61601d1b00a673abc09140202a87d64540
Instruction Fuzzy Hash: EF2188B1904208CFCB20CF9AD4847EEBFF8EB48310F10805AD51AA7304D7746A45DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 022E61F0 Relevance: 3.1, APIs: 2, Instructions: 89
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 022E61AF
ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 022E626E

Memory Dump Source

Source File: 00000000.00000002.480372185.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_OmPnD1qvad.jbxd

Similarity

API ID: ContextMemoryProcessReadThread
String ID:
API String ID: 1264303914-0
Opcode ID: 6564d6245724f7b187cb8b8d072293cc2ccaa4a853cfd24927c6d6e65c3a7346
Instruction ID: b67e7809162781b512a8d619d3cd94b30cae329383c4d193e367ff200d915fee
Opcode Fuzzy Hash: 6564d6245724f7b187cb8b8d072293cc2ccaa4a853cfd24927c6d6e65c3a7346
Instruction Fuzzy Hash: AC3114B29002099FDB10CF9AC884BEEBBF8EB48324F548069E458A7251D378A555DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 022E62E0 Relevance: 1.6, APIs: 1, Instructions: 68
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 022E6353

Memory Dump Source

Source File: 00000000.00000002.480372185.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_OmPnD1qvad.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ea6404922fc0e6656e6552ba4d8e04088ad946454fd223780234b682ea7852b3
Instruction ID: 76bb0e123282b062963138433611136a035223ee05c932d3c292a25bdcf1337c
Opcode Fuzzy Hash: ea6404922fc0e6656e6552ba4d8e04088ad946454fd223780234b682ea7852b3
Instruction Fuzzy Hash: DB2175B69002099FCF20CF9AD844AEEBBF4FF98324F14805AE568A7241C334A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 022E6390 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 022E641D

Memory Dump Source

Source File: 00000000.00000002.480372185.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_OmPnD1qvad.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7ff77ae4bb6c5e28ead868755275a95dd633cb1debc9af2f59b7881752fd469c
Instruction ID: ef6467e53fff6adc947624ea4498ff0d5cd3860c23fe1199bfda6c68e1fd046d
Opcode Fuzzy Hash: 7ff77ae4bb6c5e28ead868755275a95dd633cb1debc9af2f59b7881752fd469c
Instruction Fuzzy Hash: 7521E5B19102599FCF10CF9AD884BDEBBF4FF48314F50842AE959A7350D778A944DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 022E6136 Relevance: 1.6, APIs: 1, Instructions: 59
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 022E61AF

Memory Dump Source

Source File: 00000000.00000002.480372185.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_OmPnD1qvad.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: d62a3c84492237c2e812364e2bcf7333d78d65b57f459d89bc87ed871bb9d6f7
Instruction ID: b2d32446fb9a534e16f0ccce9f6ed9a552d2ba8a16d00f637ee5324b18a05ed7
Opcode Fuzzy Hash: d62a3c84492237c2e812364e2bcf7333d78d65b57f459d89bc87ed871bb9d6f7
Instruction Fuzzy Hash: A6211571D0021A9FCB10CF9AC4857EEFBF4AB48214F50812AD418A7341D778A9458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 022E6138 Relevance: 1.6, APIs: 1, Instructions: 58
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 022E61AF

Memory Dump Source

Source File: 00000000.00000002.480372185.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_OmPnD1qvad.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: d80de9157a05fce93e2b891ca1bf53088a8cb3639caa320dc2db64186150e45b
Instruction ID: 6a7d7872ab7bd7e6978360693e33690ae16facbca53581c853c3ea5410a11f52
Opcode Fuzzy Hash: d80de9157a05fce93e2b891ca1bf53088a8cb3639caa320dc2db64186150e45b
Instruction Fuzzy Hash: CE21F771D1021A9FCB10CF9AC9457EEFBF8BB48314F54816AD418B7341D778A9448FA1

Uniqueness

Uniqueness Score: -1.00%

Function 022E61F8 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 022E626E

Memory Dump Source

Source File: 00000000.00000002.480372185.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_OmPnD1qvad.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1c6b37b7b40424913d123eb396b75b058ea4ac3d5535b382dd8ecb2c090773e9
Instruction ID: ece681e63b6ba16be0d6c6644114d531eccb06a5856455d036e9eb5134babbfc
Opcode Fuzzy Hash: 1c6b37b7b40424913d123eb396b75b058ea4ac3d5535b382dd8ecb2c090773e9
Instruction Fuzzy Hash: BF21C4B1900249DFCB10CF9AC984BDEBBF8EB48324F548429E959A7250D378A945DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 022E62E8 Relevance: 1.5, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 022E6353

Memory Dump Source

Source File: 00000000.00000002.480372185.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_OmPnD1qvad.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b7e5460a38a93add99b752f44de4b149d8775876f9e27530c69cc1616063a4ce
Instruction ID: 60073946c3855b8812ed37069f4d9089b68356390b356da72e2adc14dad35c5a
Opcode Fuzzy Hash: b7e5460a38a93add99b752f44de4b149d8775876f9e27530c69cc1616063a4ce
Instruction Fuzzy Hash: 0C11D2B59002499FCB10CF9AC884BDEBBF8EB48324F248459E569A7250C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 022E64C8 Relevance: 1.5, APIs: 1, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 022E6527

Memory Dump Source

Source File: 00000000.00000002.480372185.00000000022E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22e0000_OmPnD1qvad.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5030637fbf52b05025f26d9fecdf4877381ea10c87f3ebcf1ac7492c119f7bf6
Instruction ID: e8dceec2c52ec1bad750f5035404372b75e8e36a0da1b0a3cdea4fee29677fdf
Opcode Fuzzy Hash: 5030637fbf52b05025f26d9fecdf4877381ea10c87f3ebcf1ac7492c119f7bf6
Instruction Fuzzy Hash: 2C1100B1900209CFCB20CF9AD484BDEBBF8EB48324F20845AD559A7300C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: OmPnD1qvad.exePID: 5920, Parent PID: 6544COMMON

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	83
Total number of Limit Nodes:	3

Executed Functions

Function 016EB0B8 Relevance: 6.2, APIs: 4, Instructions: 153
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 016EB190
GetCurrentThread.KERNEL32 ref: 016EB1CD
GetCurrentProcess.KERNEL32 ref: 016EB20A
GetCurrentThreadId.KERNEL32 ref: 016EB263

Memory Dump Source

Source File: 00000001.00000002.743420953.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16e0000_OmPnD1qvad.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a2953c11b191ea67ab9047299cdee3192bba601ee98311942bda8c80b3234263
Instruction ID: 941ad1a36a9377f0a05bb0eff563ebcd8b9721699cfb9fb9b36d3be95102b134
Opcode Fuzzy Hash: a2953c11b191ea67ab9047299cdee3192bba601ee98311942bda8c80b3234263
Instruction Fuzzy Hash: BF51C8B09012498FDB14DFAAD8487EEBFF1BF48314F20855AD419A73A1CB355845CF66

Uniqueness

Uniqueness Score: -1.00%

Function 016EB120 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 016EB190
GetCurrentThread.KERNEL32 ref: 016EB1CD
GetCurrentProcess.KERNEL32 ref: 016EB20A
GetCurrentThreadId.KERNEL32 ref: 016EB263

Memory Dump Source

Source File: 00000001.00000002.743420953.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16e0000_OmPnD1qvad.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b9b1c5a785ccd8cd4539c689f7c9429ddcb3105c82915b4726039266e6759c20
Instruction ID: ffe7c305b82ac6cc50ffdb3230a813344e4a783ab600fafeb1a68a43faa50c18
Opcode Fuzzy Hash: b9b1c5a785ccd8cd4539c689f7c9429ddcb3105c82915b4726039266e6759c20
Instruction Fuzzy Hash: 635164B09052488FDB14CFAAD9487EEBFF1AF48320F24855AE019A33A1D7785844CB66

Uniqueness

Uniqueness Score: -1.00%

Function 016EB130 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 016EB190
GetCurrentThread.KERNEL32 ref: 016EB1CD
GetCurrentProcess.KERNEL32 ref: 016EB20A
GetCurrentThreadId.KERNEL32 ref: 016EB263

Memory Dump Source

Source File: 00000001.00000002.743420953.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16e0000_OmPnD1qvad.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d8e42a9646ef5319f77be4c6d75d1aa68c19086baabdce2def1c9f9ee3183b58
Instruction ID: 8685809dbaeb32f2ed3af9a4bdb631a7765c5171e2617a2c5e807b9c2b776af2
Opcode Fuzzy Hash: d8e42a9646ef5319f77be4c6d75d1aa68c19086baabdce2def1c9f9ee3183b58
Instruction Fuzzy Hash: 865124B09012498FDB14CFAAD948BEEBBF1BF48314F24855AE419B7360D7746844CF66

Uniqueness

Uniqueness Score: -1.00%

Function 016E8E48 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 016E908E

Memory Dump Source

Source File: 00000001.00000002.743420953.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16e0000_OmPnD1qvad.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4258cc1d3764ef9569e53dbc5525a23ee2d386eb3cc4378174023e0efb58c69f
Instruction ID: 59f3ab1f5134bad1c772ed7a993b1d4ad834aa99dfca037ed92e137633475859
Opcode Fuzzy Hash: 4258cc1d3764ef9569e53dbc5525a23ee2d386eb3cc4378174023e0efb58c69f
Instruction Fuzzy Hash: 45713470A01B058FD724DF2AD85879ABBF6BF88310F008A2ED54A97B50DB75E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 016EF64C Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016EF76A

Memory Dump Source

Source File: 00000001.00000002.743420953.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16e0000_OmPnD1qvad.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ec1246f049573546787bac377b21fd952651aaa13d403022760b02a6554e5e71
Instruction ID: 735968cdb7db79150fc72583836113e155f742a81eff9cf245fc9540b590a095
Opcode Fuzzy Hash: ec1246f049573546787bac377b21fd952651aaa13d403022760b02a6554e5e71
Instruction Fuzzy Hash: DA51D0B1D012199FDF14CFAAC984ADDBFF2BF48314F24866AE819AB210D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 016EF658 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016EF76A

Memory Dump Source

Source File: 00000001.00000002.743420953.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16e0000_OmPnD1qvad.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 65630186b0e8aa72e01a1d2091dd5a4de0f9f7b01f54eb929bdd4c2b552d38dd
Instruction ID: fa23e04fffcfc3e9e321388421f962385ffd85bab6eba2d65e0b74e1e45e161b
Opcode Fuzzy Hash: 65630186b0e8aa72e01a1d2091dd5a4de0f9f7b01f54eb929bdd4c2b552d38dd
Instruction Fuzzy Hash: 9E41AEB1D002199FDF14CFAAD884ADEBFF5BF48710F24826AE819AB210D7749945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 016EB758 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016EB7E7

Memory Dump Source

Source File: 00000001.00000002.743420953.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16e0000_OmPnD1qvad.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 850059d716a342b84ad566900262c2602d602b280b4486b92165472445530666
Instruction ID: 9fb78a890fa9e2edaba814fe1d1f902b51bea4b82763ac5a04d87cafe26255c6
Opcode Fuzzy Hash: 850059d716a342b84ad566900262c2602d602b280b4486b92165472445530666
Instruction Fuzzy Hash: 982126B58012099FDF10CF9AD888AEEBFF5EB48320F14811AE914B3721C378A944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 016EB760 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016EB7E7

Memory Dump Source

Source File: 00000001.00000002.743420953.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16e0000_OmPnD1qvad.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: de1f7c8f4a27672977a79e172cc32c162a98c27d284843402e83e526626d7ce3
Instruction ID: 38d1806fd243a6e6cbdbdff310ba9eac62fe6402aca011ac82bd2faaa6e2cc40
Opcode Fuzzy Hash: de1f7c8f4a27672977a79e172cc32c162a98c27d284843402e83e526626d7ce3
Instruction Fuzzy Hash: 8321B5B59012099FDB10CF9AD984ADEBFF5EB48310F14841AE954B3310D378A954CF65

Uniqueness

Uniqueness Score: -1.00%

Function 016E81C8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,016E9109,00000800,00000000,00000000), ref: 016E931A

Memory Dump Source

Source File: 00000001.00000002.743420953.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16e0000_OmPnD1qvad.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 88918b5cc3559f8ef5bd7160f011ca2fc5ca41395520e9d48fd6d1af5f164459
Instruction ID: e4464c4e94d00353546dd712750e52efebacc3afa3b494445fb5feb1d4682382
Opcode Fuzzy Hash: 88918b5cc3559f8ef5bd7160f011ca2fc5ca41395520e9d48fd6d1af5f164459
Instruction Fuzzy Hash: EF1103B69002088FDB10CFAAC848ADEFBF4AB48314F14852AE919B7300C378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 016E92A9 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,016E9109,00000800,00000000,00000000), ref: 016E931A

Memory Dump Source

Source File: 00000001.00000002.743420953.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16e0000_OmPnD1qvad.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 351a57175de756427e8124ebd5448873bf24bf858bdb93854d1b3247891c36bf
Instruction ID: cb451b26e8f70fdadbcdd8bd2377f5bc58501161400295e2da65d0c951338b54
Opcode Fuzzy Hash: 351a57175de756427e8124ebd5448873bf24bf858bdb93854d1b3247891c36bf
Instruction Fuzzy Hash: 021103B69002499FDB10CFAAC848ADEFBF5AF88354F14851AE919B7300C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 016E9350 Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,016E9109,00000800,00000000,00000000), ref: 016E931A

Memory Dump Source

Source File: 00000001.00000002.743420953.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16e0000_OmPnD1qvad.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5659c11628e43c1e5c923e8513b39d97f0116419f3d8e7b73e474a2bc5616a60
Instruction ID: cb7a52cb53754d712e70c3a9b420d8b8b56df4dbadd8e0ad3799799d5cb74d0c
Opcode Fuzzy Hash: 5659c11628e43c1e5c923e8513b39d97f0116419f3d8e7b73e474a2bc5616a60
Instruction Fuzzy Hash: F511C2B19043448FCF118FA9D8087DAFFF5EF86328F18818AE549A7252C3759505CB65

Uniqueness

Uniqueness Score: -1.00%

Function 016E9028 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 016E908E

Memory Dump Source

Source File: 00000001.00000002.743420953.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16e0000_OmPnD1qvad.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 06ff94bcad3a338a9c9315fd25d9e656c17996631ae73fc248ac385140135041
Instruction ID: 29ad2716971f7c390c46248ce894102a94cbc9276f3acecc1da6bb1554f745dd
Opcode Fuzzy Hash: 06ff94bcad3a338a9c9315fd25d9e656c17996631ae73fc248ac385140135041
Instruction Fuzzy Hash: 0B11DFB6C002498FDB20CF9AC844BDEFBF4AF88324F14851AD559A7710D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 016EF898 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?), ref: 016EF8FD

Memory Dump Source

Source File: 00000001.00000002.743420953.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16e0000_OmPnD1qvad.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 4cac2fe5dd25b02d5154381041236fa7022e2fe96d5565a77d942e9e40095261
Instruction ID: 9cdf8a291040e4e3487ea5afec2f7cb365c87bbf83177efa94477c330d3de845
Opcode Fuzzy Hash: 4cac2fe5dd25b02d5154381041236fa7022e2fe96d5565a77d942e9e40095261
Instruction Fuzzy Hash: FE1122B68002098FDB10CF9AD588BDEBFF8EB48320F21855AD959B7300C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 016EF8A0 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?), ref: 016EF8FD

Memory Dump Source

Source File: 00000001.00000002.743420953.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16e0000_OmPnD1qvad.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 5e6ce411e90a7e5a369225af791505ca299dec8a53eb520965334f127d50c7b0
Instruction ID: d4b5137a926cc8b258faf71d61e2528f9af1e3d76c34f714c9e24250b6bc7642
Opcode Fuzzy Hash: 5e6ce411e90a7e5a369225af791505ca299dec8a53eb520965334f127d50c7b0
Instruction Fuzzy Hash: 411103B59002089FDB10CF9AD484BDEBBF8EB48320F20855AD959A3300C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 6828, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	25.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	66
Total number of Limit Nodes:	2

Executed Functions

Function 05895CF4 Relevance: 1.8, APIs: 1, Instructions: 265
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 05895F93

Memory Dump Source

Source File: 00000009.00000002.488841099.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5890000_svchost.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 644f7e69594f1eea592833fbd4037cde7f158512886f6964c3c6c295be40d19d
Instruction ID: 6cbbb67125bcf38c9f85330058c79969ea492d3eec297690e0f383843ff4e862
Opcode Fuzzy Hash: 644f7e69594f1eea592833fbd4037cde7f158512886f6964c3c6c295be40d19d
Instruction Fuzzy Hash: C0A14871E002198FDF15CFA9C8817EDBAB2FF48304F0481A9E859E7290DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05895D00 Relevance: 1.8, APIs: 1, Instructions: 262
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 05895F93

Memory Dump Source

Source File: 00000009.00000002.488841099.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5890000_svchost.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 6588f6f4acf0aaea14d1f406c84e9992992d2ee539a6a0579e5852db790f03f7
Instruction ID: cf111bd826533401d0b68beac1fe501ef5544eed16e0dea32e40f89e409a7530
Opcode Fuzzy Hash: 6588f6f4acf0aaea14d1f406c84e9992992d2ee539a6a0579e5852db790f03f7
Instruction Fuzzy Hash: A0A14871E002198FDF15CFA9C8817EDBAB6FF48304F0481A9E819E7290DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05896388 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0589641D

Memory Dump Source

Source File: 00000009.00000002.488841099.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5890000_svchost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 751ed29abcafe580bb5f21b9d74040ad4c953da370d48afe1ae6c9fcf58967a6
Instruction ID: b8cc0c09d787cf11769e24fa47033dc04a789ffac3b3794f3d23171369f6e577
Opcode Fuzzy Hash: 751ed29abcafe580bb5f21b9d74040ad4c953da370d48afe1ae6c9fcf58967a6
Instruction Fuzzy Hash: BA21F2B1901259DFCB14CF9AC885BDEBBF4FB48310F54842AE919A3350D778A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05896390 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0589641D

Memory Dump Source

Source File: 00000009.00000002.488841099.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5890000_svchost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b495bf7a8ed113557080dc6c07cfb839ae35e0c904c29a2fdbcf3ecec1c688da
Instruction ID: e10de4667df22d9765bbaeda0be542ccf080888d48d40327089123d56f0bf797
Opcode Fuzzy Hash: b495bf7a8ed113557080dc6c07cfb839ae35e0c904c29a2fdbcf3ecec1c688da
Instruction Fuzzy Hash: F72100B19002599FCB14CF9AC884BDEBBF4FB48310F14842AE919A3350D778A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 058961F0 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0589626E

Memory Dump Source

Source File: 00000009.00000002.488841099.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5890000_svchost.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c8a70704222a0ff633aed096548bd50d8a60bf9118b1825247f3f9731c863ae0
Instruction ID: 9a0ba098e2906d6fa64e0d89edac2087e4dc7c12b62af22922d31834bb458ef1
Opcode Fuzzy Hash: c8a70704222a0ff633aed096548bd50d8a60bf9118b1825247f3f9731c863ae0
Instruction Fuzzy Hash: 332115719002499FCB10CF9AC884BDEBBF4EB48320F148029E858A3210D378A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05896133 Relevance: 1.6, APIs: 1, Instructions: 59
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 058961AF

Memory Dump Source

Source File: 00000009.00000002.488841099.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5890000_svchost.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: cd68cb7634e96dfb106bd7c211a1b638a89c695e7b336fc6b9abac0750035963
Instruction ID: e5ffaf1eed522cb8a32ff3a043c72a0a3c2e9025ff44d595ebe23753f213a581
Opcode Fuzzy Hash: cd68cb7634e96dfb106bd7c211a1b638a89c695e7b336fc6b9abac0750035963
Instruction Fuzzy Hash: 5221E5719002199BCB14DF9AC88579EFBF4BB48314F54812AE818B3741D778A9448FA5

Uniqueness

Uniqueness Score: -1.00%

Function 05896138 Relevance: 1.6, APIs: 1, Instructions: 58
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 058961AF

Memory Dump Source

Source File: 00000009.00000002.488841099.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5890000_svchost.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: f841b46b01b6fc7f09c2c78cf9f80ff182e01d26b517e8860e4c8c161628f0f6
Instruction ID: 5a775d396e12f7a57f35235e802ee1466965d13f76cb18ddae250ad8dbbdc3db
Opcode Fuzzy Hash: f841b46b01b6fc7f09c2c78cf9f80ff182e01d26b517e8860e4c8c161628f0f6
Instruction Fuzzy Hash: C821F771D002199FCB14DF9AC8457DEFBF4BB48314F14812AD818B3741D778A9448FA1

Uniqueness

Uniqueness Score: -1.00%

Function 058961F8 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0589626E

Memory Dump Source

Source File: 00000009.00000002.488841099.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5890000_svchost.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 25191bf1cd2d905f6d0e16af9cc9bf127043887628fed4f6363c2017efc1c016
Instruction ID: 0216282122eb9ba002b0f9c1fd6355522c78dccb0020b9afb6223f9625318a96
Opcode Fuzzy Hash: 25191bf1cd2d905f6d0e16af9cc9bf127043887628fed4f6363c2017efc1c016
Instruction Fuzzy Hash: BD21D3B1900249DFCB10CF9AC884BDEFBF5FB48324F14842AE958A7650D378A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 058962E0 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05896353

Memory Dump Source

Source File: 00000009.00000002.488841099.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5890000_svchost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ed6c6de7a0abf256cf5655f6ca62a8439f09c260446c8080e7a80f1e4a0fba16
Instruction ID: df52633323defe63ac0c797d93b31b05be3fd7c4c4b8aeb87db7aab006fbbe7c
Opcode Fuzzy Hash: ed6c6de7a0abf256cf5655f6ca62a8439f09c260446c8080e7a80f1e4a0fba16
Instruction Fuzzy Hash: 151102B59002499FCB10CF9AC884BDEBFF4FB48324F148419E529A7750D375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 058962E8 Relevance: 1.5, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05896353

Memory Dump Source

Source File: 00000009.00000002.488841099.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5890000_svchost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 13ba7b2e8e94555ba8b144bbe18b095c36b90f650797162c03924774f97dcc8d
Instruction ID: c7db2787a08d19b3b7f17d62465453a3e379363ac8cebbc6ab5a1e30d2e72295
Opcode Fuzzy Hash: 13ba7b2e8e94555ba8b144bbe18b095c36b90f650797162c03924774f97dcc8d
Instruction Fuzzy Hash: A011E3B5900249DFCB10CF9AC884BDEBFF4FB48324F148419E529A7650D375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 058964C0 Relevance: 1.5, APIs: 1, Instructions: 47
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 05896527

Memory Dump Source

Source File: 00000009.00000002.488841099.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5890000_svchost.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ce57c6b922759e9860a2f1a7dcb0e88c3c734d72f3b4e8e1fe23b276bc67d03a
Instruction ID: 09c1728cbf4ac0550b841b02c5f69da7b0b1a2df4791d5ffa4306ce52198dfed
Opcode Fuzzy Hash: ce57c6b922759e9860a2f1a7dcb0e88c3c734d72f3b4e8e1fe23b276bc67d03a
Instruction Fuzzy Hash: 4A11F2B18002498FCB10DF9AD484BDEBFF4EB48724F24845AD419B3700D778A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 058964C8 Relevance: 1.5, APIs: 1, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 05896527

Memory Dump Source

Source File: 00000009.00000002.488841099.0000000005890000.00000040.00000800.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5890000_svchost.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d9510b49ce19e0f55d50477e3031cc3539f4e24e7125f86064a159a8c6469a7a
Instruction ID: 64c218aa9d8aef9d841a8c8a84e68ca8946d8a73b5990f61b240c73e43a47d5a
Opcode Fuzzy Hash: d9510b49ce19e0f55d50477e3031cc3539f4e24e7125f86064a159a8c6469a7a
Instruction Fuzzy Hash: 321112B1800249CFCB10DF9AD484BDEBBF8EB48324F24845AD419B3700D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 6936, Parent PID: 6828COMMON

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	98
Total number of Limit Nodes:	2

Executed Functions

Function 05C58E48 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 05C5908E

Memory Dump Source

Source File: 0000000A.00000002.743989671.0000000005C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c50000_svchost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 81103f9ede75bdc0f058463bcf3a54cf50337bf7f64935fcc2700f15e993aa68
Instruction ID: c1c06c4686a23ec115708bbb89d380d418f4f98a5be93ce97f9010528aa176e0
Opcode Fuzzy Hash: 81103f9ede75bdc0f058463bcf3a54cf50337bf7f64935fcc2700f15e993aa68
Instruction Fuzzy Hash: 31713670A00B058FD764DFAAD44475ABBF2BF88310F108A2DE44AD7A40D774E985CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05C5F64C Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05C5F76A

Memory Dump Source

Source File: 0000000A.00000002.743989671.0000000005C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c50000_svchost.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6e6687052a1131f58e5645b33459388e4485b4ec83acfe2a2a5f2cbffa3fc883
Instruction ID: 8a9c3deac0191f5dfd4631749ff55e45487fdd283914c0ce4a4e9a161dbc3abb
Opcode Fuzzy Hash: 6e6687052a1131f58e5645b33459388e4485b4ec83acfe2a2a5f2cbffa3fc883
Instruction Fuzzy Hash: B251BFB1D003099FDB14CFAAC880ADEBBB5BF48354F24852AE819AB250D7749985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05C5D464 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05C5F76A

Memory Dump Source

Source File: 0000000A.00000002.743989671.0000000005C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c50000_svchost.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 52658909bf91863f99fa0a114286db89f53dfbf7d4c40d38e8492941f0586f0e
Instruction ID: 63d8abde7eb258b78a55ba04d6936d5700004d460033debb563d523c0dbf4d1c
Opcode Fuzzy Hash: 52658909bf91863f99fa0a114286db89f53dfbf7d4c40d38e8492941f0586f0e
Instruction Fuzzy Hash: A8519DB1D00209DFDB14CFAAC884ADEBBB5BF48350F24852AE819AB250D7749985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05C5B758 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05C5B726,?,?,?,?,?), ref: 05C5B7E7

Memory Dump Source

Source File: 0000000A.00000002.743989671.0000000005C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c50000_svchost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 182c510fdaba8a936becb4009335a83fe4a6a63af2a86e569ca196b96352bd2b
Instruction ID: 45f6dcbd7a3109dbb295b4e265ee4cadfcdf8d2610526277e0e91db5db9158f3
Opcode Fuzzy Hash: 182c510fdaba8a936becb4009335a83fe4a6a63af2a86e569ca196b96352bd2b
Instruction Fuzzy Hash: D321D4B59002099FDB10CFAAD885ADEBFF9FB48324F14841AE915B3310D378A944DF65

Uniqueness

Uniqueness Score: -1.00%

Function 05C59BAC Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05C5B726,?,?,?,?,?), ref: 05C5B7E7

Memory Dump Source

Source File: 0000000A.00000002.743989671.0000000005C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c50000_svchost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 90341c56e3778afdbe611a81d71afabc672b783ffd6af1e4d4a321b26cc2c71e
Instruction ID: 390928b6e2a4dd1e0590c67f64ded6016b9f710c77863a23dbf5de79c631b428
Opcode Fuzzy Hash: 90341c56e3778afdbe611a81d71afabc672b783ffd6af1e4d4a321b26cc2c71e
Instruction Fuzzy Hash: A121D4B59002099FDB10CFAAD984ADEBFF9EB48364F14841AE915B3310D378A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05C581C8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05C59109,00000800,00000000,00000000), ref: 05C5931A

Memory Dump Source

Source File: 0000000A.00000002.743989671.0000000005C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c50000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6142aecfaf2b67c46a6318f4122fd74044a4074819a6296f8b54a01f3058de9f
Instruction ID: 3cfcfa8148d8d5daa753a9d0592b306f44eb5705a582cdde6d16db93b944b529
Opcode Fuzzy Hash: 6142aecfaf2b67c46a6318f4122fd74044a4074819a6296f8b54a01f3058de9f
Instruction Fuzzy Hash: B91106B2900209CFCB10CF9AC844ADEFBF5EB48320F54845AE915B7310C378A545CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 05C592A9 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05C59109,00000800,00000000,00000000), ref: 05C5931A

Memory Dump Source

Source File: 0000000A.00000002.743989671.0000000005C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c50000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 399f5028506fbf2338cbc9eece0dd78fbabe85377b2994a7316838a1726cd977
Instruction ID: a64b4d422fdf7a804b8c96a60313f45e50c1824834503cce9ea101721b156db4
Opcode Fuzzy Hash: 399f5028506fbf2338cbc9eece0dd78fbabe85377b2994a7316838a1726cd977
Instruction Fuzzy Hash: F61103B6800209CFCB10CF9AC884ADEFBF4AB48320F14845AE916B7710C378A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05C59028 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 05C5908E

Memory Dump Source

Source File: 0000000A.00000002.743989671.0000000005C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5c50000_svchost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3766a0184fa339abd66b4399765e7a1940c836a8c95d25dd76a48edd7f5c2188
Instruction ID: cb1fe1899e9701660460b0b419a0e0769a4d91006165221efd3775f62322ea61
Opcode Fuzzy Hash: 3766a0184fa339abd66b4399765e7a1940c836a8c95d25dd76a48edd7f5c2188
Instruction Fuzzy Hash: 6411D2B5C00249CFCB10CF9AD444BDEFBF4EB88224F14895AE819A7610D379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 017CD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.742779236.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17cd000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e07ca86520e24afd9e13de3a3b0ed0b1a611bf2a84d344df7beb8e5d7dbe37f
Instruction ID: f9bf2585f0b539abcc7833f555efc83e19b0189987805b78e7235b27d065da67
Opcode Fuzzy Hash: 3e07ca86520e24afd9e13de3a3b0ed0b1a611bf2a84d344df7beb8e5d7dbe37f
Instruction Fuzzy Hash: D421E2B1504240DFDB25DF98D9C0B66FB65FB88724F2485BDEE090B246C33AE546C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 017CD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.742779236.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17cd000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7089c09a5f32279a1f06bcf1580f5ea3a389caf2ca641afe76c2e0ee77c905e
Instruction ID: eb896714a5e0c775252015617d73efde063834a12c62dcc402d898a67fa0377d
Opcode Fuzzy Hash: f7089c09a5f32279a1f06bcf1580f5ea3a389caf2ca641afe76c2e0ee77c905e
Instruction Fuzzy Hash: F021E272504240DFDB26DF58E8C0B26FF65FB98718F2485BDE9050A246C336D446C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 017DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.742824378.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17dd000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3aa943a5d1fadce0e27f501b6dfdf16195ebd912050c2a57cced12b3c3d5000
Instruction ID: 6d31a886c045898cc68c9415a551d8348f80eaa827b8fb51b96228922eae0304
Opcode Fuzzy Hash: a3aa943a5d1fadce0e27f501b6dfdf16195ebd912050c2a57cced12b3c3d5000
Instruction Fuzzy Hash: AE212571604248DFDB25DF58D9C0B16FF75FBC8354F24C5A9D8090B286C33AD806CA61

Uniqueness

Uniqueness Score: -1.00%

Function 017DD005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.742824378.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17dd000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db38cb31cc3e2dd706d021a69119f736eafe1aa4ad7644e5597ef84868d2d61e
Instruction ID: 73fe3217ee933a3ac75e5b53dff7137398c866ed1f24be0115c426960caae4d9
Opcode Fuzzy Hash: db38cb31cc3e2dd706d021a69119f736eafe1aa4ad7644e5597ef84868d2d61e
Instruction Fuzzy Hash: 272192755083849FDB13CF24D994B11BF71EB86214F28C5EAD8498F297C33AD846CB62

Uniqueness

Uniqueness Score: -1.00%

Function 017CD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.742779236.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17cd000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb067d5dad88413f3e34b132bb63acaa0c988591488faadeeb326543b5c515d9
Instruction ID: d533e69549df09c7d6007759ce7fa99704e4fa1c65405a2d0b5f59adb0381242
Opcode Fuzzy Hash: fb067d5dad88413f3e34b132bb63acaa0c988591488faadeeb326543b5c515d9
Instruction Fuzzy Hash: DF119D76904280CFDB12CF54E9C4B16BF72FB94724F2486ADD8490B656C33AD456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 017CD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.742779236.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17cd000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb067d5dad88413f3e34b132bb63acaa0c988591488faadeeb326543b5c515d9
Instruction ID: 5bdf7e799b433f495c185a86bc73cf0ffac4d35971dc6c17783cd2f16320ada4
Opcode Fuzzy Hash: fb067d5dad88413f3e34b132bb63acaa0c988591488faadeeb326543b5c515d9
Instruction Fuzzy Hash: 4C11CD72404280DFDB12CF44D9C0B56FF72FB84320F2482ADDD090A616C33AE556CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 3176, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	21.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	69
Total number of Limit Nodes:	2

Executed Functions

Function 00FD5CF8 Relevance: 1.8, APIs: 1, Instructions: 266
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FD5F93

Memory Dump Source

Source File: 00000012.00000002.499079985.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_fd0000_svchost.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 8f80cdcc39f519fa3deb89295e2ee50b26bea53dccec7ce5573f956919eb98be
Instruction ID: 6f7f177c6ed99583884a6d937bc31bed019dde1b5f878ec82b21dfb85eaeecee
Opcode Fuzzy Hash: 8f80cdcc39f519fa3deb89295e2ee50b26bea53dccec7ce5573f956919eb98be
Instruction Fuzzy Hash: 1FA17871E002198FDB10DFA9C8817EDBBB2EF48314F0481AAE819E7391DB759985DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FD5D00 Relevance: 1.8, APIs: 1, Instructions: 262
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FD5F93

Memory Dump Source

Source File: 00000012.00000002.499079985.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_fd0000_svchost.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: b800717981f4f7e1a2e235ec4a171c64ed31538582ae171ed9a5fb28db5ac35b
Instruction ID: 60dc673a7c89d9d67803e9c037b3c7592b02e49f397b708c3925914d3168b402
Opcode Fuzzy Hash: b800717981f4f7e1a2e235ec4a171c64ed31538582ae171ed9a5fb28db5ac35b
Instruction Fuzzy Hash: 6CA16871E002198FDB10DFA9C8817EDBBB6EF48314F0481AAE818E7391DB759985DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FD6388 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00FD641D

Memory Dump Source

Source File: 00000012.00000002.499079985.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_fd0000_svchost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5facfcfa3e4df41042e3877820e9c76ed4167b3ad8a093171de62e4a70ca886c
Instruction ID: a50f372947156063e460e88b9e3197d790eb35e0a8dee739eed1d8877209a04f
Opcode Fuzzy Hash: 5facfcfa3e4df41042e3877820e9c76ed4167b3ad8a093171de62e4a70ca886c
Instruction Fuzzy Hash: 382122B1900249DFCB10CF9AD885BDEBBF5FB48320F14842AE818A3350D378A941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FD6390 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00FD641D

Memory Dump Source

Source File: 00000012.00000002.499079985.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_fd0000_svchost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e3fd6a5f034b1b2901acc1fb85052f8a0b825271df46a8a61d86cf7e9c7b9249
Instruction ID: 3a0773d286253815c4705df0c8f20331f31b752ce60c6cdb9370ddd2fbde5b65
Opcode Fuzzy Hash: e3fd6a5f034b1b2901acc1fb85052f8a0b825271df46a8a61d86cf7e9c7b9249
Instruction Fuzzy Hash: E121E0B19002599FCB10CF9AD884BDEBBF5FB48320F54842AE918A3351D778A944DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FD6132 Relevance: 1.6, APIs: 1, Instructions: 61
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 00FD61AF

Memory Dump Source

Source File: 00000012.00000002.499079985.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_fd0000_svchost.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: e9b2600d8edae61624ae2159108d1bd0c8e11a6a18387ab7c35fd984da9b50bb
Instruction ID: 820344db455eee9412aabb5cf24264a3b1ebb511f5eb17bea166bf00c3a34637
Opcode Fuzzy Hash: e9b2600d8edae61624ae2159108d1bd0c8e11a6a18387ab7c35fd984da9b50bb
Instruction Fuzzy Hash: AD2113B1D002199FCB00CF9AC8857EEFBF5AB48720F14812AE418A3341D778A9458FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FD61F0 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00FD626E

Memory Dump Source

Source File: 00000012.00000002.499079985.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_fd0000_svchost.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: caf97b2ea61f7e8109e7b2653ba36ce9248a798f2718e72986c8dae608c320cf
Instruction ID: 2477626567ab895a65b45be4aa18e586c0963b6c2dc244868585f778018b5b4c
Opcode Fuzzy Hash: caf97b2ea61f7e8109e7b2653ba36ce9248a798f2718e72986c8dae608c320cf
Instruction Fuzzy Hash: EB21F7B1900249DFDB10CF9AC984BDEBBF5FB48320F14842AE858A7351D3789545DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FD6138 Relevance: 1.6, APIs: 1, Instructions: 58
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 00FD61AF

Memory Dump Source

Source File: 00000012.00000002.499079985.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_fd0000_svchost.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: dd1e129d2192ebe038aa5c2beeb5e4d1e5ca5e6ee526f30404b11de460b8d45a
Instruction ID: 0095e272960b5405eadb1a12bd65168c8f7716ae7cd0557381d5ed46e87119eb
Opcode Fuzzy Hash: dd1e129d2192ebe038aa5c2beeb5e4d1e5ca5e6ee526f30404b11de460b8d45a
Instruction Fuzzy Hash: 7C21D6B1D006199FCB10CF9AC9857EEFBF4BB48724F54812AE418B3741D778A9448FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FD61F8 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00FD626E

Memory Dump Source

Source File: 00000012.00000002.499079985.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_fd0000_svchost.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c50cfdbbe48ff38a845492b72d9e217250dc9184112e7ae8a0db052ff746748e
Instruction ID: d32c68da360abbacc2a03957a4d92a002de45f7f1aad271386532c06c820acb0
Opcode Fuzzy Hash: c50cfdbbe48ff38a845492b72d9e217250dc9184112e7ae8a0db052ff746748e
Instruction Fuzzy Hash: 9921D3B5900249DFCB10CF9AC984BDEBBF5FB48320F14842AE958A7351D379A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FD62E0 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00FD6353

Memory Dump Source

Source File: 00000012.00000002.499079985.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_fd0000_svchost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8a187b2fd713ee9c7dbfc77a935f8af15fa26593f01dada9ace26fbc8738e317
Instruction ID: 88ba3327f9249011ec098880d807586e48f60ab03941b9c50421d5ddf6646e8a
Opcode Fuzzy Hash: 8a187b2fd713ee9c7dbfc77a935f8af15fa26593f01dada9ace26fbc8738e317
Instruction Fuzzy Hash: 441102B59002499FCB10CF9AD884BDEBFF5EB58320F24841AE568A7350D379A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FD62E8 Relevance: 1.5, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00FD6353

Memory Dump Source

Source File: 00000012.00000002.499079985.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_fd0000_svchost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fe3c1f0198e78dcf56e53ad91e5c9052f8cb43267c5b6ea8c9d595954435f4c5
Instruction ID: ae9d0eeccd94e822fc5cb67eb7969121fdfce7dd77d3843375a9f60f85dd46fb
Opcode Fuzzy Hash: fe3c1f0198e78dcf56e53ad91e5c9052f8cb43267c5b6ea8c9d595954435f4c5
Instruction Fuzzy Hash: 0311D2B59002499FCB10CF9AD884BDEBFF5EB48320F14841AE528A7350D379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FD64C0 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 00FD6527

Memory Dump Source

Source File: 00000012.00000002.499079985.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_fd0000_svchost.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d55079815a1b0c43729a4276c799cd947a591652c9a2059586c096eb1945a93a
Instruction ID: dde2dd3a75a2604de239f939e5998f5721b71959d3f623ce06e6c9955d332433
Opcode Fuzzy Hash: d55079815a1b0c43729a4276c799cd947a591652c9a2059586c096eb1945a93a
Instruction Fuzzy Hash: 5711F2B1D002088FCB10DF9AE484BDEBFF4EB59324F24845AD459A7700D379A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FD64C8 Relevance: 1.5, APIs: 1, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 00FD6527

Memory Dump Source

Source File: 00000012.00000002.499079985.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_fd0000_svchost.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7c70e15ad95ebdcaa0382957c9d2d935c34fe73d2df85be6e8df3bff93d3ff34
Instruction ID: 55304c756d8b9ba51c24b83fb44fb0d45c45818d188d90554e159ac4254bdd46
Opcode Fuzzy Hash: 7c70e15ad95ebdcaa0382957c9d2d935c34fe73d2df85be6e8df3bff93d3ff34
Instruction Fuzzy Hash: BF1100B1800208CFCB10DF9AE484BDEBBF8EB48324F24845AD418A3300C379A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 6892, Parent PID: 3176COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	317
Total number of Limit Nodes:	22

Executed Functions

Function 05BFD198 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.744785514.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5bf0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983139241edbf5f1f3fd03e3742f7efdcabea239fa787c9429fa5080141cc6ea
Instruction ID: a00ad05314aa2f6e3c09a0d4ebfd1457b84fe687bef30b037a7193e1a3ede9ea
Opcode Fuzzy Hash: 983139241edbf5f1f3fd03e3742f7efdcabea239fa787c9429fa5080141cc6ea
Instruction Fuzzy Hash: AFF15C31A00209CFDB14DFA9C944BADBBF2FF88314F158598E509AF2A5DB74A949CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05B2B120 Relevance: 6.1, APIs: 4, Instructions: 123
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05B2B190
GetCurrentThread.KERNEL32 ref: 05B2B1CD
GetCurrentProcess.KERNEL32 ref: 05B2B20A
GetCurrentThreadId.KERNEL32 ref: 05B2B263

Memory Dump Source

Source File: 00000013.00000002.743977792.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b20000_svchost.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 48005f4a510efa1a593986d5ca5e5a56a12decbf010bab87fe66c31403954350
Instruction ID: 04ec68f9f8d80394d33860df22f668382e0c47afc3f87d0690255ae0d37f2ee8
Opcode Fuzzy Hash: 48005f4a510efa1a593986d5ca5e5a56a12decbf010bab87fe66c31403954350
Instruction Fuzzy Hash: A15111B19006498FDB14CFAAD58879EBFF1FB88314F20849AE419B7350DB786844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05B2B130 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05B2B190
GetCurrentThread.KERNEL32 ref: 05B2B1CD
GetCurrentProcess.KERNEL32 ref: 05B2B20A
GetCurrentThreadId.KERNEL32 ref: 05B2B263

Memory Dump Source

Source File: 00000013.00000002.743977792.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b20000_svchost.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6c5183965867c3ff867036afad4ef869f46a25510e2ba1e8c5114a567b67e75d
Instruction ID: 7db8cf64d9b0b28cf405203320beb5c127a7cdbd034d73fd1aec4f9d52b1a5bb
Opcode Fuzzy Hash: 6c5183965867c3ff867036afad4ef869f46a25510e2ba1e8c5114a567b67e75d
Instruction Fuzzy Hash: FD5123B19002498FDB14CFAAD58879EBFF1FB88314F208499E419B7350DB786844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05B28E48 Relevance: 1.7, APIs: 1, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 05B2908E

Memory Dump Source

Source File: 00000013.00000002.743977792.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b20000_svchost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9c2979e06dc9c9b18c4cab1d0e6b924f4316cc822f37fa0f5b5a72587cc23b77
Instruction ID: 74908de5a35b3f2987e88c5dccd1bd8fefed93809ddab5f29d9c4c8d3afb10cf
Opcode Fuzzy Hash: 9c2979e06dc9c9b18c4cab1d0e6b924f4316cc822f37fa0f5b5a72587cc23b77
Instruction Fuzzy Hash: 6D713570A00B158FD724DF6AD55476ABBF2FF88200F00896AE48AD7B50DB34F8458FA1

Uniqueness

Uniqueness Score: -1.00%

Function 05B2F64C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05B2F76A

Memory Dump Source

Source File: 00000013.00000002.743977792.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b20000_svchost.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8c2afa1e88347551ffa9179469770d3a374ab78c16d77a25ae6f7f73d29b7f20
Instruction ID: 9f91f0388750651fcc7ba318f82b4434c1b2bd7175f9782a9a4aecf699fa2b5c
Opcode Fuzzy Hash: 8c2afa1e88347551ffa9179469770d3a374ab78c16d77a25ae6f7f73d29b7f20
Instruction Fuzzy Hash: 4B51C2B1D00319DFDB15CF9AC884ADEBBB5FF48310F24866AE419AB210D774A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05B2F658 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05B2F76A

Memory Dump Source

Source File: 00000013.00000002.743977792.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b20000_svchost.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d2766076d76044916ec6eec87921c2d2196d98831bcc1043016fac9c6fefcfe2
Instruction ID: 0453cabe1277ecc6d01bebbfee6d3647f966a00f65da8c8f0a0c69df3a021a62
Opcode Fuzzy Hash: d2766076d76044916ec6eec87921c2d2196d98831bcc1043016fac9c6fefcfe2
Instruction Fuzzy Hash: 0941B2B1D00319DFDB15CF9AC884ADEBBB5FF48310F24866AE419AB210D774A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05BF1F70 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05BF2031

Memory Dump Source

Source File: 00000013.00000002.744785514.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5bf0000_svchost.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 37e81e2be47f6a701b0c7e5bbd4d4e732c4205dc33ac9d2b984c47f49cc4ab78
Instruction ID: bcdfb84915eca3101907078f99f931f02066a5dfd04e192507e9f81169f597b3
Opcode Fuzzy Hash: 37e81e2be47f6a701b0c7e5bbd4d4e732c4205dc33ac9d2b984c47f49cc4ab78
Instruction Fuzzy Hash: 32415EB9900205CFCB14CF99C448AAAFBF5FF88314F24C499E519A7321D774A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05BF8008 Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.744785514.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5bf0000_svchost.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 6095783f2219c4ba2a44dac36ac3ae6537abb6850bf825e42549288e8f4df774
Instruction ID: ab79bdb8bcc154349e0a4c137d36975064d63038448383282181589fbca66f14
Opcode Fuzzy Hash: 6095783f2219c4ba2a44dac36ac3ae6537abb6850bf825e42549288e8f4df774
Instruction Fuzzy Hash: 27318D729043499FCB11DFA9C844AEEBFF9EF49310F14809AF954A7221C335A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05BF928C Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 05BFA730

Memory Dump Source

Source File: 00000013.00000002.744785514.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5bf0000_svchost.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 83c74a99d4730700563aab56f52156e64efb9ef0cb15b491735e6952c8fe5e0a
Instruction ID: 4b96c71e982ea3e864d22644fbde70a2c57d0b8de063733eb97ca0dd04ea9ef3
Opcode Fuzzy Hash: 83c74a99d4730700563aab56f52156e64efb9ef0cb15b491735e6952c8fe5e0a
Instruction Fuzzy Hash: A231E4B0D01208DFDB14DF99C984BDDBBF6AF48314F248059E508BB390D7B46949CB55

Uniqueness

Uniqueness Score: -1.00%

Function 05BFA6A5 Relevance: 1.6, APIs: 1, Instructions: 70
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 05BFA730

Memory Dump Source

Source File: 00000013.00000002.744785514.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5bf0000_svchost.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 92a3ab5c502ba50108a99c78a5018cb17f25d7aa4f2cf2211e262354dde6ca97
Instruction ID: 8cc859a3457de1e67cdfad3ead4d54c944fc02389698087fdcc9ea18b2c04ff7
Opcode Fuzzy Hash: 92a3ab5c502ba50108a99c78a5018cb17f25d7aa4f2cf2211e262354dde6ca97
Instruction Fuzzy Hash: 8C31DEB4D01208DFDB14CF99C988BDDBBB6AB48314F248059E008BB390D7B46949CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05B2B760 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05B2B7E7

Memory Dump Source

Source File: 00000013.00000002.743977792.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b20000_svchost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8ee75b9fc75df1ec89d399c85fed582f23ed8eeea60888d666e9526c10d987ee
Instruction ID: e7ba668ac6b7b1e02ec772a471401bad7cdbdd112d0b3287b2d4def7dd4b2fd1
Opcode Fuzzy Hash: 8ee75b9fc75df1ec89d399c85fed582f23ed8eeea60888d666e9526c10d987ee
Instruction Fuzzy Hash: B321C4B5D002599FDB10CF9AD584ADEBBF9FB48320F14845AE918B3310D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05B2B758 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05B2B7E7

Memory Dump Source

Source File: 00000013.00000002.743977792.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b20000_svchost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a3c1f57480932baaddab0d80dc2c3013f4ce50d77b77715479989b8da9c2517d
Instruction ID: 4bc5a7213e69423e77bd7aa13977124dc7fb62d6037c1a0ede056e294011ce62
Opcode Fuzzy Hash: a3c1f57480932baaddab0d80dc2c3013f4ce50d77b77715479989b8da9c2517d
Instruction Fuzzy Hash: 3721D2B6D002199FDB10CFAAD584AEEBBF5FB48310F14845AE918B3310D378A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05BF6C6C Relevance: 1.6, APIs: 1, Instructions: 56
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,05BF8022,?,?,?,?,?), ref: 05BF80C7

Memory Dump Source

Source File: 00000013.00000002.744785514.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5bf0000_svchost.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 8bb664dcc6c8c2319f85443802053a2512461d057db0bb8537a7fe2cc9367501
Instruction ID: 56de5b5ba512c3aa6ae31bd16bac7afdd2a96db3766ff53dbd2da0d59abcb528
Opcode Fuzzy Hash: 8bb664dcc6c8c2319f85443802053a2512461d057db0bb8537a7fe2cc9367501
Instruction Fuzzy Hash: 0E115C719002499FCB10CFAAC844BEEBFF9EB48310F14845AE914A7210C375A954DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05B281C8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05B29109,00000800,00000000,00000000), ref: 05B2931A

Memory Dump Source

Source File: 00000013.00000002.743977792.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b20000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0d573022ebf202607bede9292956ce4909171f1ac867f022d4553d05d4ed3056
Instruction ID: 484dbe600a00528713c07bbbf2388abc70805ae77d4831ead5966ab7b7b0dda7
Opcode Fuzzy Hash: 0d573022ebf202607bede9292956ce4909171f1ac867f022d4553d05d4ed3056
Instruction Fuzzy Hash: 2711F2B69002588FCB10CF9AC484ADEBBF5EB48310F14846AE819A7200C378A585CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05B292A9 Relevance: 1.6, APIs: 1, Instructions: 51
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05B29109,00000800,00000000,00000000), ref: 05B2931A

Memory Dump Source

Source File: 00000013.00000002.743977792.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b20000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 58cb298890cf6872151369aeedb6e8b637e61592d36b18020a238fc78b1257da
Instruction ID: 29f0ee18eaf171d51e73ea7c2e55ee855b022af9714564adc580c0366394fb47
Opcode Fuzzy Hash: 58cb298890cf6872151369aeedb6e8b637e61592d36b18020a238fc78b1257da
Instruction Fuzzy Hash: D61114B6D002598FCB10CF9AC584BDEFBF5AB48310F14845AD419B7300C378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05B29028 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 05B2908E

Memory Dump Source

Source File: 00000013.00000002.743977792.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5b20000_svchost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: da1f6cc197f60c66dc945ca6adc81502bca5f8b2bcb36814cb09da9f36ab779a
Instruction ID: ef13a198eb508904f5c0f704bf13ae5332ab8a4b2ca3419ea86348a627fc11f1
Opcode Fuzzy Hash: da1f6cc197f60c66dc945ca6adc81502bca5f8b2bcb36814cb09da9f36ab779a
Instruction Fuzzy Hash: D01102B6C002598FDB10CF9AC444BDFFBF4EB88224F10855AD429A7210C379A585CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05BF6CB0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 05BF842D

Memory Dump Source

Source File: 00000013.00000002.744785514.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5bf0000_svchost.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0f1066eb2dc9902e5a923e8b9e160aea5dca461bca28f754cddf7acc0884ab46
Instruction ID: 59c254de248f5abcee36bd9d979e6199f59d40332ff574c495784a6270adf73b
Opcode Fuzzy Hash: 0f1066eb2dc9902e5a923e8b9e160aea5dca461bca28f754cddf7acc0884ab46
Instruction Fuzzy Hash: EB11F5B58002489FDB10DF9AD484BDEBFF8EB48320F108459E955A7700D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05BF9274 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05BFA1B5

Memory Dump Source

Source File: 00000013.00000002.744785514.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5bf0000_svchost.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e28f901014e68706346c8b6ee6c729a497d39c5c55e4dc5ad8611d2e7456258d
Instruction ID: 458efe19c43406bbfe379f3de5958f55aefa9031832af57c3e41d114d5b6a104
Opcode Fuzzy Hash: e28f901014e68706346c8b6ee6c729a497d39c5c55e4dc5ad8611d2e7456258d
Instruction Fuzzy Hash: 791115B59043488FCB20DF9AC484BDEBBF4EB48324F208499E519B7310D378A948CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05BF3DFC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,05BF4530), ref: 05BF9EBF

Memory Dump Source

Source File: 00000013.00000002.744785514.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5bf0000_svchost.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9bc61279def94e82c356d5852e3b62e7b98a0c57949f79e2bc1b04624c59c953
Instruction ID: 75229a52a34f337a004f0f0a08c0b9fc45fa0c91cda5ccdc4828cf139b3725a5
Opcode Fuzzy Hash: 9bc61279def94e82c356d5852e3b62e7b98a0c57949f79e2bc1b04624c59c953
Instruction Fuzzy Hash: 921106B59002488FCB20DF9AC4447DEBBF4EB48324F10845AD569B7700D774A948CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05BF83CF Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 05BF842D

Memory Dump Source

Source File: 00000013.00000002.744785514.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5bf0000_svchost.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6caa7d9f249bd89e48a7bc71454364694207536ed417543dbb44112588975d07
Instruction ID: 59a3e594f42ed585763ade114ac030fe36b6b85604b27ce2438be0a3ad8c935f
Opcode Fuzzy Hash: 6caa7d9f249bd89e48a7bc71454364694207536ed417543dbb44112588975d07
Instruction Fuzzy Hash: 0711D0B68002499FDB10DF9AD584BDEBBF8EB48320F14845AE559B7700D378A584CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05BFA15F Relevance: 1.5, APIs: 1, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05BFA1B5

Memory Dump Source

Source File: 00000013.00000002.744785514.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5bf0000_svchost.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 85f9383409c641ccc6e32e0294d575b961e34722396b3882913c7a925d45ac10
Instruction ID: 8ce278b5d0f634ba9a8faec5cec5a9c88cee5c600536641ef7f474c334d92ca5
Opcode Fuzzy Hash: 85f9383409c641ccc6e32e0294d575b961e34722396b3882913c7a925d45ac10
Instruction Fuzzy Hash: EF11F3B5D00248CFCB10DF9AD584BDEBBF4AB48324F24845AD519B7710D378A548CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05BF9E5F Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,05BF4530), ref: 05BF9EBF

Memory Dump Source

Source File: 00000013.00000002.744785514.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5bf0000_svchost.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 2f359a1d7623d0d986f400febf2e74731fbc4ed722235578f23162689f968a8d
Instruction ID: fb8c7d69aa153e0772da9d6cafecd802cf0dfdfbf96acd328172750fa275f839
Opcode Fuzzy Hash: 2f359a1d7623d0d986f400febf2e74731fbc4ed722235578f23162689f968a8d
Instruction Fuzzy Hash: 831100B58002088FCB10CF9AC5847DEBBF4AB48320F20885AD569B3700C378A548CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05BFA1EC Relevance: 1.5, APIs: 1, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05BFA1B5

Memory Dump Source

Source File: 00000013.00000002.744785514.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5bf0000_svchost.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 24bb57b05b5e1c64c72cdfbd0d7d5a9082d273f7754c4cf1701f3af4a3b83774
Instruction ID: 8dc8f011b3e082d6fc4aa3a04282ff5ad9ec59ef005656ba5bfb14be91001385
Opcode Fuzzy Hash: 24bb57b05b5e1c64c72cdfbd0d7d5a9082d273f7754c4cf1701f3af4a3b83774
Instruction Fuzzy Hash: 8DF02B7290C2808FCB2187AED8443D9BFF0EF55354F6544CAC18DE7661D278A24DC750

Uniqueness

Uniqueness Score: -1.00%

Function 01A9D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.743227910.0000000001A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1a9d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6cec666cdafefcf73793df3ca9a66684582f2d619689402f894f6615db07b1
Instruction ID: c7b32293e9470082ce583ae5bd3411b8405420de2c4843e9a1d1763a00938351
Opcode Fuzzy Hash: be6cec666cdafefcf73793df3ca9a66684582f2d619689402f894f6615db07b1
Instruction Fuzzy Hash: 4421C172504240DFDF16DF68D9C0B26BFA5FB88328F248569E8051B246C336D8D6CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A9D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.743227910.0000000001A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1a9d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1659640becc28bb2d44df454aaab270bd631880006459d11e9ce857cf1b9a1
Instruction ID: 47fa73efa6466d781abb84e16f79c4e55c74d50acd0429c8eb8f40a2fbe9dc13
Opcode Fuzzy Hash: 1e1659640becc28bb2d44df454aaab270bd631880006459d11e9ce857cf1b9a1
Instruction Fuzzy Hash: A721E271504240DFDF05DF58D9C0B66BBA5FBC8324F24C569E9091B247C33AE4C6C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 01AAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.743289701.0000000001AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1aad000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb72bb2f0996ef70403f012cd17675efa4e8c30ef7b755a32937b1ba387a97c
Instruction ID: f46a9c91d3ba9c2da1f1158981d0b6ed2cf7633bf3c1acb1254736a1269ed735
Opcode Fuzzy Hash: 4cb72bb2f0996ef70403f012cd17675efa4e8c30ef7b755a32937b1ba387a97c
Instruction Fuzzy Hash: 18213471684240DFDB15CF68D8C0B26BF65FB88364F64C569E88A4B746C33AD807CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01A9D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.743227910.0000000001A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1a9d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb067d5dad88413f3e34b132bb63acaa0c988591488faadeeb326543b5c515d9
Instruction ID: d4cac473bac2fdeb622d4be6655c8c06cf9b0e80475f8c6d500a77666755e601
Opcode Fuzzy Hash: fb067d5dad88413f3e34b132bb63acaa0c988591488faadeeb326543b5c515d9
Instruction Fuzzy Hash: CC11D376904280CFDF12CF54D5C4B16BFB2FB84324F24C6A9D8454B616C33AD496CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A9D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.743227910.0000000001A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1a9d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb067d5dad88413f3e34b132bb63acaa0c988591488faadeeb326543b5c515d9
Instruction ID: 074d9e9a1b93299cc8c2f08e7610347d6e890e20b400e39629b074fb08068f02
Opcode Fuzzy Hash: fb067d5dad88413f3e34b132bb63acaa0c988591488faadeeb326543b5c515d9
Instruction Fuzzy Hash: CF119D76504280DFDF12CF54D5C4B56BFB2FB84224F24C6A9D8490B617C33AE496CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AAD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.743289701.0000000001AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1aad000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21427ca23a48a55dcad0e3d484f99097b9453c19b67056f3b82d25d18eec669f
Instruction ID: 58959969f4ef0d52cc20bee05ea5febfefa0760aff0385505c066ab17e842a3f
Opcode Fuzzy Hash: 21427ca23a48a55dcad0e3d484f99097b9453c19b67056f3b82d25d18eec669f
Instruction Fuzzy Hash: 7C11D075544280CFDB12CF14D5C4B15FF72FB84324F24C6AAD88A4BA56C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OmPnD1qvad.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Redline Clipper

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OmPnD1qvad.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

C:\Users\user\AppData\Roaming\svchost\svchost.exe

C:\Users\user\AppData\Roaming\svchost\svchost.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
OmPnD1qvad.exe